I've Been Hacked - What Now

My server has been hacked...what do I do now?

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.

Identification
Basic principles:


 * Incident identification/notification may come from a number of information sources (events):
   * Staff reporting unusual activity
   * Staff, clients or the public reporting a problem
   * Technical teams/support discovering evidence of an incident on systems
   * Alerts from IDS, security monitoring systems, anti-virus software, firewalls or WAFs


 * Roles:
   * A security incident owner must be assigned.
   * A point of contact must be available to respond to incidents at all times.
   * The security incident owner must track the incident through to remediation and resolution.


 * Examples of an incident:
   * Virus/malware infection
   * Unauthorized system changes
   * Unauthorized application/web site changes
   * Unauthorized disclosure of client information or information leakage
   * Theft or loss of company information/assets


 * Examples of an event:
   * Reports from an intrusion detection system, WAF, firewall or log scraping system
   * Reports from vulnerability scanning, traffic monitoring or performance monitoring

Assessment
Incident severity:

Risk Rating


 * Low:
   * Events that cannot be positively identified as attacks and have no effect on operations
   * False positives from intrusion detection systems, WAF alerts, etc.
   * Non-repeated scans or probing from an external, uncontrolled network


 * Medium:
   * Incidents that have no negative impact on operations: an attack was identified but failed to breach information security controls, whether it came from an external or an internal source
   * Repeated active probing or parameter manipulation from an external or internal source
   * Malware/rogue code/virus that has been successfully contained or removed
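As an added illustration of the Low/Medium distinction above (example code written for this page, not part of the original), the following Python triages web server access-log lines by source address: a single probe of a well-known path rates Low, while repeated probing or parameter manipulation in a request rates Medium. The log lines are constructed, and the probe-path list, the manipulation patterns and the repeat threshold are assumptions chosen for illustration, not a complete signature set.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format, minus referer/user-agent,
# which this example does not need.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed indicators of parameter manipulation (traversal, SQL/script
# injection fragments). Illustrative, not exhaustive.
MANIPULATION = re.compile(
    r"(\.\./|%2e%2e|'|%27|<script|union\s+select|/etc/passwd)", re.I
)

# Assumed list of paths commonly requested by scanners.
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin", "/.env", "/admin", "/.git/")

# Assumed threshold: this many probes from one source counts as "repeated".
REPEAT_THRESHOLD = 3

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /about HTTP/1.1" 200 2210
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /.env HTTP/1.1" 404 209
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /.git/config HTTP/1.1" 404 209
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 404 209
192.0.2.9 - - [10/Oct/2023:13:57:14 +0000] "GET /admin HTTP/1.1" 404 209
198.51.100.50 - - [10/Oct/2023:14:01:00 +0000] "GET /item?id=1%27%20OR%201=1-- HTTP/1.1" 500 512
"""


def parse(log_text):
    """Yield one dict per well-formed log line; silently skip malformed lines."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def classify(log_text):
    """Return {source_ip: (rating, reason)} for sources that warrant attention.

    Medium: any request with a manipulation pattern, or REPEAT_THRESHOLD or
            more probes of known scanner paths (repeated active probing).
    Low:    fewer probes than the threshold (non-repeated scanning).
    Sources with neither are not flagged at all.
    """
    probes = defaultdict(int)
    manipulation = defaultdict(int)
    for rec in parse(log_text):
        path = rec["path"]
        if MANIPULATION.search(path):
            manipulation[rec["ip"]] += 1
        elif rec["status"] == "404" and path.startswith(PROBE_PATHS):
            probes[rec["ip"]] += 1

    result = {}
    for ip in set(probes) | set(manipulation):
        if manipulation[ip]:
            result[ip] = ("Medium", f"{manipulation[ip]} request(s) with parameter manipulation")
        elif probes[ip] >= REPEAT_THRESHOLD:
            result[ip] = ("Medium", f"repeated probing: {probes[ip]} known scanner paths")
        else:
            result[ip] = ("Low", f"non-repeated probing: {probes[ip]} request(s)")
    return result


if __name__ == "__main__":
    for ip, (rating, reason) in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:16} {rating:7} {reason}")
```

Run it as a script to print one line per flagged source; in practice the same function can be fed a real access log read from disk, and the Medium hits are the ones to hand to the incident owner for follow-up.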

Resources
Cheat Sheet for Server Admin.

Checking Microsoft Windows® Systems for Signs of Compromise

Security Incident Questionnaire for Responders

SANS SysAdmin Cheat Sheet