This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "I've Been Hacked-What Now"

m (My server has been hacked...what do I do now?)
Line 57: Line 57:
==Lessons Learned==
==Lessons Learned==
==Event Correlation and Aggregation (Streamlining)==
==Event Correlation and Aggregation (Streamlining)==
[ Cheat Sheet for Server Admin.]
[ Checking Microsoft Windows® Systems for Signs of Compromise]
[ SAN's SysAdmin Cheat Sheet]
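Review bot: the three added external-link entries carry no URL target; each bracket holds only a label (e.g. `[ Cheat Sheet for Server Admin.]`), so they will render as bracketed text rather than as links. The last entry, `[ SAN's SysAdmin Cheat Sheet]`, appears to refer to the SANS Institute sheet; the possessive spelling reads as a typo.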

Revision as of 07:39, 24 November 2008

My server has been hacked...what do I do now?

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.


Basic principles:

  • Incident identification/notification may occur from a number of information sources (events):
    • Staff reporting unusual activity
    • Staff, clients or public reporting a problem
    • Technical teams/support discovering evidence of an incident on systems.
    • Alerts from IDS, security monitoring systems, anti-virus software, firewalls or WAFs.
  • Roles:
    • A security incident owner must be assigned.
    • A point of contact must be available to respond to incidents at all times.
    • A security incident owner must track the security incident to remediation and resolution.

  • Examples of an incident:
    • Virus/malware infection
    • Unauthorized system changes
    • Unauthorized application/web site changes
    • Unauthorized disclosure of client information or information leakage
    • Theft or loss of company information/assets
  • Examples of an event:
    • Reports from an intrusion detection system, WAF, firewall or log-scraping system
    • Reports from vulnerability scanning/traffic monitoring/performance monitoring


Incident severity:

Risk Rating

  • Low:
    • Events that cannot be 100% identified as attacks and that have no effect on operations
    • False activation of intrusion detection systems, WAF alerts, etc.
    • Non-repeated scans or probing from an external uncontrolled network
  • Medium:
    • Incidents that have no negative impact on operations; identified attempts to actively breach information security controls, from an external or internal standpoint, that were unsuccessful
    • Repeated active probing or parameter manipulation from an external or internal source
    • Malware/rogue code/virus that has been successfully contained or removed
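The rating criteria above, and the later "Event Correlation and Aggregation" section, describe a triage step: correlate raw alerts by source so that repeated probes become one incident, then rate it Low or Medium. The following is an added example of that step, not code from the page; the event tuples, the outcome vocabulary (`unknown`, `blocked`, `contained`, `false_positive`, `succeeded`) and the `Escalate` result for anything the page does not rate are constructed assumptions.

```python
from collections import defaultdict

LOW, MEDIUM, ESCALATE = "Low", "Medium", "Escalate"

# Constructed sample event stream (not from the page): (source IP, kind, outcome).
SAMPLE_EVENTS = [
    ("203.0.113.7", "scan", "unknown"),            # one probe, not clearly an attack
    ("198.51.100.9", "param_tamper", "blocked"),   # same source blocked by the WAF 3x
    ("198.51.100.9", "param_tamper", "blocked"),
    ("198.51.100.9", "param_tamper", "blocked"),
    ("10.0.0.5", "malware", "contained"),          # anti-virus quarantined the file
    ("10.0.0.12", "ids_alert", "false_positive"),  # analyst confirmed false activation
    ("10.0.0.20", "param_tamper", "succeeded"),    # a control was actually breached
]

PROBING = {"scan", "param_tamper"}

def aggregate(events):
    """Correlate raw events by source so repeated probes become one incident."""
    by_source = defaultdict(list)
    for src, kind, outcome in events:
        by_source[src].append((kind, outcome))
    return by_source

def rate(hits):
    """Apply the page's Low/Medium criteria to one source's correlated events."""
    kinds = {k for k, _ in hits}
    outcomes = {o for _, o in hits}
    if "succeeded" in outcomes:
        # The page rates only Low and Medium; a successful breach goes to the
        # incident owner rather than getting a rating invented here.
        return ESCALATE
    if kinds == {"ids_alert"} and outcomes == {"false_positive"}:
        return LOW      # false activation of IDS/WAF
    if kinds == {"malware"}:
        return MEDIUM if outcomes <= {"contained", "removed"} else ESCALATE
    if kinds <= PROBING:
        if len(hits) == 1 and outcomes == {"unknown"}:
            return LOW  # non-repeated scan that cannot be confirmed as an attack
        return MEDIUM   # repeated probing, or an identified but unsuccessful attempt
    return ESCALATE     # unknown event kind: let a human classify it

def triage(events):
    """Return {source: rating} for an event stream."""
    return {src: rate(hits) for src, hits in aggregate(events).items()}

if __name__ == "__main__":
    for src, rating in triage(SAMPLE_EVENTS).items():
        print(f"{src:15} {rating}")
```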


Evidence Collection

Forensic Analysis


Incident Follow-up

Lessons Learned

Event Correlation and Aggregation (Streamlining)


Cheat Sheet for Server Admin.

Checking Microsoft Windows® Systems for Signs of Compromise


SANS SysAdmin Cheat Sheet