How To Get Back Hacked Website from Website Defacement Attack

As the cyber security specialist of my organization, I once had to recover a website that was under attack. In a large corporation this task is usually handled by the incident response team. Although I lean more towards the offensive side, in a small organization I have to carry out blue-team operations as well. Here I am going to share my experience and how you can recover from an attack like this.


Let's first look at what website defacement is.

Web defacement is an attack in which malicious parties penetrate a website and replace content on the site with their own messages. The messages can convey a political or religious message, profanity or other inappropriate content that would embarrass the website owners, or a notice that the website has been hacked by a specific hacker group. Most websites and web applications store data in environment or configuration files that affect the content displayed on the website or specify where templates and page content are located. Unexpected changes to these files can mean a security compromise and might signal a defacement attack. Common causes of defacement attacks include unauthorized access, SQL injection, cross-site scripting (XSS), DNS hijacking, malware infection and protocol fuzzing. Some examples of website defacement:

[screenshots of defaced websites]




The process I went through to trace the web-defacement attack


I was working in a scenario where the attacker used protocol fuzzing and got into the system. So the first thing I did was check the SIEM (Security Information and Event Management) to find out the situation. Not every organization has a SIEM, so you might have to go through several endpoints to find out. The first step is to find the infected server and the source of the attack. After finding the source I got some suspicious IPs and also checked where those IP addresses had tried to do something in our network. Once the infected server (in your case it could be any endpoint) is found, we should immediately start working on it. In my case it was the hacked server that the website was hosted on.


The second important thing is the firewall, because everything going in and out of the network is controlled by the firewall according to the rules set by the organization. The system logs and network logs that are generated are saved by the firewall. By checking the firewall logs we can determine whether the IP passed the DMZ (demilitarized zone) or the MZ (militarized zone). So when I went to the infected server, I first checked the server's system logs. From there I went to the authentication log to find out whether the attacker had authenticated. We can grep the results by the attacker's IP: cat auth.log | grep 199.203.x.x

We can also check the sockets to find out whether any connection has been established by the attacker. The command is ss -apn4 | grep 199.203.x.x and the output will look something like this:

[screenshot of ss output]
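As an added example (not code from the original post), here is a small POSIX shell script that does the log triage described above over a constructed auth.log sample: it counts failed and accepted SSH logins from one suspect IP, lists the accounts that IP logged in as, shows what those accounts then ran through sudo, and checks live sockets with ss as in the post. The host name web01, the IP 203.0.113.77 and every log line are constructed for this example; the ss check only returns something on a live Linux host.

```shell
#!/bin/sh
# Added example, not from the original post: auth.log triage for one suspect IP.
# The log lines, host name "web01" and the IP 203.0.113.77 are constructed samples.

SUSPECT_IP="203.0.113.77"

# Constructed sample of /var/log/auth.log (OpenSSH and sudo line formats).
make_sample_log() {
  cat <<'EOF'
Mar  3 10:01:12 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.77 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[2311]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 10:01:40 web01 sshd[2319]: Accepted password for www-data from 203.0.113.77 port 51030 ssh2
Mar  3 10:02:01 web01 sshd[2340]: Accepted publickey for deploy from 192.0.2.10 port 40011 ssh2
Mar  3 10:03:22 web01 sudo:   www-data : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/cp /tmp/index.html /var/www/html/index.html
EOF
}

# Every line that mentions the IP (the grep from the post, as a fixed-string match).
count_ip_events() { # $1=logfile $2=ip
  grep -c -F -- "$2" "$1"
}

# Brute-force noise: failed password attempts from the IP.
count_failed() { # $1=logfile $2=ip
  grep -F -- "$2" "$1" | grep -c "Failed password"
}

# The line that matters: a successful login means the attacker held a valid credential.
count_accepted() { # $1=logfile $2=ip
  grep -F -- "$2" "$1" | grep -c "Accepted "
}

# Accounts that logged in from the IP, deduplicated, one per line.
accounts_used() { # $1=logfile $2=ip
  grep -F -- "$2" "$1" | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from.*/\1/p' | sort -u
}

# What an account ran through sudo afterwards; here it shows the copy from /tmp into the web root.
sudo_commands_by() { # $1=logfile $2=user
  grep "sudo: *$2 :" "$1" | sed -n 's/.*COMMAND=//p'
}

# Live sockets involving the IP (ss -apn4 as in the post; -H drops the header so
# empty output means no connection). Only meaningful on a live Linux host.
live_sockets() { # $1=ip
  ss -Hapn4 2>/dev/null | grep -F -- "$1" || true
}

main() {
  log=$(mktemp)
  make_sample_log > "$log"
  echo "events from $SUSPECT_IP : $(count_ip_events "$log" "$SUSPECT_IP")"
  echo "failed logins         : $(count_failed "$log" "$SUSPECT_IP")"
  echo "accepted logins       : $(count_accepted "$log" "$SUSPECT_IP")"
  for u in $(accounts_used "$log" "$SUSPECT_IP"); do
    echo "account $u ran via sudo:"
    sudo_commands_by "$log" "$u" | sed 's/^/  /'
  done
  echo "live sockets:"
  live_sockets "$SUSPECT_IP" | sed 's/^/  /'
  rm -f "$log"
}

main
```

Point the functions at the real /var/log/auth.log and the real IP when working an incident; the accepted-login count and the sudo lines are what tell you whether the attacker merely knocked on the door or actually acted on the host.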



After checking all of that, I went to the server's configuration file to see where the website's folder is on the server. Going into the website's folder, I noticed that in index.html he had replaced the server's content file with his own file. We can also search whether he used the file elsewhere than in this folder; the command is find / -name (filename). I saw that he had also put it in the /tmp directory. The /tmp directory is very commonly used by hackers because it is safe for them and usually does not attract suspicion like the other important folders. I removed both files. In other scenarios this could happen in multiple folders; I removed them all as I found other suspicious things. That was my case and how I restored the website. In your case the scenario could be different, but the mitigations are very important to prevent future attacks like this.
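The post finds the attacker's file by name with find / -name. The following added example (not the post's own code) goes one step further and finds every copy by content hash, so a copy dropped in /tmp under a different name is found too, and then moves the matches into an evidence directory instead of deleting them, which keeps the artefacts for later analysis. The directory layout, the file contents and the paths are all constructed under a temporary directory so the script can run anywhere; it assumes sha256sum and find are available.

```shell
#!/bin/sh
# Added example, not from the original post: find every copy of the attacker's file by
# content hash (renamed copies in /tmp are found too), then move them into an evidence
# directory instead of deleting them. The directory layout is constructed under mktemp.

# Print the path of every regular file under the given directories whose SHA-256
# equals that of the reference file. $1 = reference file, $2.. = directories to search.
find_copies_by_hash() {
  ref=$(sha256sum "$1" | cut -d' ' -f1)
  shift
  # sha256sum prints "<64 hex chars>  <path>", so the path starts at column 67.
  find "$@" -type f -exec sha256sum {} + 2>/dev/null \
    | awk -v h="$ref" '$1 == h { print substr($0, length(h) + 3) }' \
    | sort
}

# Move every match into $2 (which must lie outside the searched directories),
# encoding the original path in the file name so it can be traced later.
quarantine_copies() { # $1=reference file $2=evidence dir, $3.. = directories to search
  ref="$1"; ev="$2"; shift 2
  mkdir -p "$ev"
  find_copies_by_hash "$ref" "$@" | while IFS= read -r p; do
    mv -- "$p" "$ev/$(printf '%s' "$p" | tr '/' '_')"
  done
}

# Constructed layout: a defaced index.html in the web root, a hidden copy under /tmp,
# and an unrelated legitimate index.html that must not be touched.
setup_demo() { # $1 = root directory
  mkdir -p "$1/var/www/html" "$1/tmp" "$1/home/alice/site"
  printf '<h1>defaced page (constructed sample)</h1>\n' > "$1/var/www/html/index.html"
  cp "$1/var/www/html/index.html" "$1/tmp/.cache"
  printf '<h1>legitimate page</h1>\n' > "$1/home/alice/site/index.html"
}

main() {
  root=$(mktemp -d); ev=$(mktemp -d)
  setup_demo "$root"
  echo "copies of the defaced file:"
  find_copies_by_hash "$root/var/www/html/index.html" "$root"
  quarantine_copies "$root/var/www/html/index.html" "$ev" "$root"
  echo "quarantined into $ev:"
  ls -A "$ev"
  rm -rf "$root" "$ev"
}

main
```

On a real host the reference file is the defaced index.html and the search directories are / (or the web root, /tmp, /var/tmp and /dev/shm if a full-disk hash is too slow); a copy of the web root from backup or version control is what you restore afterwards.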


The mitigation/remediation I would recommend for this situation:

First, we will delete the infected directories, because there could be hidden services or files in them.

Second, we will block the attacker's IP at the firewall, both inbound and outbound, so that he can't run further attacks or steal credentials. Even if he remains in the network he can't take data out of it. When setting the firewall rules, any traffic from the IP should be set to drop, not deny. If we set the rule to deny, it will send an ICMP type 3 reply, "Destination host unreachable", back to the attacker, and we don't want that. We will simply set the rule to drop the packets, which sends nothing back and just drops any packet that is sent. Lastly, we will commit the rules we just set in the firewall.
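The post does not name the firewall. The added example below (not the post's own code) assumes a Linux host using iptables, where the post's "deny" corresponds to the REJECT target, which answers with an ICMP unreachable, and "drop" to the DROP target, which answers with nothing. It inserts inbound, forwarded and outbound DROP rules for one address and then persists ("commits") the rule set; the address 203.0.113.77 and the save path /etc/iptables/rules.v4 are placeholders, and the script defaults to a dry run that only prints the commands so that running it as-is never changes a live firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables on Linux. DRY_RUN
# defaults to 1 so the commands are printed, not executed; set DRY_RUN=0 as root
# to apply them. The IP and the save path are placeholders.

DRY_RUN="${DRY_RUN:-1}"
BAD_IP="${BAD_IP:-203.0.113.77}"            # constructed placeholder address
SAVE_PATH="${SAVE_PATH:-/etc/iptables/rules.v4}"  # Debian/Ubuntu convention; adjust per distro

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# The preferred rules: silently drop everything to and from the address.
block_ip() { # $1 = address
  # -I inserts at the top of the chain so the drop wins over any later ACCEPT rule.
  run iptables -I INPUT   -s "$1" -j DROP   # inbound: no reply at all, unlike REJECT
  run iptables -I FORWARD -s "$1" -j DROP   # routed traffic, if this host forwards
  run iptables -I FORWARD -d "$1" -j DROP
  run iptables -I OUTPUT  -d "$1" -j DROP   # outbound: nothing on this host can reach it
  # Commit: persist the rule set so it survives a reboot.
  run sh -c "iptables-save > $SAVE_PATH"
}

# The weaker variant the post advises against, shown only for comparison:
# REJECT sends an ICMP destination-unreachable message back to the sender.
reject_ip_weak() { # $1 = address
  run iptables -I INPUT -s "$1" -j REJECT
}

# Count how many DROP rules block_ip emits in dry-run mode (used as a self-check).
count_drop_rules() { # $1 = address
  DRY_RUN=1 block_ip "$1" | grep -c -- '-j DROP'
}

main() {
  echo "rules that would be applied for $BAD_IP (DRY_RUN=$DRY_RUN):"
  block_ip "$BAD_IP"
}

main
```

Run it as root with DRY_RUN=0 on the actual firewall host; if the perimeter firewall is a separate appliance, the same idea applies there: a drop (silent) rule in both directions, inserted ahead of the permit rules, then committed to the saved configuration.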


I learned a lot from this incident as an apprentice working with my team. Sometimes these small incidents can bring disaster to an organization, as well as to its reputation and the trust people place in it. As cyber security specialists, our job is to protect the organization from these unwanted situations and to keep ourselves up to date with the world. Thank you...














