What To Do When Your Web Server Gets Hacked

This question keeps being asked by the victims of hackers breaking into their web server. The answers very rarely change, but people keep asking the question. I’m not sure why. Perhaps people just don’t like the answers they’ve seen when searching for help, or they can’t find someone they trust to give them advice. Or perhaps people read an answer to this question and focus too much on the 5% of why their case is special and different from the answers they can find online, and miss the 95% of the question and answer where their case is near enough the same as the one they read online.

That brings me to my first important nugget of information. I really do appreciate that you are a special unique snowflake. I appreciate that your website is too, as it’s a reflection of you and your business or at the very least, your hard work on behalf of an employer. But to someone on the outside looking in, whether a computer security person looking at the problem to try and help you or even the attacker himself, it is very likely that your problem will be at least 95% identical to every other case they’ve ever looked at.

Don’t take the attack personally, and don’t take the recommendations that follow here or that you get from other people personally. If you are reading this after just becoming the victim of a website hack then I really am sorry, and I really hope you can find something helpful here, but this is not the time to let your ego get in the way of what you need to do.

You have just found out that your server(s) got hacked. Now what?

Do not panic. Absolutely do not act in haste, and absolutely do not try and pretend things never happened and not act at all.

If you’ve read my previous post about risk management, or any of the much better articles about risk management out on the web, you’ll understand that the disaster has already happened. This is not the time for denial; it is the time to accept what has happened, to be realistic about it, and to take steps to manage the consequences of the impact.

Some of these steps are going to hurt, and (unless your website holds a copy of my details) I really don’t care if you ignore all or some of these steps, but following them will make things better in the end. The medicine might taste awful but sometimes you have to overlook that if you really want the cure to work.

Stop the problem from becoming worse than it already is:

  1. The first thing you should do is disconnect the affected systems from the Internet. Whatever other problems you have, leaving the system connected to the web will only allow the attack to continue. I mean this quite literally; get someone to physically visit the server and unplug network cables if that is what it takes, but disconnect the victim from its muggers before you try to do anything else.
  2. Change all your passwords for all accounts on all computers that are on the same network as the compromised systems. No really. All accounts. All computers. Yes, you’re right, this might be overkill; on the other hand, it might not. You don’t know either way, do you?
  3. Check your other systems. Pay special attention to other Internet facing services, and to those that hold financial or other commercially sensitive data.
  4. If the system holds anyone’s personal data, make a full and frank disclosure to anyone potentially affected at once. I know this one is tough. I know this one is going to hurt. I know that many businesses want to sweep this kind of problem under the carpet but I’m afraid you’re just going to have to deal with it.

Still hesitating to take this last step? I understand, I do. Nevertheless, let me break this down for you Robert-style:

In some places you might well have a legal requirement to inform the authorities and/or the victims of this kind of privacy breach. However annoyed your customers might be to have you tell them about a problem, they’ll be far more annoyed if you don’t tell them, and they only find out for themselves after someone charges $8,000 worth of goods using the credit card details they stole from your site.

Remember what I said in the previous section? The bad thing has already happened. The only question now is how well you deal with it.


How To Integrate Modern Macs To A Windows Network

A walk-through of the steps needed to join an OS X 10.3 or 10.4 client to a Windows 2000 or Windows 2003 domain.

Any time you see a Star [*] symbol in the text, this is a link to a screenshot of what is being discussed.

Setup (on the Windows DC)

  1. Open Active Directory Users and Computers (ADUC)[*] and decide on a location for the Apple Mac’s computer account. Best practice suggests creating an OU for Apple computer accounts.
  2. Create a computer account, giving it the name that you want to use for the Apple computer on your network – do not assign a GUID to make it a ‘managed’ account.
  3. Close ADUC.

Setup (on the OS X client)

  1. Login with an account that has admin access to the computer.
  2. Open System Preferences and open the Sharing tab.
  3. Check that the computer’s name is the same as the one we just used in ADUC. [*]
  4. Click Show All
  5. Click Network. Select your active connection, and click on TCP/IP
  6. (If you are using DHCP then some or all of this information is possibly already delivered by your DHCP server – check with the DHCP admin)
  7. Type in a suitable IP address, subnet mask, router address.
  8. Type in a DNS server address – ENSURE that at least the first DNS server in the list corresponds to an Active Directory DNS server.
  9. Click on Search Domains and fill in your Active Directory domain.
  10. Click Apply Now.[*]
  11. Click Accounts, then click Login Options, authenticating with your LOCAL admin account if asked.
  12. Under “Display Login Window As”, select “Name and Password”.[*]
  13. Close System Preferences.

Testing that the client computer can “see” the network.

  1. Open the finder, and navigate to the utilities folder inside applications.[*]
  2. Open the terminal, and ping domain controllers by NETWORK NAME to ensure that DNS resolution is working properly within your domain.
  3. Ensure that name and IP are resolved correctly and that the ping actually works. [*]
  4. Stop the ping and close the terminal when done.
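The DNS and ping check in the steps above, scripted for the OS X Terminal, as an added example that is not part of the original post; it assumes dig and ping are on the client and takes the AD domain (placeholder ad.example.com) as its argument.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-bind check run from
# Terminal on the OS X client. Same idea as the steps above: the first DNS
# server must be an AD DNS server, and the DCs must resolve and answer by name.
# Assumes dig and ping exist; the AD domain is given as $1 (placeholder:
# ad.example.com). Hostnames and addresses below are constructed samples.

# First "nameserver" entry from resolv.conf-style text on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# DC hostnames from "dig +short SRV" output (prio weight port target),
# trailing dot removed. Nothing printed means the server we asked publishes
# no AD SRV records, i.e. it is not an Active Directory DNS server.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Prints 1 if the host answers a single ping, 0 otherwise.
reachable() {
    if ping -c 1 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

if [ -n "$1" ]; then
    ns=$(first_nameserver < /etc/resolv.conf)
    if [ -z "$ns" ]; then
        echo "no DNS server configured (System Preferences > Network > TCP/IP)"; exit 1
    fi
    # An AD DNS server lists its domain controllers under _msdcs.
    dcs=$(dig +short @"$ns" SRV "_ldap._tcp.dc._msdcs.$1" | srv_targets)
    if [ -z "$dcs" ]; then
        echo "$ns returned no DC records for $1: make it an AD DNS server"; exit 1
    fi
    for dc in $dcs; do
        [ "$(reachable "$dc")" -eq 1 ] && echo "ok: $dc" || echo "FAIL: $dc"
    done
else
    # No domain given: show the parsers on constructed sample data instead.
    printf 'search ad.example.com\nnameserver 10.0.0.10\n' | first_nameserver
    printf '0 100 389 dc1.ad.example.com.\n0 100 389 dc2.ad.example.com.\n' | srv_targets
fi
```

A FAIL line for a DC that the AD DNS server advertises means the problem is routing or the DC itself, not the DNS entries configured in step 8.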


Binding the Mac client to the Windows Domain

  1. Run the directory access tool, which is also in the utilities folder.
  2. Tick “Active Directory”, then click Configure. [*]
  3. Fill in the Fully Qualified Domain Name of the Active Directory namespace (note, NOT the Active Directory Domain Controller!).
  4. Fill in the Computer name of the Mac. This should be the same as the one we set up earlier in ADUC on the Windows Server, and configured the Mac to use in System Preferences. [*]
  5. Click BIND. Authenticate with your local Admin password if asked to do so.
  6. Next, fill in the details of a Windows User Account with permissions to add computers to the domain. Typically this will be an admin’s account.
  7. IF you DID NOT pre-create a computer account for the Apple Mac, then fill in the Computer OU with the details of where you’d like the account to be created, using standard LDAP notation.
  8. If you HAVE pre-created a computer account, then leave this as it is.
  9. Ensure that both tickboxes are ticked.
  10. Click OK [*]

The client will now attempt to bind to AD and join the domain.

  1. If you HAVE pre-created a computer account then you should be asked if you wish to use an existing computer account. Click OK, because that is exactly what we’re trying to do. [*]
  2. When the operation is finished, you can close Directory Access by clicking OK.
  3. At this time you can also click Advanced Options to inspect and configure custom settings. I strongly suggest leaving these alone if you don’t know what they mean or why you would want to change them. [*]
  4. Logout.

If all goes well you should now be greeted with a login window that expects you to type in your username and password [*] instead of selecting from a list.

You should now be able to log in with an Active Directory account by typing in the username and password in the traditional manner, and you can also log in with a local account by specifying its username and password in the same way.