TYPO3 website hacked - where to start, what to do - by Marcus Krause <marcus@t3sec.info>
Typo3 website hacked

  1. TYPO3 website hacked - where to start, what to do - by Marcus Krause <marcus@t3sec.info>
  2. Example: defacement
  3. Overview
       • Immediate action
       • Prepare forensic analysis
       • Restore website
       • Information gathering
       • Report
       • Stay secure in future
  4. Immediate action
       • Take down your website (disable virtual host / HTTP status code 503)
       • Inform administrator or web hoster
       • Scan your PC for malware/spyware
       • No public discussion (forums, mailing lists; there is no help anyway)
  5. Prepare forensic analysis
       • Grab device image
       • Back up filesystem
       • Back up database
       • Back up logs
  6. Restore website
       • Set up new server / virtual hosting
       • Restore website from backup
       • Clean up infected website if no backup exists
       • Hire someone to clean the infected website
       • Update server environment / web applications (TYPO3 core, TYPO3 extensions)
  7. Information gathering
       • Hire somebody for forensic analysis OR
       • Collect as much information as possible and report to TYPO3 Security Team
  8. Information gathering: TYPO3 Security Team
       • Known vulnerability?
       • New attack vector?
  9. Information gathering: Questions
       • Local PC was infected by malware/spyware?
       • What happened? (defacement, etc.)
       • Where has it happened? (shared hosting, dedicated server)
       • When has it happened?
       • Strange data or behaviour?
       • Any other web application besides TYPO3?
       • Up to date with regard to TYPO3 advisories?
       • Versions of TYPO3 core & TYPO3 extensions?
  10. Information gathering: Logs to consider
       • TYPO3 sys_log table entries
       • Web server access logs
       • PHP error logs
       • ModSecurity logs
       • List of unexpected files or files with a strange access/modification time
       • OS logs (auth, audit, messages, secure)
       • IDS logs
       • AIDE/tripwire reports
  11. Report [email_address]
  12. Stay secure in future
       • Change passwords (hosting account, TYPO3 user accounts)
       • Stay up to date with regard to advisories
       • Keep local PC clean
       • Use secured file transfer (FTPS, SFTP, SCP)
       • Use SSL / sysext:rsa to access administration interface
       • Harden your server (SELinux, chroot, CGI PHP, FCGID, suEXEC, Open Basedir, ModSecurity, PHPIDS, TYPO3 Security Cookbook)
  13. Questions?
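One way to produce the "list of unexpected files or files with a strange access/modification time" named under the logs to consider, as an added example that is not part of the original slides. The function name, the reason labels and the assumption that fileadmin/ and uploads/ hold only editor content are illustrative; it needs a find that supports -cnewer and -iname (GNU and BSD find do).

```sh
#!/bin/sh
# Added example, not from the slides. Point it at the mounted device image or
# filesystem backup rather than the live docroot.
# Assumptions: classic TYPO3 layout where fileadmin/ and uploads/ hold editor
# content only; find supports -cnewer and -iname (GNU and BSD find do).
#
# suspicious_files DOCROOT SINCE UNTIL   (hypothetical helper name)
#   SINCE and UNTIL bound the suspected incident window, in `touch -t`
#   format CCYYMMDDhhmm. Prints sorted "REASON<TAB>PATH" lines:
#     mtime-in-window    content was modified during the window
#     ctime-only         inode changed during the window but mtime is older
#                        (chmod, chown, rename, or a back-dated mtime)
#     script-in-content  PHP-like file inside a content directory
suspicious_files() {
    root=$1
    ref=$(mktemp -d) || return 1
    # Reference files carry the window boundaries as their mtime.
    touch -t "$2" "$ref/since" && touch -t "$3" "$ref/until" ||
        { rm -rf "$ref"; return 1; }
    {
        find "$root" -type f -newer "$ref/since" ! -newer "$ref/until" \
            -exec printf 'mtime-in-window\t%s\n' {} \;
        find "$root" -type f -cnewer "$ref/since" ! -cnewer "$ref/until" \
            ! -newer "$ref/since" -exec printf 'ctime-only\t%s\n' {} \;
        for dir in fileadmin uploads; do
            [ -d "$root/$dir" ] || continue
            find "$root/$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                -o -iname '*.phtml' -o -iname '*.phar' \) \
                -exec printf 'script-in-content\t%s\n' {} \;
        done
    } | LC_ALL=C sort
    rm -rf "$ref"
}

# Usage: sh this_script.sh DOCROOT SINCE UNTIL
if [ "$#" -eq 3 ]; then
    suspicious_files "$@"
fi
```

The ctime-only check is meaningful on the mounted device image only: a file-level copy gives every file a fresh ctime. Compare the resulting paths against the web server access logs for the same window.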
