Once you’ve identified that a malware attack has occurred, whether via an IoC like the one above or a system that flags an issue, there are a number of actions you should take:
1) Assume your entire environment is compromised:
If an attacker has already gained access to the server or website, it is likely they tried to harvest additional credentials to extend that access. This activity is often invisible, so prepare for the worst and seek expert advice.
2) Force a password reset:
Reset the passwords of all users in that system, not just administrators. Even a low-privilege account needs to be reset (including your own). Not all attackers take what they need and leave: some keep accessing an account to monitor your data or continue stealing information over time.
3) Audit remaining users:
Updating passwords is not enough. Inspect the user records in the database: do you recognize the name and email address associated with each account, and do you recognize every account that exists? If you reset a user’s password but the attacker had already changed that account’s email address, the “forgot password” function lets them undo your reset.
4) Replace CMS core files:
Operating under the assumption that everything is compromised, replace the core files of your CMS with a fresh copy of the same version from the vendor. In WordPress, wp-admin and wp-includes are safe to replace wholesale if your developers are following best practices (custom code belongs in wp-content, not in core, and wp-config.php must be kept); in Joomla, stay within the includes and libraries directories. Going beyond that is risky without professional help.
5) Check integrity of extensions:
Regardless of the CMS you are using, almost all are built on an extensible architecture that lets you add and configure plugins, themes, templates, extensions, modules and components. Take the time to a) reinstall each one from its official source if possible, or b) go through its files and directories and compare them against a clean copy, looking for anything added or modified.
6) Enable 2FA / MFA on access control nodes:
Most CMS applications offer some form of two-factor or multi-factor authentication via a plugin, module or extension. Research the ones that fit into your everyday routine without friction, and enable them on every administrative login point.
7) Restrict access by location:
This is often the most contentious recommendation for website owners: restricting administrative access, for example to known IP addresses. It throws a wrench into the idea that they can administer the site from anywhere at any time, but in reality that is rarely the case; it is the idea of having that freedom rather than an actual need. If you can live with the restriction, it is highly recommended.
8) Perform some level of forensics:
If an IoC flagged the compromise, you are actually in a good position: you know exactly when the user or file was added. That is huge from a forensics perspective, because it gives you a pivot point for a timeline of events and tells you exactly where to look in your logs. This is not always possible, but it is recommended.
9) Employ a Website Firewall at some level:
Whether you use ours or someone else’s, this is an important step, because all of the actions above are moot if the attacker is or was able to exploit a vulnerability to get back in. Forensics can identify the likely entry point beyond the access node, but that is reactive, not proactive, so how will you address the unknowns going forward? For the more technically minded this might be a fun challenge, but for the everyday website owner it will be a nightmare.
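As an added example (not code from the original article or from Sucuri), the following Python script shows the mechanics behind steps 4, 5 and 8: it hashes a known-good copy of the CMS tree, diffs the live tree against it to list modified, added and missing files, and then pulls the access-log entries around the time an unexpected file appeared so you can see which client was active. The directory layout, IP addresses and log lines are constructed sample data; the known-good tree is assumed to be a fresh download of the same CMS version from the vendor, and the access log is assumed to be in the Apache/Nginx “combined” format.

```python
"""Added example: file-integrity diff of a CMS install plus a log window
around an unexpected file. Sample paths, IPs and log lines are constructed."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timedelta


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare(known_good, live):
    """Return (modified, added, missing) lists of relative paths.
    'added' is the interesting list after a compromise: core and extension
    directories should contain nothing the vendor did not ship."""
    modified = sorted(p for p in live if p in known_good and live[p] != known_good[p])
    added = sorted(p for p in live if p not in known_good)
    missing = sorted(p for p in known_good if p not in live)
    return modified, added, missing


# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "ip": match.group("ip"),
        "ts": datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": match.group("method"),
        "path": match.group("path"),
        "status": int(match.group("status")),
    }


def log_window(lines, pivot, minutes=10):
    """Entries within +/- `minutes` of `pivot` (e.g. the mtime of an added file)."""
    low, high = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    records = (parse_line(line) for line in lines)
    return [r for r in records if r and low <= r["ts"] <= high]


def actors(records):
    """Client IPs seen in the window; each is a candidate for the attacker."""
    return {r["ip"] for r in records}


# Constructed sample log: a login, a plugin upload, a hit on a file that the
# integrity check reports as 'added', and unrelated traffic hours later.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:41 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:15:02 +0000] "GET /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:30:11 +0000] "GET / HTTP/1.1" 200 14022 "-" "Mozilla/5.0"
""".splitlines()


def demo():
    """Build a clean tree and a tampered copy, diff them, then pull the log window."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):  # identical 'vendor' files in both trees
            os.makedirs(os.path.join(root, "wp-includes"))
            with open(os.path.join(root, "wp-includes", "functions.php"), "w") as f:
                f.write("<?php // vendor code\n")
            with open(os.path.join(root, "index.php"), "w") as f:
                f.write("<?php require 'wp-blog-header.php';\n")
        # Tamper with the live copy: modify core, add a stray file, drop a file.
        with open(os.path.join(live, "index.php"), "a") as f:
            f.write("// injected line\n")
        os.makedirs(os.path.join(live, "wp-content", "uploads"))
        with open(os.path.join(live, "wp-content", "uploads", "cache.php"), "w") as f:
            f.write("<?php // not shipped by the vendor\n")
        os.remove(os.path.join(live, "wp-includes", "functions.php"))
        modified, added, missing = compare(build_manifest(clean), build_manifest(live))
    # In a real case the pivot is the mtime of the added file; fixed here.
    pivot = datetime.strptime("10/Mar/2024:02:15:02 +0000", "%d/%b/%Y:%H:%M:%S %z")
    window = log_window(SAMPLE_LOG, pivot)
    return modified, added, missing, actors(window), len(window)


if __name__ == "__main__":
    print(demo())
```

To run this against a real install, replace the temporary directories in demo() with the path of a fresh vendor download and your document root, and feed log_window() the lines of your access log with the mtime of the added file as the pivot. WordPress users can get the core and plugin halves of this check from WP-CLI with `wp core verify-checksums` and `wp plugin verify-checksums --all`, which compare against the checksums published by WordPress.org.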
These are nine basic steps to follow in order to reduce, detect and even stop a malware attack. At the first suspicion that something is wrong on your website, application or server, you should already know what your first step will be, before it is too late. Expert advice is the most reliable answer to a malware attack, so you can get in touch with us at any time. We hope these actions help you detect any problem in time. If not, let us know about your experience during malware attacks, and do not forget that we are experts at Malware Removal.