Case Study of a Hacked Client

A client came to us after their site was hacked. The hacker gained access to their site and stole multiple credit cards. With the credit card companies asking for an explanation, they hired NuEthic to do the investigation.

Investigation: We needed to figure out where the point of penetration was first. We went through all of the server logs from the last month, and couple IPs stood out to us. So we continued to follow the bread crumbs of that IP. The logs showed us a lot of information that we needed. It showed a couple points where there was information uploaded and downloaded. Tracing the files through the server, we found some code that would send off the credit card information from the checkout page. We also found an empty image file from a product that no longer being used. It was not uncommon that the client had old images in their database that were not being used. What was special about this old image was it was empty, as in it no longer contained regular image information. We believed this was set up to store stolen credit card information, which would be downloaded later. The continuous sending of credit card information was what tipped us off to this particular IP in the first place.

The Fix: So the first thing we needed to do was to fix the static files in the checkout that had been hacked. We noticed that there was a robot that was scheduled to hack the site every 20 minutes, and re insert the hacked code. So we set up a cron job to refresh the static files at the same time to counter it while we tracked the intrusion. We knew that the next course of action was to block off any chances of this hack to happen again. Nuethic then changed the admin URL to something different, and we audited all of the admin passwords just as a precaution. Then the next difficult part was. We didn’t feel good about just finding the issue and removing it we wanted to make sure we did everything possible to prevent this from happening in the future. So we shut down the site, copied the database, and moved it to a different server. Once we finally movied the site, we took even more precautions. We wrapped the site in a security programs, scheduled security scans with the new host, and then we updated the core code of the site.

Today: Today the client is safe. Their site is functioning well and there has not been another card stolen from their site. With our fast action, and creative investigations, we were able to get the client fixed and moved to another host safe within 2 days.