I'm not super technical and it's not something I'll ever have to deal with but I'm curious; when a website is compromised how do you find out what they did and what data they took? Presumably the attacker will try and hide their tracks so I'm interested to know how you get a full understanding of what they did.

Additionally, is this something you prepare for, as part of a disaster recovery plan so to speak, and what is your plan of action should an attack be carried out?
The first thing to determine is if only write access to the web site's document root was achieved or if the operating system itself has been compromised.

If your site was only defaced, you need to patch or reconfigure your web stack so it doesn't happen again. And restore your content from known good backups.

If the OS was compromised, you must format and reinstall everything. This is because 'root kits' may be undetectable once they are installed by attackers.

Depending on the risk to other systems, if the OS is not open source I always format and reinstall.
Unfortunately, unless you have a very deep understanding of your operating system AND you're logging audit to a REMOTE system, you should assume the worst and reinstall all reachable systems from scratch. Invalidate all ssh keys. Then check your databases for suspicious admin accounts before going live.

If not, how do you know if backdoors were installed, if the databases were modified, if local (known or unknown) exploits were used to gain root or if private ssh keys were stolen or used to gain access to other servers?
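Two of the checks the answer above recommends before going live again (unknown SSH keys in `authorized_keys`, and admin accounts in the database that nobody provisioned) can be scripted so they are repeatable rather than eyeballed. The following is an added example, not code from anyone in this thread; the key blobs, the `users` table and the allow-lists are all constructed sample data, and the fingerprint format (SHA256 over the decoded key blob, base64 without padding) is the one `ssh-keygen -lf` prints.

```python
"""Post-compromise triage helpers (added example; all sample data is constructed)."""
import base64
import hashlib
import sqlite3

# OpenSSH key-type fields start with one of these prefixes; the key blob follows.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(authorized_keys_line: str) -> str:
    """Return 'SHA256:<base64>' for one authorized_keys line.

    Handles an optional leading options field (e.g. from="10.0.0.5") by
    locating the key-type token instead of assuming the blob is field two.
    """
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key material found in line")


def key_comment(authorized_keys_line: str) -> str:
    """Return the trailing comment (typically user@host) of a key line, or ''."""
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES):
            return " ".join(fields[i + 2:])
    return ""


def audit_authorized_keys(text: str, known_good: set[str]) -> list[tuple[str, str]]:
    """Return (fingerprint, comment) for every key whose fingerprint is not on the allow-list."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key material
        fp = key_fingerprint(line)
        if fp not in known_good:
            flagged.append((fp, key_comment(line)))
    return flagged


def fake_key_blob(seed: bytes) -> str:
    """Constructed stand-in for a key blob; real blobs encode the key type and key material."""
    return base64.b64encode(b"constructed-blob:" + seed).decode()


# Constructed authorized_keys content: two provisioned keys plus one nobody recognises.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy key for CI (constructed)",
    "ssh-ed25519 " + fake_key_blob(b"deploy") + " deploy@ci",
    "",
    'from="10.0.0.5" ssh-ed25519 ' + fake_key_blob(b"alice") + " alice@laptop",
    "ssh-ed25519 " + fake_key_blob(b"unknown") + " nobody@nowhere",
])

# Allow-list built from the keys the team knows it provisioned (constructed).
KNOWN_GOOD_FINGERPRINTS = {
    key_fingerprint("ssh-ed25519 " + fake_key_blob(b"deploy")),
    key_fingerprint("ssh-ed25519 " + fake_key_blob(b"alice")),
}


def build_sample_db() -> sqlite3.Connection:
    """In-memory users table with one admin that was never provisioned (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role, created_at) VALUES (?, ?, ?)",
        [
            ("alice", "admin", "2023-01-10T09:00:00"),
            ("bob", "editor", "2023-02-01T12:00:00"),
            ("sysadm1n", "admin", "2023-03-15T03:12:44"),  # not on the provisioned list
        ],
    )
    return conn


def find_unexpected_admins(conn: sqlite3.Connection, provisioned_admins: set[str]) -> list[tuple[str, str]]:
    """Return (username, created_at) for admin-role accounts not on the provisioned list."""
    rows = conn.execute(
        "SELECT username, created_at FROM users WHERE role = 'admin' ORDER BY created_at"
    ).fetchall()
    return [(name, created) for name, created in rows if name not in provisioned_admins]


if __name__ == "__main__":
    for fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD_FINGERPRINTS):
        print("unknown ssh key:", fp, comment)
    for name, created in find_unexpected_admins(build_sample_db(), {"alice"}):
        print("unprovisioned admin:", name, "created", created)
```

The allow-lists are the important part: both checks only work if the list of provisioned keys and admin accounts is kept somewhere the attacker could not edit, which is the same reason the answer insists on audit logs going to a remote system.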