Best practices to respond to a security incident

Engage your system integrator and appropriate security personnel to conduct investigation and remediation efforts.

Determine the scope of the attack:

• Was credit card information accessed?
• What information was stolen?
• How much time has elapsed since the compromise?
• Was the information encrypted?

Try to find the attack vector to determine when and how the site was compromised, by reviewing server log files and file changes.

• In certain circumstances, it may be advisable to wipe and reinstall everything or, in the case of virtual hosting, create a fresh instance. Malware could be hidden in an unsuspected location just waiting to restore itself.

• Remove all unnecessary files. Then, reinstall required files from a known, clean source. For example, you can reinstall using files from your version control system, or from the original distribution files from Adobe.

• Reset all credentials, including the database, file access, payment and shipping integrations, web services, and Admin login. Also reset all integration and API keys and accounts that might be used to attack the system.

Audit Admin Action Logs.

The Action Logs Report displays a detailed record of all admin actions that are enabled for logging. Each record is time stamped and registers the IP address and name of the user. The log detail includes admin user data and related changes that were made during the action.

Analyze events with the Observation for Adobe Commerce tool.

The Observation for Adobe Commerce tool allows you to analyze complex problems to help identify root causes. Instead of tracking disparate data, you can spend your time correlating events and errors to gain deeper insights into the causes of performance bottlenecks.

Use the Security tab in the tool to get a clear view of potential security issues to help identify root causes and keep sites performing optimally.

Analyze logs with New Relic Logs

Adobe Commerce on cloud infrastructure Pro projects include the New Relic Logs service. The service is pre-configured to aggregate all log data from your Staging and Production environments to display it in a centralized log management dashboard where you can search and visualize aggregated data.

For other Commerce projects, you can set up and use the New Relic Logs service to complete the following tasks:

• Use New Relic queries to search aggregated log data.
• Visualize log data through the New Relic Logs application.

Review Admin user access—Remove old, unused, or suspicious accounts and rotate passwords for all Admin users.

Review Admin security settings—Verify that Admin security settings follow security best practices.

Review user accounts for Adobe Commerce on cloud infrastructure projects—Remove old, unused, or suspicious accounts and rotate passwords for all cloud project Admin users. Ensure that account security settings are configured correctly.

Audit SSH keys for Adobe Commerce on cloud infrastructure—Review, delete, and rotate SSH keys.

From the Admin, review the HTML Header and Footer configuration in all scope levels, including website and store view. Remove any unknown JavaScript code from the scripts and style sheets, and miscellaneous HTML settings. Retain only recognized code such as tracking snippets.

Compare the current production code base to the code base stored in the Version Control System (VCS).

Quarantine any suspicious code.

Ensure that there are no remnants of suspicious code by redeploying the codebase to the production environment.

Review any stored procedures for modifications.

Verify that the database is only accessible by the Commerce instance.

Verify that malware is no longer present by scanning the site with publicly available malware scanning tools.

Secure the Admin panel by changing its name and verifying that the site app/etc/local.xml and var URLs are not publicly accessible.

Continue to closely monitor the site after the incident as many sites get compromised again within hours. Ensure ongoing log review and file integrity monitoring to quickly detect any signs of new compromise.