Your website has been hacked. A fairly obvious question is how it was hacked. Can you determine that? The short answer is maybe.
Another short answer is that many of the people you might bring in to deal with the hack won’t even try to determine that. They should. So why don’t they? A lot of them are using automated tools to do cleanups and don’t have the expertise to try to figure out how the website was hacked. Doing a (possibly poor quality) automated hack cleanup is cheap; having employees who do the work to try to determine how it got hacked isn’t so cheap. There are further reasons they don’t do this. Many security providers’ businesses are built around security remaining poor, so finding and fixing new vulnerabilities isn’t great for them. There is also the issue that many providers are partnered with sources of insecurity. One provider, Sucuri, is owned by GoDaddy, who admitted, belatedly, that their own insecurity got lots of customers’ websites hacked. Unsurprisingly, Sucuri doesn’t really try to figure out how websites are hacked.
Your best chance of figuring out how a website is hacked is bringing in someone who has experience trying to determine that as soon as possible. The longer you wait, the more likely that evidence, particularly logging, will be gone. If you bring in someone after a cleanup has been done, that will further limit the evidence available.
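One thing a site owner can do while waiting for that person, without attempting the analysis themselves, is to snapshot the logs before rotation or a cleanup overwrites them. The following is an added example, not code from the original post or its author: it copies whichever of the named log files still exist (the paths and the sample log lines are constructed assumptions) into a read-only evidence directory and records SHA-256 digests in a manifest, so that anyone who later examines the copies can check that they have not been truncated or edited since they were taken.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample access-log lines (not real traffic), used by demo() below.
SAMPLE_ACCESS_LOG = (
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1234\n'
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0\n'
)

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_paths, archive_dir):
    """Copy each existing log into archive_dir, mark the copies read-only and
    record their SHA-256 digests in a manifest. Returns {name: digest}.
    Missing files are skipped rather than raised, since on a hacked site some
    logs may already have been rotated or deleted."""
    archive = Path(archive_dir)
    archive.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, log_paths):
        if not src.is_file():
            continue
        dst = archive / src.name
        shutil.copy2(src, dst)   # copy2 keeps the original mtime on the copy
        os.chmod(dst, 0o444)     # read-only, to discourage accidental edits
        manifest[src.name] = sha256_file(dst)
    with open(archive / MANIFEST_NAME, "w") as fh:
        for name, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {name}\n")   # same layout that sha256sum -c accepts
    return manifest


def verify_archive(archive_dir):
    """Recompute every digest in the manifest; return the names that no longer match."""
    archive = Path(archive_dir)
    mismatches = []
    with open(archive / MANIFEST_NAME) as fh:
        for line in fh:
            digest, name = line.rstrip("\n").split("  ", 1)
            target = archive / name
            if not target.is_file() or sha256_file(target) != digest:
                mismatches.append(name)
    return mismatches


def demo():
    """Write the constructed log, preserve it, then show that a later edit is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "access.log"
        log.write_text(SAMPLE_ACCESS_LOG)
        archive = Path(tmp) / "evidence"
        # error.log is deliberately absent to show that missing logs are skipped.
        manifest = preserve_logs([log, Path(tmp) / "error.log"], archive)
        clean = verify_archive(archive)
        copy = archive / "access.log"
        os.chmod(copy, 0o644)
        copy.write_text(SAMPLE_ACCESS_LOG.replace("POST", "GET"))  # simulate tampering
        tampered = verify_archive(archive)
        return {
            "preserved": sorted(manifest),
            "digest_matches_source": manifest["access.log"]
            == hashlib.sha256(SAMPLE_ACCESS_LOG.encode()).hexdigest(),
            "clean_mismatches": clean,
            "tampered_mismatches": tampered,
        }


if __name__ == "__main__":
    print(demo())
```

In real use you would pass the web server's actual access and error log paths (and any rotated copies) to preserve_logs and store the archive somewhere the web server cannot write to; the manifest lets the person you bring in confirm the logs they receive are the ones that were taken.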
We wouldn’t recommend trying to figure this out yourself. We often deal with people who have, to varying degrees, tried that, and we often find that they are suggesting possible sources of the hack that are not really possible or would be highly unlikely.
Even if you bring in someone who has a lot of experience doing this, they may not be able to determine the source of the hack, and not because of any fault on their part: the evidence needed to determine it simply may not exist. For example, if a web host is getting hacked, most of the evidence of that would only be available to the web host, so anyone else would only have circumstantial evidence to work with.
Even if the source can’t be determined, it is important to try to determine it. A large reason for that, we have found, is that it helps to make sure the hack is fully cleaned up. We are often brought in to re-clean websites where there wasn’t an attempt to determine the source, and when we do that we find parts of the hack that were missed before.