Security Incident Work

Emergency Response

Work Period: October 13-17, 2025

Prepared For: WASH Institute

Prepared By: Shreshth Mohan

Summary

• Emergency response following security breach of WASH Institute web properties
• Forensic investigation, server restoration, and root cause analysis completed
• Three detailed reports delivered with remediation action plan
• All sites restored to pre-attack state with GitHub backups established

1. WORK PERFORMED

OCT 13

Emergency Response

✓ Assessed security breach scope across all WASH Institute properties
✓ Implemented emergency redirects to protect users (coordinated with Amit)
✓ Quarantined compromised WordPress/PHP sites
✓ Initial attack vector identification

OCT 13-14

Forensic Investigation

✓ Analyzed server logs and access patterns
✓ Identified attack vector: form-based file upload vulnerability
✓ Created detailed technical timeline of the attack
✓ Compiled comprehensive list of 5,942 affected files
✓ Documented attacker's methodology and cleanup attempts
✓ Traced attack chain from initial compromise to full site infection

Deliverable:

Attack Investigation Report

OCT 14-15

Server Restoration

✓ Coordinated with Nitin for clean backup restoration (October 1st snapshot)
✓ Verified file integrity across all restored files
✓ Addressed GoDaddy IP address change issue
✓ Backed up MTU files to GitHub repository for version control
✓ Created GitHub backup of Urban site (WordPress files + database + assets)
✓ Confirmed all sites restored to pre-attack state

OCT 14-16

Root Cause & Security Analysis

✓ Identified primary vulnerability and contributing factors
✓ Analyzed attack chain and why existing defenses failed
✓ Researched WordPress security best practices and plugins
✓ Documented comprehensive lessons learned
✓ Created security comparison: WordPress/PHP vs Static HTML
✓ Developed prevention strategies and security checklist
✓ Analyzed trade-offs of static HTML approach

Deliverable:

Root Cause & Security Analysis Report

OCT 16

Stakeholder Consultation & Planning

✓ Call with Arvind to assess Urban site CMS usage and requirements
✓ Static conversion feasibility test (6 pages proof-of-concept)
✓ Collective decision on Urban site strategy (WordPress on isolated server)
✓ Evaluated migration options for all three sites

OCT 16-17

Remediation Strategy & Action Plan

✓ Developed three-tier priority-based remediation approach
✓ Created detailed implementation checklists for each site
✓ Researched and recommended WordPress security plugins (Wordfence, Patchstack, Defender)
✓ Documented resource requirements and cost estimates
✓ Defined success criteria for complete remediation
✓ Created decision framework for stakeholder approvals

Deliverable:

Remediation & Action Plan

2. DELIVERABLES

✓ Attack Investigation Report - Forensic analysis and timeline
✓ Root Cause & Security Analysis - Prevention strategies and security checklist
✓ Remediation & Action Plan - Implementation roadmap for all sites
✓ Affected Files List (5,942 files catalogued) ( TXT )
✓ Server restoration coordination and verification
✓ Site backups: MTU GitHub Repository | Urban GitHub Repository

3. COST

₹60,000 + GST

Professional services for emergency incident response and analysis