Web Hosting Talk
Got Hacked - Please Help


certify
05-07-2001, 05:05 AM
My website just got hacked... Someone is sending this using my server's IP!! How do I prevent this from happening again?? Please help...

One of the IP addresses attached to your domain attempted to break into one of my machines. I consider this a serious matter and request that you cooperate in identifying the perpetrator and stopping this activity. I will consider pursuing available civil and criminal remedies.
If you are peering with the destination ISP, you are also under an obligation to enforce terms of service that prevent such attacks.
This attempt is also being reported to CERT and US Federal CyberCrime unit.
This attempt was detected by Black Ice Defender. Times are UDT. Details:
39 2001-05-06 21:44:17 2003016 RPC TCP port probe 209.217.54.61 www.certifyexpress.com 12.98.175.226 port=111&reason=Firewalled 3 A

Tim Greer
05-07-2001, 09:23 AM
If you didn't launch the attack, don't panic. Change your passwords on your server, back up all the logs and action history files, etc. Download them as well, onto your home system. Contact your ISP and someone that can assist you and get their help in tracking this user. This user may or may not have left logs of themselves. In fact, there likely aren't any, as system crackers often run programs to alter the log files.

Nonetheless, time is of the essence. You need to change your passwords, get someone to go into the system and find out what's been done, how they got in and fix that security issue, and assist you in trying to determine where this user accessed your system from, what they did and try and clean the system up, if possible. Check your user file (depending on your OS) for any root users that shouldn't be there. For example, in /etc/passwd, look for any users, other than root, that are in the user or group number of 0 (zero) and remove that user immediately.

Try and get assistance with this as soon as possible, since there are many more things to do. The point is, until you get that assistance, you should do what you can to back up any logs or evidence before the person can remove their information from the logs, if that hasn't already happened. If I knew of a site off hand, I'd suggest one, but CERT.org likely has some "okay" information on intrusion detection and other such relevant advice and information in regards to tracking offenders and system security violations.

Surely, a search using your favorite search engine (Google.com, for example) and typing in the relevant key words or phrasings will find results on the type of OS you have and what steps to take. Sorry, it's 6:30 AM here and I need sleep, so I'm not able to sit here and type out many helpful suggestions.
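A small script along the lines of the /etc/passwd check Tim describes, added here as an example and not part of the original thread. The sample passwd content is constructed, and the script goes slightly beyond the post by also flagging empty password fields and malformed lines:

```python
# Constructed sample /etc/passwd content (not from any real system): a
# normal root entry, ordinary accounts, and planted entries that a
# post-compromise audit should flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup root:/:/bin/sh
ftpadm:x:1001:0:ftp admin:/var/ftp:/bin/bash
guest::1002:1002:guest:/home/guest:/bin/sh
broken line without fields
"""


def audit_passwd(text):
    """Return a list of (account, reason) findings for passwd-format text.

    Flags every account other than 'root' that carries UID 0 or GID 0 (the
    check described in the post above), any account with an empty password
    field, and any line that is not a valid seven-field passwd record.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed passwd entry"))
            continue
        name, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((name, "non-numeric uid/gid"))
            continue
        if name != "root" and int(uid) == 0:
            findings.append((name, "uid 0 (root-equivalent) account"))
        if name != "root" and int(gid) == 0:
            findings.append((name, "primary group 0 (root group)"))
        if pw == "":
            findings.append((name, "empty password field"))
    return findings


if __name__ == "__main__":
    # On a real system, read /etc/passwd and pass its contents instead.
    for who, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {why}")
```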

certify
05-08-2001, 02:57 AM
It seems I've received lots of e-mails from everybody. :angry: This is getting very serious....

I've changed my password, installed the latest patches for my server, installed SSH... What's next?

cbaker17
05-08-2001, 10:25 AM
More than likely, if they got into your system, they installed a root kit and back door access, which means you can tighten up security around the server as much as you want, but there's a hidden door on there that is always open for the hacker/cracker to come in as he/she pleases. You'll have to reformat your system with a fresh OS install. There are some utils that help look for signs of root kits; I forget the URLs though. Tim might know.

vizi
05-08-2001, 12:30 PM
Read this article: http://www.cert.org/tech_tips/root_compromise.html

It is a good article, but ultimately, you will need to reinstall from scratch to make sure you're 100% safe. Also, being hacked tells you that you left security holes open. You should make a check list of everything you're installing and you should verify that every patch for the products on your check list has been applied.

certify
05-08-2001, 02:03 PM
Format my OS??? Wow sounds like I'll have to spend my entire week working on it. :bawling:

lith
05-08-2001, 10:16 PM
A way of identifying rootkits is typing "ps -u root" and showing all processes under root. If anything looks rather strange, kill the process. This usually works and disables the backdoor.

http://www.chkrootkit.org/

This tool checks locally for signs of rootkits. If you are running telnetd, you might want to disable it, as Kerberos has been known to be exploited through telnetd.

If you need help in securing Linux and FreeBSD, feel free to email me at gazerguy@swbell.net.