A brief background on my website: It's a social networking website built on Drupal with Red5 installed as well as a Flash Chatroom Client. It has an ASF Firewall.
Tonight I was logged in under two separate accounts in my home, one on my desktop and one on my Macbook. I was sitting in the chatroom under both usernames and I went to go take care of a few things. I returned a short while later to find that both of my usernames had been banned.
This immediately raised serious concerns in my mind as I knew that there was at least one individual who had expressed desires to cause harm to my website in the past through a chat log that I'd been sent from an acquaintance.
I went and investigated further and found that it was my third account who had banned everyone. Myself and my website developer are the only two people who have access, currently, to administrative accounts for the website and the chatroom.
I immediately deleted the account that had banned us both from the database, removed administrative abilities from my secondary account, and changed the password with a password generator on my primary account.
I called my hosting provider and informed them of the incident and requested an IP log as well. I scanned through the IP log, checking every single IP in the log with an IP Address Locator.
One of the IPs in the log matched the location of the individual with malicious intentions, as I'd looked at the analytics and statistics on his website in the past and noted both his name and the town/state that his "office" was located in.
I focused in on the activities of this one IP and found that it had indeed entered the chatroom, invisibly, as one of my administrative accounts. I called my hosting company back and asked them to ban this particular IP at the firewall so that at least they would need to refresh their IP or go through a proxy server.
I've done further research and I now have this individual's full name, full address, and both telephone numbers and I've also requested the IP log for this individual IP sent to me as a file by my hosting provider so I can burn it to a disk.
My website developer and I, as I stated earlier, are the only two people who would have access and I'm running a full, thorough virus scan as I'm typing this to ensure that I haven't been hit with a trojan or a keylogger of some sort despite the fact that I haven't visited any websites that I don't already visit on a daily basis since well before I started this website.
I'm not really sure how they could've possibly gained access to one of my administrative accounts on the website.
My question is: what else is there that I can do to try and mitigate the chances of something like this happening in the future?
Well, if there's a bug in your software that he found and it allowed him to do this, the most important thing would be to either figure out how he got in from your logs, since you have his IP, or else maybe hire someone to pen test the site and see what they come up with.
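The log review described in the original post (checking each IP in the hosting provider's log) and suggested again in the reply above can be done systematically rather than by eye. The following is an added example, not code from the original thread or from Drupal: it parses web-server access log lines in the common "combined" format, groups requests to Drupal's login and `/admin` paths by client IP, and flags any IP that successfully reached admin pages but is not on an allowlist of addresses the site owner and developer are known to administer from. The log lines, the allowlist address, and the path prefixes are constructed sample values for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format (not from the poster's real log).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2011:22:14:03 -0500] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2011:22:14:09 -0500] "GET /admin/user/user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.25 - - [12/Mar/2011:22:20:41 -0500] "GET /node/42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.88 - - [12/Mar/2011:22:31:17 -0500] "POST /user/login HTTP/1.1" 302 0 "-" "curl/7.21.0"
192.0.2.88 - - [12/Mar/2011:22:31:25 -0500] "GET /admin/user/user/1/edit HTTP/1.1" 200 4096 "-" "curl/7.21.0"
192.0.2.88 - - [12/Mar/2011:22:31:40 -0500] "POST /admin/user/user/1/edit HTTP/1.1" 302 0 "-" "curl/7.21.0"
"""

# Constructed allowlist: addresses the site owner and developer are known to administer from.
KNOWN_ADMIN_IPS = {"203.0.113.7"}

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Drupal paths whose use implies a login attempt or an authenticated privileged session.
SENSITIVE_PREFIXES = ("/user/login", "/admin")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def sensitive_activity(log_text):
    """Group requests to login/admin paths by client IP; unparseable lines are skipped."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            by_ip[rec["ip"]].append(rec)
    return by_ip


def suspicious_ips(log_text, known_ips=KNOWN_ADMIN_IPS):
    """Return IPs that reached /admin pages (HTTP status below 400) and are not on the allowlist.

    For each flagged IP the summary records when it first reached an admin page, how many
    admin requests it made, and which user-agents it presented, which is what a site owner
    needs when asking the host to block an address and when correlating with Drupal's own
    watchdog log for the same time window.
    """
    flagged = {}
    for ip, recs in sensitive_activity(log_text).items():
        admin_hits = [r for r in recs if r["path"].startswith("/admin") and r["status"] < 400]
        if admin_hits and ip not in known_ips:
            flagged[ip] = {
                "first_seen": min(r["ts"] for r in admin_hits).isoformat(),
                "admin_requests": len(admin_hits),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_ips(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log by reading the file into `log_text`; the allowlist approach only works if admin logins normally come from a small, stable set of addresses, so anyone who administers from a changing home IP should treat a flagged entry as a lead to check against Drupal's watchdog entries rather than as proof on its own.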
Your CP should have the logs of the visits.
So you can check that there. More importantly, find out the reason for it. I would recommend you check whether you are running the latest, updated version of the web application. Good luck
Is your Drupal installation updated? I know a user of ours had their site compromised a couple weeks ago and their admin password was changed so they couldn't get into the site and a couple new users were added. Not exactly what happened with you, but certainly similar. They were running an outdated Drupal version.