Question

How to prevent site Hacks during the current "hacking war"

Asked by: WEBuilder

I have a few clients that are Israel-based, and according to the news there are many terrorist groups that are working hard right now to hack Israeli sites. I just had one site get hacked: the hacker placed a new index.html file on the server, and his content came up instead of my client's.

How did he do this? It wasn't an SQL injection attack - I am used to those. This site was hacked previously, and I changed the password to a new one that contained upper case, lower case, numbers and symbols. Is it possible they discovered the password again?

How can I best protect this client against future hacks? Do any "hacker proof" services work?

Thanks.

Lev

This Question has been solved and asker verified.


Asked On: 2009-01-05 at 23:16:38 (ID 24027501)
Tags: FTP, HSPHERE, HACK, WEBSITE
Topics: Networking Security Vulnerabilities, Microsoft IIS Web Server, File Transfer Protocol (FTP)
Participating Experts: 3
Points: 500
Comments: 10

Answers

 

by: NeoDiffusion, posted on 2009-01-06 at 00:20:23, ID: 23302609

Hello,


The hack source is probably:
"This site was hacked previously, and I changed the password to a new one that contained upper case, lower case, numbers and symbols."

--> At which level have you modified the password(s)? (FTP? backend? htaccess? ...)

The previous hackers probably left more than an index.html file, namely one or more backdoors. My recommendation:

  • sanity: make a file snapshot (zip the whole site) and copy it locally. Bitwise compare it with a copy you know to be safe (from well before the first attack). This is a lot of work and requires a reliable archive; an alternative is to run antivirus software on your snapshot (and possibly on a database dump). Norton Antivirus, for instance, used to know several web backdoors.
  • curative: the only way to make sure you do not leave any backdoor is to re-install the whole site from scratch. It is, however, a lot of work to get the copy site to the same level as the original one. This is how I proceed: create a mirror of the site from an empty repository. If based on a CMS, download the files again; don't trust local files. Use as few archive files as possible, and check them for unexpected content before use. Once the mirror is at the level of the original, swap them. Depending on your hosting plan, it can be as simple as 2 mv commands...
Last time I worked on an infected site, there were over 10 backdoors/spam engines on the website, and I'm still not sure I caught all of them.

Of course, it is also possible that you simply have an unfixed vulnerability. If using a CMS, look at http://secunia.com/advisories/ for security advisories.

In any case, look at the raw server logs around the time the file got modified (a few hours before/after). Look for strangely formed URLs (GET or POST). If your site didn't have an index.html before the attack, look at the first mention of "index.html" to see the attack point...

Good Luck,

Werner.

 

by: servoadmin, posted on 2009-01-06 at 01:20:57, ID: 23302835

If you try to protect your server in 100 ways, hackers try to find a 101st way to intrude into the server... It's a race that will stay on till the end.... As of now, the hack attempt carried out on your site can be achieved by:

1. WebDAV (HTTP compromise)
2. Trojan through compromised CSS files in your server.
3. Weak passwords (if you look in depth, sites that were hacked should have had very weak passwords on that server... We have seen that sites on the same server with strong passwords escaped from this kind of attack)
4. Scripts and executables enabled with backdoor trojan attack...
5. NO FIREWALL IN YOUR SERVER.
6. Sites or users having permission over "CMD"
7. EXE file execution allowed.
8. Make sure to scan your server thoroughly... Most Trojan or virus files are hidden or attached in zip files and CSS scripts... check them.....
9. Have a very strong password..

Last but not at all the least.... Have a firewall installed in your server and spot the attacker's IP from the HTTP request used to upload the files (using the PUT method) in the IIS logs and block them immediately...

You can very well trace the IP location and ISP from their IP and block a whole IP range for safety...

I would not like to recommend any firewall.. But I have personally used Visnetic Firewall (3) when 5 of our servers came under attack.... The best part is that I had a chance to chat with the hacker as and when he was uploading the files to our server, and I could not stop him finally till I banned his IP in the FW.... So be careful, USE FIREWALL FIREWALL and scan the server with the latest security and AV updates...
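Both answers so far point at the same evidence: the raw IIS log, the first request that touched index.html, and the client IP behind any PUT (or other write-capable) request in the hours around the modification. The script below is an added example for this thread, not code from either answer author; it parses the W3C extended format IIS writes (reading the field list from the `#Fields:` header rather than assuming column positions), finds the first mention of the target file, and lists the write requests and their source IPs inside a time window around it. The log excerpt is constructed for the example (RFC 5737 documentation addresses, invented timestamps), and the set of methods treated as writes is the standard HTTP/WebDAV set, an assumption the reader can adjust.

```python
from datetime import datetime, timedelta

# IIS W3C extended log excerpt, constructed for this example (not from the asker's server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-01-06 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-05 20:12:44 10.0.0.5 GET /default.asp - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-01-06 00:58:11 10.0.0.5 GET /default.asp - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-01-06 01:05:40 10.0.0.5 OPTIONS / - 80 - 203.0.113.77 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2009-01-06 01:06:02 10.0.0.5 PUT /index.html - 80 - 203.0.113.77 Microsoft-WebDAV-MiniRedir/5.1.2600 201 0 0
2009-01-06 01:06:30 10.0.0.5 GET /index.html - 80 - 198.51.100.4 Mozilla/4.0 200 0 0
"""

# HTTP and WebDAV methods that can create, change or remove content on the server (assumption).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_iis_log(text: str) -> list:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field layout can change between log files
            continue
        if not line or line.startswith("#"):
            continue                       # other directives and blank lines
        values = line.split()              # IIS replaces spaces inside values with '+'
        if fields is None or len(values) != len(fields):
            continue                       # malformed or truncated line: skip rather than guess
        record = dict(zip(fields, values))
        record["timestamp"] = datetime.strptime(
            record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")
        records.append(record)
    return records


def triage(records: list, target_uri: str, window: timedelta = timedelta(hours=2)) -> dict:
    """Locate the first request for target_uri, then collect every write-capable
    request within +/- window of it together with the client IPs that sent them."""
    first = next((r for r in records if r["cs-uri-stem"].lower() == target_uri.lower()), None)
    if first is None:
        return {"first_mention": None, "write_requests": [], "ips_to_review": {},
                "requests_in_window": 0}
    low, high = first["timestamp"] - window, first["timestamp"] + window
    in_window = [r for r in records if low <= r["timestamp"] <= high]
    writes = [r for r in in_window if r["cs-method"].upper() in WRITE_METHODS]
    ips = {}
    for r in writes:
        ips[r["c-ip"]] = ips.get(r["c-ip"], 0) + 1
    return {
        "first_mention": {"time": first["timestamp"].isoformat(sep=" "),
                          "method": first["cs-method"], "ip": first["c-ip"]},
        "write_requests": [(r["timestamp"].isoformat(sep=" "), r["cs-method"],
                            r["cs-uri-stem"], r["c-ip"], r["sc-status"]) for r in writes],
        "ips_to_review": ips,
        "requests_in_window": len(in_window),
    }


if __name__ == "__main__":
    result = triage(parse_iis_log(SAMPLE_LOG), "/index.html")
    print("first mention:", result["first_mention"])
    for entry in result["write_requests"]:
        print("write request:", entry)
    print("source IPs to review:", result["ips_to_review"])
```

On a real server, read the `ex*.log` files for the day in question and call `triage(parse_iis_log(open(path).read()), "/index.html")`. A 201 status on a PUT, as in the constructed sample, means the upload succeeded, so that request and its `c-ip` are the place to start. The script can only work on logs that survived; as the asker found later in this thread, an intruder with enough access will delete them, which is the case for copying logs off the host as they are written.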

 

by: WEBuilder, posted on 2009-01-06 at 01:37:25, ID: 23302885

I went to look at the log files, but they were all erased!

The files that still remained had a date of 6-Jan-09 01:08 as the first time, and the index file from the hacker was at 01:06! So after depositing the index.asp, they deleted the logs.

Not good.

I am looking at the other solutions, such as confirming that there are no extra files.

 

by: NeoDiffusion, posted on 2009-01-06 at 02:09:07, ID: 23303012

> I went to look at the log files, but they were all erased!
This is already information in itself: they got admin "access" on your server, not only as user apache (or whatever, depending on the configuration you're running).

For the fix, a fresh (server) install, not forgetting to check for security updates, is the most efficient one, but this is a lot of work.

To prevent future attacks, look at servoadmin's advice.

An alternative is to go for a hosted service, provided you can afford this (technical, commercial and policy requirements), where you delegate all server level maintenance and focus on the "application" layer.

 

by: Tolomir, posted on 2009-01-06 at 02:27:46, ID: 23303095

It might be a good start to use a log server that gets all the logs from your websites.

Combine http://www.balabit.com/network-security/syslog-ng/ with a ssh tunnel.

Tolomir

 

by: servoadmin, posted on 2009-01-06 at 02:40:13, ID: 23303143

Cool... never mind... Just check the latest forums or post the attacker's notes here so that we can find some information on the net or general forums where someone might have posted their IP address for others to save their servers...

 

by: servoadmin, posted on 2009-01-06 at 02:46:55, ID: 23303170

-----> Is this relevant... Hacker's notes similar to the one in your server...

http://www.zionismontheweb.org/hackers/attacked/

----> If the above is true, check the below notes for IP addresses and block them...

http://www.zionismontheweb.org/hackers/attacked/ip_address.htm

 

by: WEBuilder, posted on 2009-01-06 at 03:15:26, ID: 23303314

Tolomir: I am on a shared hsphere server. Does the log solution work in such a situation or not?

Hacked index file is attached

<html>
<head>
<title>:: Hacked by CWD@rBe for islam for gazza for palastine ::</title>
<meta http-equiv="Content-Type" content="text/html; charset=">
</head>
<td height="65"> 
      <div align="center"><font color="#FFFFFF"><b><font face="Arial, Helvetica, sans-serif" size="6" color="#FF0000">&quot; 
Hacked by CWD@rBe"" <br>
""Turkish Cyber Hizbullah Militan"" <br> HAMASA SELAM DÝRENÝÞE DEVAM !!!
<br>ALLAHU AKBARRR !!! <br>ALLAHU AKBARRR !!!<br>ALLAHU AKBARRR !!!</font></b></font></div>
    </td>
 
    </tr>
    <tr>
<body bgcolor="#000000" text="#000000">
<table width="75%" border="1" align="center" bordercolor="#999999">
  <tr> 
 
      
    <td><img src="http://img399.imageshack.us/img399/3396/imzarq1mo4.jpg" width="630" height="198"></td>
    </tr>
    <tr>
      <td>
 
        
      <div align="center"><img src="http://www.islamigundem.com/images/stories/haber/manset/gazze_icin_ayaga.gif" width="540" height="292"></div>
      </td>
    </tr>
    <tr>
 
 <div align="center"><img src="http://site.mynet.com/sehidlerolmez/mynet_resimlerim/israilbayrak.gif" width="150" height="112"></div>
      </td>
    </tr>
    <tr>
      
    <td height="65"> 
      <div align="center"><font color="#FFFFFF"><b><font face="Arial, Helvetica, sans-serif" size="4" color="#FF0000">&quot; 
Allah ve Rasulune karsi savasan ve yeryuzunde fesat cikarmaya calisanlarin cezasi, 
        ancak oldurulmeleri veya asilmalari yahut ayak ve ellerinin caprazlama 
        kesilmesi, ya da yeryuzunde baska bir yere surgun edilmeleridir. Bu, dunyada 
        onlar icin bir zillettir. Ahirette ise onlar icin buyuk bir azab vardir.&quot; 
        [Maide: 33]</font></b></font></div>
    </td>
 
    </tr>
    <tr>
      
    <td height="74"> 
      <div align="center"><font color="#FFFFFF" face="Arial, Helvetica, sans-serif" size="2"><b><font size="4" color="#FF0000">&quot;The 
        punishment of those who wage war against Allah and His Messenger, and 
        strive</font><font size="4"> <font color="#FF0000">with might and main 
        for mischief through the land is: execution, or crucifixion, or the cutting 
        off of hands and feet from opposite sides, or exile from the land: that 
        is their disgrace in this world, and a heavy punishment is theirs in the 
        Hereafter&quot;<br>
        [Al-Maida: 33] Allahu Akbar!!!</font></font></b></font></div>
    </td>
    </tr>
 
    <tr>
      
    <td>&nbsp;</td>
    </tr><p align="center">
    </p>
  </table>
<BGSOUND SRC="http://www.tur-as.com/kudusgunu.mp3" LOOP=50>
</body>


 

by: servoadmin, posted on 2009-01-06 at 03:37:11, ID: 23303403

Among other CPs, Hsphere is always prone to hackers, and once compromised it leads to big probs as this is the cluster CP (Win + Lin).. I guess the PWDs are not at all strong and it allows users to have any PWD... very simple... unlike other CPs that force users to have strong PWDs....
