bengoa
asked on
Web Server Hacked
Hi all,
Yesterday, our web server was compromised by Turkish Hackers. They were able to deface (on a secondary page) all of them with a message showing the Turkish flag and reporting: "Turkish Defacers"
Although I found a lot of blogs about this matter on the web, none of them seem to give a solution as to how they would gain access to the sites. Do you all have any recommendations? Thank you.
ASKER CERTIFIED SOLUTION
Step #1: Back up the systems to CD/DVD/tape/whatever and store the backups somewhere safe. You'll need these if there is ever a prosecution.
Step #2: Back up the systems again and use this set of backups for your investigation. It may help to load
Step #3: Reload all the software on the compromised systems, plus all the latest and greatest patches.
Step #4: If you can't figure out how they broke into your system, hire someone who can. Most security consultancies have a forensics area.
Step #5: Once you figure it out, fix any remaining issues uncovered, inform appropriate authorities, or whatever else you need to do.
Assuming you're running Windows, get MBSA from:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and run it to view what security patches and other things you might be missing.
Check your logs for sure (/var/log/messages if on Linux) and look for strings like "ATTEMPT" or "intrusion". Also, since they already have access, check for the history of logins and commands that are being run -- you might be able to find out which user account they are using to exploit your network or which commands they've used to do so.
Check your firewall to make sure that your machine is protected (disabled unused services, etc..) and make sure that users are using secure passwords.
If you let us know what OS you are using we may be able to give more suggestions of ways to check your system and also specifically how to do some of the steps we've mentioned.
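An added example (not posted by anyone in this thread) of the log check described in the answer above: it scans syslog-style lines for the keywords mentioned, tallies failed and accepted logins per account and source address, and flags any successful login from an address that was also seen failing. The sample lines are constructed and assume the OpenSSH sshd message format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the original post); sshd format assumed.
SAMPLE_LOG = """\
Mar  3 02:11:07 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 51822 ssh2
Mar  3 02:11:09 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 51822 ssh2
Mar  3 02:11:12 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.9 port 51830 ssh2
Mar  3 02:12:40 web1 sshd[2230]: Accepted password for webadmin from 203.0.113.9 port 51901 ssh2
Mar  3 03:01:15 web1 ftpd[2301]: ATTEMPT to create /var/www/html/index.htm denied
Mar  3 09:30:02 web1 sshd[2410]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
"""

KEYWORDS = ("ATTEMPT", "intrusion")  # strings the answer suggests grepping for
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")


def triage(log_text):
    """Summarise login activity and keyword hits in syslog-style text."""
    failed = Counter()            # (user, source ip) -> number of failed attempts
    accepted = defaultdict(list)  # user -> [(source ip, auth method)]
    flagged = []                  # lines containing one of KEYWORDS
    for line in log_text.splitlines():
        if any(k.lower() in line.lower() for k in KEYWORDS):
            flagged.append(line)
        m = FAILED.search(line)
        if m:
            failed[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[m.group(2)].append((m.group(3), m.group(1)))
    # A successful login from an address that was also failing is the case to look at first.
    suspicious_ips = {ip for (_, ip) in failed}
    suspect_logins = [(user, ip) for user, hits in accepted.items()
                      for ip, _ in hits if ip in suspicious_ips]
    return {"failed": dict(failed), "accepted": dict(accepted),
            "flagged": flagged, "suspect_logins": suspect_logins}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Point it at a copy of /var/log/messages or the auth log taken from the investigation backup, not the live box, so the original timestamps and file contents stay intact.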