Web Server Hacked

Hi all,

Yesterday, our web server was compromised by Turkish Hackers. They were able to deface (on a secondary page) all of them with a message showing the Turkish flag and reporting: "Turkish Defacers"

Although I found a lot of blogs about this matter on the web, none of them seem to give a solution as to how they would gain access to the sites. Do you all have any recommendations? Thank you.
My first question would be which Web Server are you using?

You need to look in the logs of the web server. They could have exploited some vulnerability in your web server's service running on port 80, and were able to access the root.

If you are using Windows, then event logs and IIS logs will give you a very good picture of what they did and which service was compromised.

First you backup your event logs in windows, so that they should not be lost.

Then, you need to start looking at each entry one by one. Start from 2-3 days before the actual hack took place. Hackers generally first test their target before doing the actual break-in.

See if some service was overloaded. Look at what kind of HTTP requests were sent to your web server.

The only other possible way to intrude is to compromise some other service running on the same server or on any other server in the same subnet.

Do you have any other server running FTP, SMTP, POP3, etc.?

What kind of firewall do you have in place? One thing you can be sure of is that they used a port which is open on the firewall.
So you need to check each and every place which is opened for public access.

One more thing could be possible: someone inside your network accidentally installed a trojan on his machine and then this machine was controlled by the hackers. In this case they can do whatever they want without actually coming inside your network. They could have directed the zombie machine to carry out their tasks.

See if you can find some IP address or URL which was accessed frequently. This could be an indication of a zombie machine trying to connect to their controller.

Doing this kind of analysis is a time consuming task.
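The log review described in this answer (going back a few days before the defacement, looking at which hosts probed the server and what HTTP requests they sent) is tedious by hand. The following is an added example, not code from the thread, of a small triage script that does the first pass: it parses a web server access log, summarizes activity per source IP, and flags requests that a normal visitor to a public site would not send. The log lines are constructed samples in Apache/NCSA combined format; an IIS W3C log has a different layout and would need its own parser.

```python
"""Access-log triage for a defaced web server (added example, not from the thread).

Parses Apache/NCSA combined-format lines, summarizes requests per source IP,
and flags requests that look like reconnaissance or an upload rather than
normal browsing.  The sample log below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: one host probes admin paths two days before the
# defacement, then returns and POSTs to an upload script.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2007:02:11:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:02:11:06 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:02:11:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:02:11:08 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2007:09:30:00 +0000] "GET /news.html HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2007:23:58:41 +0000] "POST /upload.asp HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2007:23:59:02 +0000] "GET /news/index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_by_ip(entries):
    """Per source IP: request count, 4xx/5xx count, first timestamp, distinct paths."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "first_seen": None, "paths": set()})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        if s["first_seen"] is None:
            s["first_seen"] = e["ts"]
        if e["status"][0] in "45":
            s["errors"] += 1
    return dict(stats)


def suspicious_requests(entries):
    """Flag requests that are unusual for visitors of a static public site."""
    flagged = []
    for e in entries:
        reasons = []
        if e["method"] not in ("GET", "HEAD"):
            reasons.append("non-GET method")
        lowered = e["path"].lower()
        if ".." in lowered or "%2e%2e" in lowered:
            reasons.append("path traversal pattern")
        if lowered.rstrip("/").endswith(("/admin", "/phpmyadmin")):
            reasons.append("admin interface probe")
        if reasons:
            flagged.append((e["ip"], e["ts"], e["method"], e["path"], reasons))
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, s in sorted(summarize_by_ip(entries).items(), key=lambda kv: -kv[1]["errors"]):
        print(f"{ip:16} requests={s['requests']:3} errors={s['errors']:3} first seen {s['first_seen']}")
    print()
    for ip, ts, method, path, reasons in suspicious_requests(entries):
        print(f"{ts}  {ip:16} {method:5} {path:25} {', '.join(reasons)}")
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents; hosts that rank high on errors and show up days before the defacement are the ones to pull every line for.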
A lot of times they will scan networks for any other services running on the machine (like SSH for example) and then guess username/password combinations to find poorly set passwords and gain access.  If they can get in through SSH then they can often manipulate your webpages from there.

Check your logs for sure (/var/log/messages if on Linux) and look for strings like "ATTEMPT" or "intrusion".  Also, since they already have access, check for the history of logins and commands that are being run -- you might be able to find out which user account they are using to exploit your network or which commands they've used to do so.

Check your firewall to make sure that your machine is protected (disabled unused services, etc..) and make sure that users are using secure passwords.

If you let us know what OS you are using we may be able to give more suggestions of ways to check your system and also specifically how to do some of the steps we've mentioned.
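This answer's SSH angle (repeated username/password guessing followed by a successful login) leaves a distinctive trace in the sshd entries of the syslog-format auth log. The script below is an added example, not from the thread, that reads such entries, counts failed logins per source, and reports any accepted login that came from a source with several prior failures. The lines are constructed samples in the format sshd writes to /var/log/auth.log or /var/log/secure (the answer mentions /var/log/messages; where sshd logs depends on the syslog configuration).

```python
"""sshd auth-log triage (added example, not from the thread).

Scans syslog-format sshd lines for failed logins per source IP and for
accepted logins preceded by a run of failures from the same IP, which is
the signature of a successful password-guessing attempt.  The sample log
is constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample: four failures from one host, then an accepted password
# login as "www"; a separate legitimate key login and one typo'd password.
SAMPLE_AUTH_LOG = """\
Mar 10 02:15:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Mar 10 02:15:04 web1 sshd[2013]: Failed password for invalid user test from 203.0.113.7 port 4023 ssh2
Mar 10 02:15:07 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 4024 ssh2
Mar 10 02:15:10 web1 sshd[2017]: Failed password for www from 203.0.113.7 port 4025 ssh2
Mar 10 02:15:13 web1 sshd[2019]: Accepted password for www from 203.0.113.7 port 4026 ssh2
Mar 10 08:00:00 web1 sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar 10 08:05:12 web1 sshd[2310]: Failed password for alice from 192.0.2.10 port 51010 ssh2
"""

# "Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2" and
# "Accepted publickey for alice from 192.0.2.10 port 51000 ssh2" both match.
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<auth>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def parse_sshd(text):
    """Return a list of login events (ts, result, auth method, user, ip); other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_ip(events):
    """Count failed logins by source IP."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def accepted_logins(events):
    """All successful logins as (ip, user, auth method, ts), for a quick review of who got in."""
    return [(e["ip"], e["user"], e["auth"], e["ts"]) for e in events if e["result"] == "Accepted"]


def guessed_logins(events, threshold=3):
    """Accepted logins from an IP that had at least `threshold` failures before it.

    Events are processed in log order, so only failures that precede the
    success count; a user mistyping a password after a key login does not.
    """
    failures = Counter()
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    events = parse_sshd(SAMPLE_AUTH_LOG)
    for ip, n in failures_per_ip(events).most_common():
        print(f"{ip:16} failed logins: {n}")
    for ip, user, ts in guessed_logins(events):
        print(f"likely guessed password: {user}@{ip} at {ts}")
```

Once a guessed account is identified, that user's shell history and the `last`/`lastlog` output are the next places to look for the commands the intruder ran, as the answer suggests.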
Step #1: Backup the systems to CD/DVD/tape/whatever and store the backups somewhere safe. You'll need these if there is ever a prosecution.

Step #2: Backup the systems again and use this set of backups for your investigation. It may help to load

Step #3: Reload all the software on the compromised systems, plus all the latest and greatest patches.

Step #4: If you can't figure out how they broke into your system, hire someone who can. Most security consultancies have a forensics area.

Step #5: Once you figure it out, fix any remaining issues uncovered, inform appropriate authorities, or whatever else you need to do.
Assuming you're running Windows, get MBSA from:


and run it to view what security patches and other things you might be missing.