Web Server Hacked

Posted on 2006-06-05
Medium Priority
Last Modified: 2010-04-11
Hi all,

Yesterday, our web server was compromised by Turkish Hackers. They were able to deface (on a secondary page) all of them with a message showing the Turkish flag and reporting: "Turkish Defacers"

Although I found a lot of blogs about this matter on the web, none of them seem to give a solution as to how they would gain access to the sites. Do you all have any recommendations? Thank you.
Question by:bengoa

Accepted Solution

prashsax earned 1500 total points
ID: 16834429
My first question would be which Web Server are you using?

You need to look in the logs of the web server. They could have exploited some vulnerability in your web server's service running on port 80, and were able to access the root.

If you are using Windows, then event logs and IIS logs will give you a very good picture of what they did and which service was compromised.

First, back up your event logs in Windows so that they are not lost.

Then, you need to start looking at each entry one by one. Start from 2-3 days before the actual hack took place. Hackers generally first test their target before doing the actual break-in.

See if some service was overloaded. Look at what kind of HTTP requests were sent to your web server.

The only other possible way to intrude is to compromise any other service running on the same server or any other server in the same subnet.

Do you have any other servers running FTP, SMTP, POP3, etc.?

What kind of firewall do you have in place? One thing you can be sure of is that they used a port which is open on the firewall.
So you need to check each and every place which is open for public access.

One more thing could be possible: someone inside your network accidentally installed a trojan on his machine and then this machine was controlled by the hackers. In this case they can do whatever they want without actually coming inside your network. They could have directed the zombie machine to carry out their tasks.

See, if you can find some IP address or URL which was accessed frequently. This could be an indication of a zombie machine trying to connect to their controller.

Doing this kind of analysis is a time consuming task.
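The log review the answer above describes (start a few days before the defacement, look for probing, odd HTTP requests and a single source that keeps coming back) can be automated. The following is an added example, not code from the thread: it parses the W3C extended format that IIS 6 writes, then scores each client IP on pre-attack signals (bursts of 404s across many distinct paths), WebDAV verbs that can write files to the site, and request strings that decode to directory traversal or a command shell. The log lines embedded in it are constructed sample data, not a real capture, and the column layout is assumed to be the default IIS 6 `#Fields` line.

```python
"""Triage an IIS W3C log for scanning and exploitation attempts (added example)."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log in IIS 6 W3C extended format (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-02 10:15:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-06-02 10:15:09 10.0.0.5 GET /about.html - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-06-02 23:41:02 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 - 404 0 2
2006-06-02 23:41:03 10.0.0.5 GET /phpmyadmin/ - 80 - 198.51.100.7 - 404 0 2
2006-06-02 23:41:03 10.0.0.5 GET /cgi-bin/ - 80 - 198.51.100.7 - 404 0 2
2006-06-02 23:41:04 10.0.0.5 GET /scripts/ - 80 - 198.51.100.7 - 404 0 2
2006-06-02 23:41:05 10.0.0.5 GET /_vti_bin/ - 80 - 198.51.100.7 - 404 0 2
2006-06-02 23:41:06 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 - 404 0 2
2006-06-03 01:12:44 10.0.0.5 OPTIONS / - 80 - 198.51.100.7 - 200 0 0
2006-06-03 01:12:45 10.0.0.5 PROPFIND / - 80 - 198.51.100.7 - 207 0 0
2006-06-04 02:03:18 10.0.0.5 PUT /news/default.htm - 80 - 198.51.100.7 - 201 0 0
2006-06-04 02:03:20 10.0.0.5 GET /news/default.htm - 80 - 198.51.100.7 - 200 0 0
"""

# Verbs that can create or change site content when WebDAV is enabled on IIS.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
RECON_METHODS = {"OPTIONS", "PROPFIND", "TRACE"}
# Substrings that, after URL decoding, indicate traversal or a command shell.
BAD_TOKENS = ("../", "..\\", "cmd.exe", "system32", "xp_cmdshell", "<script")

def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow '#Fields:'
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated or corrupt line; skip it
        records.append(dict(zip(fields, values)))
    return records

def decode_uri(stem, query):
    """Decode twice: IIS-era attacks double-encoded to slip past filters."""
    raw = stem if query == "-" else f"{stem}?{query}"
    return unquote(unquote(raw)).lower()

def triage(records):
    """Score each client IP and list the individual requests worth a look."""
    per_ip = defaultdict(lambda: {"requests": 0, "404s": 0, "paths": set(), "writes": 0})
    suspicious = []
    for r in records:
        ip, method = r["c-ip"], r["cs-method"].upper()
        uri = decode_uri(r["cs-uri-stem"], r["cs-uri-query"])
        stats = per_ip[ip]
        stats["requests"] += 1
        stats["paths"].add(r["cs-uri-stem"])
        if r["sc-status"] == "404":
            stats["404s"] += 1
        reasons = []
        if method in WRITE_METHODS:
            stats["writes"] += 1
            reasons.append(f"write method {method} (status {r['sc-status']})")
        elif method in RECON_METHODS:
            reasons.append(f"recon method {method}")
        hits = [t for t in BAD_TOKENS if t in uri]
        if hits:
            reasons.append("payload tokens " + ",".join(hits))
        if reasons:
            suspicious.append((r["date"] + " " + r["time"], ip, method,
                               r["cs-uri-stem"], "; ".join(reasons)))
    # Rank sources by probing behaviour: any writes, then 404 volume, then path spread.
    ranked = sorted(per_ip.items(),
                    key=lambda kv: (kv[1]["writes"], kv[1]["404s"], len(kv[1]["paths"])),
                    reverse=True)
    return {"suspicious": suspicious, "ranked_ips": [ip for ip, _ in ranked], "per_ip": per_ip}

if __name__ == "__main__":
    result = triage(parse_iis_log(SAMPLE_LOG))
    for when, ip, method, path, why in result["suspicious"]:
        print(f"{when} {ip:15} {method:8} {path:40} {why}")
    print("most suspicious source:", result["ranked_ips"][0])
```

Run it against the real logs by reading each daily `ex*.log` from the IIS log directory into `parse_iis_log`; a source that scans many paths with 404s one night and then issues a `PUT` that succeeds with 201 is the pattern to look for first.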

Expert Comment

ID: 16834664
A lot of times they will scan networks for any other services running on the machine (like SSH for example) and then guess username/password combinations to find poorly set passwords and gain access.  If they can get in through SSH then they can often manipulate your webpages from there.

Check your logs for sure (/var/log/messages if on Linux) and look for strings like "ATTEMPT" or "intrusion".  Also, since they already have access, check for the history of logins and commands that are being run -- you might be able to find out which user account they are using to exploit your network or which commands they've used to do so.

Check your firewall to make sure that your machine is protected (disabled unused services, etc..) and make sure that users are using secure passwords.

If you let us know what OS you are using we may be able to give more suggestions of ways to check your system and also specifically how to do some of the steps we've mentioned.
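The comment above suggests grepping the system log for attack strings; what a grep will not show is whether the password guessing actually succeeded. The following is an added example, not code from the thread: it walks syslog-style `sshd` lines of the kind found in `/var/log/messages` or `/var/log/auth.log`, counts failed passwords and the user names tried per source IP, and flags any source whose run of failures ended in an `Accepted password` line. The log lines are constructed samples in the format OpenSSH emits, not real data; the threshold of five failures is an assumption to tune.

```python
"""Spot SSH password guessing in sshd syslog lines, and whether it won (added example)."""
import re
from collections import defaultdict

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
ILLEGAL = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")

# Constructed sample lines in OpenSSH syslog format (not real data).
SAMPLE_LINES = """\
Jun  4 02:55:01 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 40122 ssh2
Jun  4 02:55:03 web1 sshd[2212]: Illegal user admin from 203.0.113.9
Jun  4 02:55:03 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.9 port 40131 ssh2
Jun  4 02:55:05 web1 sshd[2214]: Illegal user test from 203.0.113.9
Jun  4 02:55:05 web1 sshd[2214]: Failed password for invalid user test from 203.0.113.9 port 40140 ssh2
Jun  4 02:55:08 web1 sshd[2216]: Failed password for webadmin from 203.0.113.9 port 40151 ssh2
Jun  4 02:55:10 web1 sshd[2218]: Failed password for webadmin from 203.0.113.9 port 40160 ssh2
Jun  4 02:55:12 web1 sshd[2220]: Failed password for webadmin from 203.0.113.9 port 40171 ssh2
Jun  4 02:55:15 web1 sshd[2222]: Accepted password for webadmin from 203.0.113.9 port 40182 ssh2
Jun  4 02:55:15 web1 sshd[2222]: pam_unix(sshd:session): session opened for user webadmin by (uid=0)
Jun  4 08:30:44 web1 sshd[2301]: Failed password for alice from 192.0.2.44 port 51020 ssh2
Jun  4 08:30:51 web1 sshd[2303]: Accepted publickey for alice from 192.0.2.44 port 51022 ssh2
Jun  4 09:02:07 web1 sshd[2350]: Accepted password for alice from 192.0.2.44 port 51100 ssh2
"""

def analyse_sshd(lines, threshold=5):
    """Return per-IP stats plus the IPs whose guessing ended in an accepted password.

    threshold: failures that must precede an 'Accepted password' from the same
    source before it is reported (assumed value; a legitimate admin with a typo
    or two should stay below it).
    """
    stats = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users_tried"].add(user)
            continue
        m = ILLEGAL.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["users_tried"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # Remember how many failures this source had racked up before it got in.
            stats[ip]["accepted"].append((user, method, stats[ip]["failed"]))
    compromised = sorted(
        ip for ip, s in stats.items()
        if any(fails_before >= threshold and method == "password"
               for _, method, fails_before in s["accepted"]))
    return {"per_ip": stats, "compromised": compromised}

if __name__ == "__main__":
    result = analyse_sshd(SAMPLE_LINES.splitlines())
    for ip, s in result["per_ip"].items():
        print(f"{ip:15} failed={s['failed']:3} users={sorted(s['users_tried'])} accepted={s['accepted']}")
    print("guessed-password logins from:", result["compromised"])
```

Feed it the real file with `analyse_sshd(open("/var/log/auth.log"))`. A source listed under `compromised` gives you the account to examine next: its shell history, the `last` output for that user, and any files under the web root modified after the accepted login.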

Expert Comment

ID: 16834734
Step #1: Backup the systems to CD/DVD/tape/whatever and store the backups somewhere safe. You'll need these if there is ever a prosecution.

Step #2: Backup the systems again and use this set of backups for your investigation. It may help to load

Step #3: Reload all the software on the compromised systems, plus all the latest and greatest patches.

Step #4: If you can't figure out how they broke into your system, hire someone who can. Most security consultancies have a forensics area.

Step #5: Once you figure it out, fix any remaining issues uncovered, inform appropriate authorities, or whatever else you need to do.

Expert Comment

ID: 16835091
Assuming you're running Windows, get MBSA from:


and run it to view what security patches and other things you might be missing.

Question has a verified solution.