Web Server Hacked

Posted on 2006-06-05
Last Modified: 2010-04-11
Hi all,

Yesterday, our web server was compromised by Turkish Hackers. They were able to deface (on a secondary page) all of them with a message showing the Turkish flag and reporting: "Turkish Defacers"

Although I found a lot of blogs about this matter on the web, none of them seem to give a solution as to how they would gain access to the sites. Do you all have any recommendations? Thank you.
Question by:bengoa
    LVL 13

    Accepted Solution

    My first question would be which Web Server are you using?

    You need to look in the logs of the web server. They could have exploited some vulnerability in your web server's service running on port 80, and were able to access the root.

    If you are using Windows, then event logs and IIS logs will give you a very good picture of what they did and which service was compromised.

    First, back up your event logs in Windows so that they are not lost.

    Then, you need to start looking at each entry one by one. Start from 2-3 days before the actual hack took place. Hackers generally first test their target before doing the actual break-in.

    See if some service was overloaded. Look at what kind of HTTP requests were sent to your web server.

    The only other possible way to intrude is to compromise any other service running on the same server or any other server in the same subnet.

    Do you have any other server running FTP, SMTP, POP3 etc.?

    What kind of firewall do you have in place? One thing you can be sure of is that they used a port which is open on the firewall.
    So you need to check each and every place which is opened for public access.

    One more thing could be possible: someone inside your network accidentally installed a trojan on his machine and then this machine was controlled by the hackers. In this case they can do whatever they want without actually coming inside your network. They could have directed the zombie machine to carry out their tasks.

    See if you can find some IP address or URL which was accessed frequently. This could be an indication of a zombie machine trying to connect to their controller.

    Doing this kind of analysis is a time consuming task.
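The answer above says to go back 2-3 days in the web server logs, look at what HTTP requests were sent, and find IP addresses that show up frequently. As an added example (not code from the answerer or from any IIS tool), here is a small Python triage script over IIS W3C extended log lines. The log lines are constructed for this example; the `#Fields` header drives the column names, so the same parser works for other field orders. It counts requests per client IP, the share of 4xx/5xx responses (many 404s in a short burst is what a probe for known vulnerable paths looks like), and the first date each client appeared, then prints the timeline of any client that looks like a scanner. The thresholds (`min_requests`, `min_error_ratio`) are assumptions to tune against your own traffic.

```python
"""Triage of IIS W3C log lines: requests per client, error ratio, first-seen date,
and a per-client timeline. All log content below is constructed sample data."""
from collections import OrderedDict

# Constructed sample in IIS W3C extended format. A #Fields line names the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-06-01 10:00:01 203.0.113.10 GET /index.htm 200
2006-06-01 10:00:05 203.0.113.10 GET /products.htm 200
2006-06-02 02:14:11 198.51.100.7 GET /scripts/ 404
2006-06-02 02:14:12 198.51.100.7 GET /_vti_bin/ 404
2006-06-02 02:14:13 198.51.100.7 GET /admin/ 404
2006-06-02 02:14:14 198.51.100.7 GET /msadc/ 404
2006-06-02 02:14:15 198.51.100.7 GET /cgi-bin/ 404
2006-06-03 09:30:00 203.0.113.22 GET /about.htm 200
2006-06-04 03:05:40 198.51.100.7 POST /upload.asp 200
2006-06-04 03:05:41 198.51.100.7 GET /news/index.htm 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if line.startswith("#"):
            continue                           # #Software, #Date, ... carry no requests
        if fields is None:
            raise ValueError("request line appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                           # skip a malformed line, keep analysing
        yield dict(zip(fields, values))


def summarize_by_client(text):
    """Per client IP: total requests, 4xx/5xx count, first date seen, distinct URIs."""
    stats = OrderedDict()
    for rec in parse_iis_log(text):
        s = stats.setdefault(rec["c-ip"], {"total": 0, "errors": 0,
                                           "first_seen": rec["date"], "uris": set()})
        s["total"] += 1
        if rec["sc-status"][:1] in ("4", "5"):
            s["errors"] += 1
        s["uris"].add(rec["cs-uri-stem"])
        if rec["date"] < s["first_seen"]:      # ISO dates compare correctly as strings
            s["first_seen"] = rec["date"]
    return stats


def flag_scanners(stats, min_requests=5, min_error_ratio=0.5):
    """Clients with enough requests and a high error share look like path probing."""
    return sorted(ip for ip, s in stats.items()
                  if s["total"] >= min_requests
                  and s["errors"] / s["total"] >= min_error_ratio)


def timeline(text, ip):
    """Every request from one client, in log order, for manual review."""
    return [(r["date"], r["time"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
            for r in parse_iis_log(text) if r["c-ip"] == ip]


if __name__ == "__main__":
    stats = summarize_by_client(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:16} requests={s['total']:3} errors={s['errors']:3} "
              f"first_seen={s['first_seen']} distinct_uris={len(s['uris'])}")
    for ip in flag_scanners(stats):
        print(f"\nlikely scanner {ip}; full timeline:")
        for entry in timeline(SAMPLE_LOG, ip):
            print("  ", *entry)
```

In the constructed data the same client that probed five non-existent paths on 2006-06-02 comes back two days later with a POST to an upload page and a 200, which is exactly the "test the target first, then break in" pattern the answer describes; the timeline is what you hand to whoever is reviewing the incident.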
    LVL 8

    Expert Comment

    A lot of times they will scan networks for any other services running on the machine (like SSH for example) and then guess username/password combinations to find poorly set passwords and gain access.  If they can get in through SSH then they can often manipulate your webpages from there.

    Check your logs for sure (/var/log/messages if on Linux) and look for strings like "ATTEMPT" or "intrusion".  Also, since they already have access, check for the history of logins and commands that are being run -- you might be able to find out which user account they are using to exploit your network or which commands they've used to do so.

    Check your firewall to make sure that your machine is protected (disabled unused services, etc.) and make sure that users are using secure passwords.

    If you let us know what OS you are using we may be able to give more suggestions of ways to check your system and also specifically how to do some of the steps we've mentioned.
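The comment above describes the SSH password-guessing route and says to check the logs for failed logins and for which account is being used. As an added example (not code from the commenter), here is a Python scan over syslog-style `sshd` lines of the kind found in /var/log/messages or /var/log/auth.log. The log lines are constructed; the regular expression matches the standard "Failed password for [invalid user] X from IP" and "Accepted password/publickey for X from IP" messages. It counts failures per source address and reports any successful login from an address that had already failed at least `threshold` times, which is the signature of a guessed password; the threshold is an assumption to tune.

```python
"""Find SSH password-guessing followed by a successful login in sshd log lines.
All log lines below are constructed sample data."""
import re
from collections import Counter

# Constructed sshd messages in the syslog layout used by OpenSSH of that era.
SAMPLE_AUTH_LOG = """Jun  3 02:11:01 web sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 4011 ssh2
Jun  3 02:11:03 web sshd[2233]: Failed password for invalid user test from 198.51.100.7 port 4012 ssh2
Jun  3 02:11:05 web sshd[2235]: Failed password for root from 198.51.100.7 port 4013 ssh2
Jun  3 02:11:08 web sshd[2237]: Failed password for webadmin from 198.51.100.7 port 4015 ssh2
Jun  3 02:11:10 web sshd[2239]: Failed password for webadmin from 198.51.100.7 port 4016 ssh2
Jun  3 02:11:40 web sshd[2290]: Accepted password for webadmin from 198.51.100.7 port 4030 ssh2
Jun  3 08:00:00 web sshd[3001]: Accepted publickey for alice from 203.0.113.5 port 50122 ssh2
Jun  3 08:02:13 web sshd[3010]: Failed password for alice from 203.0.113.5 port 50130 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd(text):
    """Return a list of login events (dicts) in log order; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_by_source(events):
    """Number of failed logins per source IP, ignoring method."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def guessed_logins(events, threshold=3):
    """(ip, user) for each Accepted login preceded by >= threshold failures from that IP."""
    failures_so_far = Counter()
    hits = []
    for e in events:                       # walk in log order so only prior failures count
        if e["result"] == "Failed":
            failures_so_far[e["ip"]] += 1
        elif failures_so_far[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_sshd(SAMPLE_AUTH_LOG)
    for ip, n in failed_by_source(evs).most_common():
        print(f"{ip:16} failed logins: {n}")
    for ip, user in guessed_logins(evs):
        print(f"password for '{user}' likely guessed from {ip}; check that account's "
              f"shell history and files it touched")
```

Once the account is known, the answer's next step (history of logins and commands) applies to that user specifically: its shell history, the `last`/`lastlog` records for it, and any files it owns under the web root.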
    LVL 14

    Expert Comment

    Step #1: Backup the systems to CD/DVD/tape/whatever and store the backups somewhere safe. You'll need these if there is ever a prosecution.

    Step #2: Backup the systems again and use this set of backups for your investigation. It may help to load

    Step #3: Reload all the software on the compromised systems, plus all the latest and greatest patches.

    Step #4: If you can't figure out how they broke into your system, hire someone who can. Most security consultancies have a forensics area.

    Step #5: Once you figure it out, fix any remaining issues uncovered, inform appropriate authorities, or whatever else you need to do.
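Step #1 above keeps one set of backups untouched as possible evidence and Step #2 takes a second set to work on. A backup is only useful as evidence if you can later show it was not altered, so the usual practice is to record a cryptographic hash of every file in the preserved copy at the time it is taken. As an added example (not code from the commenter), here is a Python script that builds such a manifest in the same two-column layout `sha256sum` uses, writes it to a file, and verifies a copy against it, reporting missing and modified files. The `demo()` function builds a throw-away directory with constructed files so the whole thing runs offline; in real use you would point `build_manifest` at the mounted backup and store the manifest (and ideally its own hash) with the media.

```python
"""SHA-256 manifest of a preserved backup, plus verification of a copy against it.
The demo builds constructed sample files in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """Same 'digest  path' layout as sha256sum, so standard tools can re-check it."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_manifest(root, manifest):
    """List of (relative path, 'missing' | 'modified'); empty means the copy matches."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems.append((rel, "missing"))
        elif sha256_file(full) != expected:
            problems.append((rel, "modified"))
    return problems


def demo():
    """Build a constructed backup, manifest it, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as work:
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(backup, "wwwroot"))
        page = os.path.join(backup, "wwwroot", "index.htm")
        with open(page, "w") as f:
            f.write("<html>constructed sample of the defaced page</html>\n")
        with open(os.path.join(backup, "ex060604.log"), "w") as f:
            f.write("#Fields: date time c-ip cs-uri-stem sc-status\n")  # constructed log

        manifest = build_manifest(backup)
        manifest_path = os.path.join(work, "backup.sha256")
        write_manifest(manifest, manifest_path)
        roundtrip = read_manifest(manifest_path) == manifest
        clean = verify_manifest(backup, manifest)

        with open(page, "a") as f:                 # simulate a later alteration
            f.write("<!-- edited after imaging -->\n")
        after_tamper = verify_manifest(backup, manifest)
        return {"files": sorted(manifest), "roundtrip": roundtrip,
                "clean": clean, "after_tamper": after_tamper}


if __name__ == "__main__":
    result = demo()
    print("manifested:", result["files"])
    print("verification of untouched copy:", result["clean"] or "OK")
    print("verification after edit:", result["after_tamper"])
```

Run the manifest over the Step #1 copy before anyone starts Step #2, and keep the manifest with the media rather than on the compromised host.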
    LVL 32

    Expert Comment

    Assuming you're running Windows, get MBSA from:

    and run it to view what security patches and other things you might be missing.
