Solved

Hacked website

Posted on 2009-05-12
9
377 Views
Last Modified: 2013-11-30
I have become the sole Admin of a growing company that has had their web site hacked twice in the last month. The website is on a 2000 server at a remote location. I know very little about web sites so here are my questions.

How do I get notifications of failed attempts to access the website?

How do I stop the hacking?

I did find anonymous access enabled and I turned that off. Patches are up to date on the server and I have Trend Micro for and antivirus - no fire wall.
0
Comment
Question by:jimmylew52
  • 5
  • 4
9 Comments
 
LVL 4

Expert Comment

by:gilget
ID: 24367421
there is a various possibilites of attacks that one could run onto your server.

the range is from script attacks to brutoforcing services.

what you will need is a firewall that detects and stops basic attacks.
for the second part your gona have to check the code of your website, maybe it has outdated code that allows attackers to highjack the page.

can you give us a more exact description of how you been hacked?
got any firewall logs?
0
 
LVL 4

Expert Comment

by:gilget
ID: 24367559
you say your servers is located at a remote place, is it a serverhousing? if so, you might want to ask the provider for any firewall logs-
maybe they have a trace.
0
 
LVL 1

Author Comment

by:jimmylew52
ID: 24367929
Router logging has been disabled. The applications logs show a multitude of attempts to log in as root thru ssh. The web site logs do not show anything I can trace.

The server is in a NOC. They do not log anything to our site. The IP addresses are both traceable to china. Both the same provider.
0
 
LVL 4

Expert Comment

by:gilget
ID: 24368001
I guess they have brootforced your root password then.

You might want to reconsider using a stronger Password then.
something like: "My s3rv3r is just Aw3s0m3!"

hmm, I dont know about any freeware that does this, but any any half the way working firewall software should block IPs that are trying to bruteforce after some attempts.

At this moment, your problem is that those who have hacked you, still have access to your server, even if you change the password (cause they most likely have a keylogger installed now).

so what you would need to do is rebuild the server, with a strong password this time and with a good firewall-
^^ then dissalow all communications on all ports that you are not gona need.

you could also try and use some malware scanners to see if you find anything, but If they have done their job nicely, its gona be a hard one-


0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:jimmylew52
ID: 24368535
There is not a user "root" on the system. I don't think that is how he got in. I think he exsploited  HTTP.

No root kit has been found by the antivirus.
0
 
LVL 4

Expert Comment

by:gilget
ID: 24368607
in the log, you said you saw several attempts to login using ssh?
so I assume SSH is opened on your machine?

how much of time is between those login attempts? if its several hundert attempts with nearly no time in between, its bruteforcing.

if they exploited HTTP your gona have to go over your webcode ;/
0
 
LVL 1

Author Comment

by:jimmylew52
ID: 24369101
SSH is open and there were many (I did not count), very many attempts to do a brute force attack. I see no indication of a successful login by the brute force attack. I am looking into the ability of the antivirus/firewall to block failed attempt logins. Our passwords average 12 characters and are a good mix so cracking a password would be a long term project.

Web code is another dept. I will hand that over to them.
0
 
LVL 4

Accepted Solution

by:
gilget earned 500 total points
ID: 24369166
yeah. update that webcode.

if your 100% sure that there was no successful login (they might have deleted the record thought), then your not gona need to reset that box.
otherwise the suggestion would be a reset-rebuild.

what you also could do for a start, since you know where the bruteforce came from, you could simply block the hole provider range (as long as you have no customers sitting in that providers locations, wich may be possible for china.. ), that would help you for the first-

website hackers usually scan ip ranges for servers with vulnerability for certain script attacks, sadly lotsa of this stuff comes from asia and russia- ;/
0
 
LVL 1

Author Closing Comment

by:jimmylew52
ID: 31580654
Thanks
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now