Solved

Hacked website

Posted on 2009-05-12
Last Modified: 2013-11-30
I have become the sole admin of a growing company that has had its web site hacked twice in the last month. The website is on a 2000 server at a remote location. I know very little about web sites, so here are my questions.

How do I get notifications of failed attempts to access the website?

How do I stop the hacking?

I did find anonymous access enabled and I turned that off. Patches are up to date on the server and I have Trend Micro for antivirus - no firewall.
Question by:jimmylew52
9 Comments
 
LVL 4

Expert Comment

by:gilget
ID: 24367421
There are various possible attacks that one could run against your server.

They range from script attacks to brute-forcing services.

What you will need is a firewall that detects and stops basic attacks.
For the second part you are going to have to check the code of your website; maybe it has outdated code that allows attackers to hijack the page.

Can you give us a more exact description of how you have been hacked?
Got any firewall logs?
0
 
LVL 4

Expert Comment

by:gilget
ID: 24367559
You say your server is located at a remote place; is it a server-housing facility? If so, you might want to ask the provider for any firewall logs;
maybe they have a trace.
0
 
LVL 1

Author Comment

by:jimmylew52
ID: 24367929
Router logging has been disabled. The application logs show a multitude of attempts to log in as root through SSH. The web site logs do not show anything I can trace.

The server is in a NOC. They do not log anything for our site. The IP addresses are both traceable to China, both from the same provider.
0
 
LVL 4

Expert Comment

by:gilget
ID: 24368001
I guess they have brute-forced your root password then.

You might want to reconsider and use a stronger password.
Something like: "My s3rv3r is just Aw3s0m3!"

Hmm, I don't know about any freeware that does this, but any halfway-working firewall software should block IPs that are trying to brute-force after some attempts.

At this moment, your problem is that those who have hacked you still have access to your server, even if you change the password (because they most likely have a keylogger installed now).

So what you would need to do is rebuild the server, with a strong password this time and with a good firewall,
then disallow all communications on all ports that you are not going to need.

You could also try and use some malware scanners to see if you find anything, but if they have done their job nicely, it's going to be a hard one.


0
 
LVL 1

Author Comment

by:jimmylew52
ID: 24368535
There is not a user "root" on the system. I don't think that is how he got in. I think he exploited HTTP.

No rootkit has been found by the antivirus.
0
 
LVL 4

Expert Comment

by:gilget
ID: 24368607
In the log, you said you saw several attempts to log in using SSH?
So I assume SSH is open on your machine?

How much time is there between those login attempts? If it's several hundred attempts with nearly no time in between, it's brute-forcing.

If they exploited HTTP, you're going to have to go over your web code.
0
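The heuristic in the comment above (many failed logins with almost no time between them) can be turned into a check that runs over the SSH log itself, which also covers the author's earlier question about getting notified of failed attempts. The following is an added example and not code from this thread or from either participant. It assumes OpenSSH-style syslog lines (`sshd[...]: Failed password for ... from <ip>`), a hypothetical threshold of five failures from one source within sixty seconds, and a constructed sample log; it also reports any accepted login from a source that had failed earlier, which is the evidence the author says he could not find.

```python
"""Flag SSH brute-force sources and guessing sources that later got in.

Added example, not from the original thread. The log lines below are
constructed for illustration and mimic OpenSSH's syslog messages. The
threshold (5 failures / 60 s) is an assumption; tune it to your traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Syslog omits the year, so the
# parser assumes one; 2009 matches the thread's date.
SAMPLE_LOG = """\
May 12 03:14:01 web1 sshd[2231]: Failed password for invalid user root from 203.0.113.7 port 40122 ssh2
May 12 03:14:02 web1 sshd[2233]: Failed password for invalid user root from 203.0.113.7 port 40130 ssh2
May 12 03:14:02 web1 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
May 12 03:14:03 web1 sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
May 12 03:14:04 web1 sshd[2239]: Failed password for invalid user test from 203.0.113.7 port 40144 ssh2
May 12 03:14:05 web1 sshd[2241]: Failed password for invalid user root from 203.0.113.7 port 40150 ssh2
May 12 03:14:06 web1 sshd[2243]: Failed password for invalid user root from 203.0.113.7 port 40151 ssh2
May 12 03:14:30 web1 sshd[2250]: Accepted password for jim from 198.51.100.20 port 51000 ssh2
May 12 03:20:11 web1 sshd[2260]: Failed password for jim from 198.51.100.20 port 51020 ssh2
May 12 09:40:00 web1 sshd[2301]: Failed password for invalid user root from 203.0.113.9 port 33001 ssh2
May 12 09:40:09 web1 sshd[2303]: Accepted password for jim from 203.0.113.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2009):
    """Return a time-sorted list of (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth result line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Map each source IP to its peak failure count inside a sliding window,
    keeping only sources at or above the threshold."""
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        start, peak = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it fits window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def successes_after_failures(events, min_prior_failures=1):
    """List (ip, user, timestamp) for accepted logins from a source that had
    failed at least min_prior_failures times before. A hit here is what the
    thread is looking for: a guessing source that eventually got in."""
    prior = defaultdict(int)
    hits = []
    for ts, result, user, ip in events:
        if result == "Failed":
            prior[ip] += 1
        elif prior[ip] >= min_prior_failures:
            hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ip, n in brute_force_sources(evts).items():
        print(f"brute force: {ip} ({n} failures in one window)")
    for ip, user, ts in successes_after_failures(evts):
        print(f"REVIEW: {ip} logged in as {user} at {ts} after earlier failures")
```

Run it against the real file (`parse(open("/var/log/auth.log").read())`) rather than the sample; the second check is the one to run first, because a single accepted login from a guessing source outweighs any number of failures, and a rootkit-capable intruder may have trimmed the failures while leaving the success.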
 
LVL 1

Author Comment

by:jimmylew52
ID: 24369101
SSH is open and there were many (I did not count), very many attempts at a brute-force attack. I see no indication of a successful login by the brute-force attack. I am looking into the ability of the antivirus/firewall to block failed login attempts. Our passwords average 12 characters and are a good mix, so cracking a password would be a long-term project.

Web code is another department. I will hand that over to them.
0
 
LVL 4

Accepted Solution

by: gilget (earned 2000 total points)
ID: 24369166
Yeah, update that web code.

If you're 100% sure that there was no successful login (they might have deleted the record, though), then you're not going to need to reset that box.
Otherwise the suggestion would be a reset and rebuild.

What you also could do for a start, since you know where the brute force came from, is simply block the whole provider range (as long as you have no customers sitting in that provider's locations, which may be possible for China). That would help you for the time being.

Website hackers usually scan IP ranges for servers with vulnerabilities to certain script attacks; sadly, lots of this stuff comes from Asia and Russia.
0
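The provider-range block suggested above, with the caveat the comment attaches to it (no customers inside the range), as an added example that is not part of the thread. It assumes a hypothetical provider allocation and customer addresses taken from the documentation prefixes (`203.0.113.0/24`, `198.51.100.0/24`) as stand-ins for whatever WHOIS returns for the attacking addresses, and it emits iptables rules, which is an assumption about the firewall in front of the box; the carve-out logic is the same for any firewall that takes CIDR rules.

```python
"""Build a block list for an abusive provider range, carving out the
addresses of known customers so they are not caught by the rule.

Added example, not from the original thread. The prefixes used here are
documentation ranges standing in for a real provider allocation.
"""
import ipaddress


def block_list(provider_ranges, customer_ips):
    """Return the minimal set of networks covering provider_ranges with
    every customer address removed."""
    customers = [ipaddress.ip_address(ip) for ip in customer_ips]
    nets = [ipaddress.ip_network(cidr) for cidr in provider_ranges]
    for host in customers:
        carved = []
        for net in nets:
            if host in net:
                # split the containing network into everything but this /32
                carved.extend(net.address_exclude(ipaddress.ip_network(host)))
            else:
                carved.append(net)
        nets = carved
    # merge adjacent pieces back into the fewest possible prefixes
    return sorted(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if ip falls inside any network of the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, chain="INPUT"):
    """Render the block list as iptables DROP rules (assumed firewall)."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    # Hypothetical values: the attackers' provider range and one customer
    # who happens to sit inside it.
    attacker_provider = ["203.0.113.0/24"]
    customers = ["203.0.113.50", "198.51.100.20"]
    rules = block_list(attacker_provider, customers)
    for line in iptables_rules(rules):
        print(line)
    print("attacker blocked:", is_blocked("203.0.113.7", rules))
    print("customer blocked:", is_blocked("203.0.113.50", rules))
```

A whole-provider block is a stopgap, not a fix: the attacker only needs a host in another range, and the box is still exposed on whatever SSH and HTTP weaknesses let the guessing run in the first place. Pair it with the per-source lockout the thread already recommends and keep the customer list current, since a customer address that moves into a blocked range silently loses access.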
 
LVL 1

Author Closing Comment

by:jimmylew52
ID: 31580654
Thanks
0