Hacked website

Posted on 2009-05-12
Last Modified: 2013-11-30
I have become the sole Admin of a growing company that has had their web site hacked twice in the last month. The website is on a 2000 server at a remote location. I know very little about web sites so here are my questions.

How do I get notifications of failed attempts to access the website?

How do I stop the hacking?

I did find anonymous access enabled and I turned that off. Patches are up to date on the server and I have Trend Micro for and antivirus - no fire wall.
Question by:jimmylew52
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4

Expert Comment

ID: 24367421
there is a various possibilites of attacks that one could run onto your server.

the range is from script attacks to brutoforcing services.

what you will need is a firewall that detects and stops basic attacks.
for the second part your gona have to check the code of your website, maybe it has outdated code that allows attackers to highjack the page.

can you give us a more exact description of how you been hacked?
got any firewall logs?

Expert Comment

ID: 24367559
you say your servers is located at a remote place, is it a serverhousing? if so, you might want to ask the provider for any firewall logs-
maybe they have a trace.

Author Comment

ID: 24367929
Router logging has been disabled. The applications logs show a multitude of attempts to log in as root thru ssh. The web site logs do not show anything I can trace.

The server is in a NOC. They do not log anything to our site. The IP addresses are both traceable to china. Both the same provider.
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.


Expert Comment

ID: 24368001
I guess they have brootforced your root password then.

You might want to reconsider using a stronger Password then.
something like: "My s3rv3r is just Aw3s0m3!"

hmm, I dont know about any freeware that does this, but any any half the way working firewall software should block IPs that are trying to bruteforce after some attempts.

At this moment, your problem is that those who have hacked you, still have access to your server, even if you change the password (cause they most likely have a keylogger installed now).

so what you would need to do is rebuild the server, with a strong password this time and with a good firewall-
^^ then dissalow all communications on all ports that you are not gona need.

you could also try and use some malware scanners to see if you find anything, but If they have done their job nicely, its gona be a hard one-


Author Comment

ID: 24368535
There is not a user "root" on the system. I don't think that is how he got in. I think he exsploited  HTTP.

No root kit has been found by the antivirus.

Expert Comment

ID: 24368607
in the log, you said you saw several attempts to login using ssh?
so I assume SSH is opened on your machine?

how much of time is between those login attempts? if its several hundert attempts with nearly no time in between, its bruteforcing.

if they exploited HTTP your gona have to go over your webcode ;/

Author Comment

ID: 24369101
SSH is open and there were many (I did not count), very many attempts to do a brute force attack. I see no indication of a successful login by the brute force attack. I am looking into the ability of the antivirus/firewall to block failed attempt logins. Our passwords average 12 characters and are a good mix so cracking a password would be a long term project.

Web code is another dept. I will hand that over to them.

Accepted Solution

gilget earned 500 total points
ID: 24369166
yeah. update that webcode.

if your 100% sure that there was no successful login (they might have deleted the record thought), then your not gona need to reset that box.
otherwise the suggestion would be a reset-rebuild.

what you also could do for a start, since you know where the bruteforce came from, you could simply block the hole provider range (as long as you have no customers sitting in that providers locations, wich may be possible for china.. ), that would help you for the first-

website hackers usually scan ip ranges for servers with vulnerability for certain script attacks, sadly lotsa of this stuff comes from asia and russia- ;/

Author Closing Comment

ID: 31580654

Featured Post

Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question