Hacked website

Posted on 2009-05-12
Last Modified: 2013-11-30
I have become the sole Admin of a growing company that has had their web site hacked twice in the last month. The website is on a 2000 server at a remote location. I know very little about web sites so here are my questions.

How do I get notifications of failed attempts to access the website?

How do I stop the hacking?

I did find anonymous access enabled and I turned that off. Patches are up to date on the server and I have Trend Micro for and antivirus - no fire wall.
Question by:jimmylew52
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4

Expert Comment

ID: 24367421
there is a various possibilites of attacks that one could run onto your server.

the range is from script attacks to brutoforcing services.

what you will need is a firewall that detects and stops basic attacks.
for the second part your gona have to check the code of your website, maybe it has outdated code that allows attackers to highjack the page.

can you give us a more exact description of how you been hacked?
got any firewall logs?

Expert Comment

ID: 24367559
you say your servers is located at a remote place, is it a serverhousing? if so, you might want to ask the provider for any firewall logs-
maybe they have a trace.

Author Comment

ID: 24367929
Router logging has been disabled. The applications logs show a multitude of attempts to log in as root thru ssh. The web site logs do not show anything I can trace.

The server is in a NOC. They do not log anything to our site. The IP addresses are both traceable to china. Both the same provider.
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.


Expert Comment

ID: 24368001
I guess they have brootforced your root password then.

You might want to reconsider using a stronger Password then.
something like: "My s3rv3r is just Aw3s0m3!"

hmm, I dont know about any freeware that does this, but any any half the way working firewall software should block IPs that are trying to bruteforce after some attempts.

At this moment, your problem is that those who have hacked you, still have access to your server, even if you change the password (cause they most likely have a keylogger installed now).

so what you would need to do is rebuild the server, with a strong password this time and with a good firewall-
^^ then dissalow all communications on all ports that you are not gona need.

you could also try and use some malware scanners to see if you find anything, but If they have done their job nicely, its gona be a hard one-


Author Comment

ID: 24368535
There is not a user "root" on the system. I don't think that is how he got in. I think he exsploited  HTTP.

No root kit has been found by the antivirus.

Expert Comment

ID: 24368607
in the log, you said you saw several attempts to login using ssh?
so I assume SSH is opened on your machine?

how much of time is between those login attempts? if its several hundert attempts with nearly no time in between, its bruteforcing.

if they exploited HTTP your gona have to go over your webcode ;/

Author Comment

ID: 24369101
SSH is open and there were many (I did not count), very many attempts to do a brute force attack. I see no indication of a successful login by the brute force attack. I am looking into the ability of the antivirus/firewall to block failed attempt logins. Our passwords average 12 characters and are a good mix so cracking a password would be a long term project.

Web code is another dept. I will hand that over to them.

Accepted Solution

gilget earned 500 total points
ID: 24369166
yeah. update that webcode.

if your 100% sure that there was no successful login (they might have deleted the record thought), then your not gona need to reset that box.
otherwise the suggestion would be a reset-rebuild.

what you also could do for a start, since you know where the bruteforce came from, you could simply block the hole provider range (as long as you have no customers sitting in that providers locations, wich may be possible for china.. ), that would help you for the first-

website hackers usually scan ip ranges for servers with vulnerability for certain script attacks, sadly lotsa of this stuff comes from asia and russia- ;/

Author Closing Comment

ID: 31580654

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question