Hacked website

I have become the sole Admin of a growing company that has had their web site hacked twice in the last month. The website is on a 2000 server at a remote location. I know very little about web sites so here are my questions.

How do I get notifications of failed attempts to access the website?

How do I stop the hacking?

I did find anonymous access enabled and I turned that off. Patches are up to date on the server and I have Trend Micro for and antivirus - no fire wall.
Who is Participating?
yeah. update that webcode.

if your 100% sure that there was no successful login (they might have deleted the record thought), then your not gona need to reset that box.
otherwise the suggestion would be a reset-rebuild.

what you also could do for a start, since you know where the bruteforce came from, you could simply block the hole provider range (as long as you have no customers sitting in that providers locations, wich may be possible for china.. ), that would help you for the first-

website hackers usually scan ip ranges for servers with vulnerability for certain script attacks, sadly lotsa of this stuff comes from asia and russia- ;/
there is a various possibilites of attacks that one could run onto your server.

the range is from script attacks to brutoforcing services.

what you will need is a firewall that detects and stops basic attacks.
for the second part your gona have to check the code of your website, maybe it has outdated code that allows attackers to highjack the page.

can you give us a more exact description of how you been hacked?
got any firewall logs?
you say your servers is located at a remote place, is it a serverhousing? if so, you might want to ask the provider for any firewall logs-
maybe they have a trace.
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

jimmylew52Author Commented:
Router logging has been disabled. The applications logs show a multitude of attempts to log in as root thru ssh. The web site logs do not show anything I can trace.

The server is in a NOC. They do not log anything to our site. The IP addresses are both traceable to china. Both the same provider.
I guess they have brootforced your root password then.

You might want to reconsider using a stronger Password then.
something like: "My s3rv3r is just Aw3s0m3!"

hmm, I dont know about any freeware that does this, but any any half the way working firewall software should block IPs that are trying to bruteforce after some attempts.

At this moment, your problem is that those who have hacked you, still have access to your server, even if you change the password (cause they most likely have a keylogger installed now).

so what you would need to do is rebuild the server, with a strong password this time and with a good firewall-
^^ then dissalow all communications on all ports that you are not gona need.

you could also try and use some malware scanners to see if you find anything, but If they have done their job nicely, its gona be a hard one-

jimmylew52Author Commented:
There is not a user "root" on the system. I don't think that is how he got in. I think he exsploited  HTTP.

No root kit has been found by the antivirus.
in the log, you said you saw several attempts to login using ssh?
so I assume SSH is opened on your machine?

how much of time is between those login attempts? if its several hundert attempts with nearly no time in between, its bruteforcing.

if they exploited HTTP your gona have to go over your webcode ;/
jimmylew52Author Commented:
SSH is open and there were many (I did not count), very many attempts to do a brute force attack. I see no indication of a successful login by the brute force attack. I am looking into the ability of the antivirus/firewall to block failed attempt logins. Our passwords average 12 characters and are a good mix so cracking a password would be a long term project.

Web code is another dept. I will hand that over to them.
jimmylew52Author Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.