Hacked Linux Box

Posted on 2010-01-03
Last Modified: 2013-12-06
I have a website running on Fedora and it seems that it was hacked by "Bordobereliler". I am trying to reboot the machine and now it's not responding. Has anyone seen this? I cannot reboot the server. It just hangs. It is a VM Linux server.

Question by: j556x45
    LVL 12

    Expert Comment

    Hi there;

    Are there any snapshots in your VM? Could you revert it?

    Are you using VMware or VirtualBox or any other?

    Is it possible to ping the server?

    Could you give me more information regarding BordoBereliler, another nick like 1923TURKGRUP? I mean they are obviously from Turkey (as am I, and I read Turkish), so I can investigate that too, along with their style, and we can find a way to solve it.

    Best regards and sorry for the incident.

    Author Comment

    I just reverted back to a snapshot. This looked like the best thing to do. Unfortunately, the snapshot removed did not include a lot of the recent updates and now must be created. I am now curious how I can harden this more to prevent this. Do you have any information on what they used to exploit?

    Thank you for the quick reply!
    LVL 35

    Accepted Solution

    There are two things that I'd like to point your attention to:

    1. In the absolute majority of cases webserver defacement is performed via the exploitation of security flaws in web applications running on the server. This also applies to the so-called "Turkish hackers" who mostly are gangs of script-kiddies that like to brag about their exploits.
    Hence if you are running advanced web applications like portal software/CMS, forum, wiki, blog or even e-shop on your server, make sure they are patched to the newest version. The more popular a software is, the sooner it should be updated and the better it should be kept up-to-date. So begin with vBulletin, phpBB, Joomla, WordPress etc.
    Even if in the present case they managed to make your server freeze and unresponsive, I should still consider this to have been done using well known security exploits in the web applications rather than the server OS/software.

    2. Speaking of server OS: Fedora isn't really the ideal server in my eyes because of its very vivid release cycle and very restricted update policy. It's your choice either to make sure that you are running one of the two latest versions (11 or 12), or, if you can't be bothered to upgrade your OS every couple of months, to start using CentOS instead for serving your pages. There has been a warning that you should not ignore.
    LVL 12

    Assisted Solution

    Hi there;

    If it's a PHP-based website, use magic quotes.

    Also change all the passwords, since those noobs mostly guess passwords or prepare dictionaries accordingly.

    Set your folder/file permissions to 644; if some need to be executed, give only those 655.

    Best regards.
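
An added example, not part of any reply in this thread: a shell function that audits a web root against the permission advice above, reporting group/world-writable entries, files with an execute bit, and setuid/setgid files. The names `audit_webroot` and `make_demo_tree`, the sample file names and the `/var/www/html` path in the usage comment are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit a web root's permissions.
# Baseline assumed here: regular files no more permissive than 644, and
# executable files limited to a short list you can account for.

# audit_webroot DIR
# Prints one finding per line as "<KIND> <path>":
#   WRITABLE  file or directory writable by group or others
#   EXEC      regular file with any execute bit set
#   SPECIAL   regular file with the setuid or setgid bit set
# Uses only POSIX find tests; paths containing newlines are not handled.
audit_webroot() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/EXEC /'
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SPECIAL /'
}

# make_demo_tree: builds a constructed sample web root and prints its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    mkdir "$d/uploads"
    for f in index.php config.php run.cgi; do echo sample > "$d/$f"; done
    chmod 644 "$d/index.php"     # matches the baseline, not reported
    chmod 666 "$d/config.php"    # world-writable, reported as WRITABLE
    chmod 755 "$d/run.cgi"       # executable, reported as EXEC
    chmod 777 "$d/uploads"       # world-writable directory, reported as WRITABLE
    echo "$d"
}

# Usage: script.sh /var/www/html   (audit a real directory)
#        script.sh --demo          (audit the constructed sample tree)
case "${1:-}" in
    "")     ;;
    --demo) t=$(make_demo_tree) && audit_webroot "$t"; rm -rf "$t" ;;
    *)      audit_webroot "$1" ;;
esac
```

Run it after restoring a snapshot and again after redeploying the site, and compare the two listings; an EXEC or WRITABLE entry that you did not put there is worth investigating.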
