Hacked Linux Box

Posted on 2010-01-03
Medium Priority
Last Modified: 2013-12-06
I have a website running on Fedora and it seems that it was hacked by "Bordobereliler". I am trying to reboot the machine and now it's not responding. Has anyone seen this? I cannot reboot the server. It just hangs. It is a VM Linux server.

Question by:j556x45
LVL 12

Expert Comment

ID: 26168866
Hi there;

Are there any snapshots in your VM? Could you revert it?

Are you using VMWare or VirtualBox or any other?

Is it possible to ping the server?

Could you give me more information regarding BordoBereliler, another nick like 1923TURKGRUP? I mean, they are obviously from Turkey (as am I, and I read Turkish), so I can investigate that and their style too, and we can find a way to solve it.

Best regards and sorry for the incident.

Author Comment

ID: 26168911
I just reverted back to a snapshot. This looked like the best thing to do. Unfortunately, the snapshot removed did not include a lot of the recent updates and now must be created. I am now curious how I can harden this more to prevent this. Do you have any information on what they used to exploit?

Thank you for the quick reply!
LVL 35

Accepted Solution

torimar earned 1000 total points
ID: 26168987
There are two things that I'd like to draw your attention to:

1. In the absolute majority of cases webserver defacement is performed via the exploitation of security flaws in web applications running on the server. This also applies to the so-called "Turkish hackers" who mostly are gangs of script-kiddies that like to brag about their exploits.
Hence, if you are running advanced web applications like portal software/CMS, forum, wiki, blog or even e-shop on your server, make sure they are patched to the newest version. The more popular a piece of software is, the sooner it should be updated and the better it should be kept up-to-date. So begin with vBulletin, phpBB, Joomla, WordPress etc.
Even if in the present case they managed to make your server freeze and become unresponsive, I should still consider this to have been done using well-known security exploits in the web applications rather than the server OS/software.

2. Speaking of server OS: Fedora isn't really the ideal server in my eyes because of its very vivid release cycle and very restricted update policy. It's your choice either to make sure that you are running one of the two latest versions (11 or 12), or, if you can't be bothered to upgrade your OS every couple of months, to start using CentOS instead for serving your pages. There has been a warning that you should not ignore.
LVL 12

Assisted Solution

jazzIIIlove earned 1000 total points
ID: 26169102
Hi there;

If it's a PHP-based website, use magic quotes.

Also change all the passwords, since those noobs mostly guess passwords or prepare dictionaries accordingly.

Set your folder/file permissions to 644; if some are to be executed, give only those 655.

Best regards.
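The permission advice in the reply above can be checked after a restore with a short audit. This is an added example, not code from the thread or its posters; the function names and the sample tree are constructed for illustration. It relies on the fact that neither 644 nor 655 grants write access to group or other, and it lists files carrying an execute bit so they can be compared against the few that are meant to be executed.

```shell
#!/bin/sh
# Added example: audit a web root against the 644/655 permission advice above.
# Function names and the sample tree are constructed for illustration.

# Files and directories that group or other can write to.
# Neither 644 nor 655 sets those bits, so any hit deviates from the advice.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# Regular files with any execute bit, to compare against the short list
# of files that are actually meant to be executed.
audit_executable() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Print a report; return non-zero when group/other-writable paths exist.
audit_webroot() {
    writable=$(audit_writable "$1")
    executable=$(audit_executable "$1")
    if [ -n "$writable" ]; then
        printf 'Writable by group/other:\n%s\n' "$writable"
    fi
    if [ -n "$executable" ]; then
        printf 'Executable files to review:\n%s\n' "$executable"
    fi
    [ -z "$writable" ]
}

# Build a small constructed tree (not from the original post) to audit.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" "$t/cgi-bin"
    : > "$t/index.php";       chmod 644 "$t/index.php"
    : > "$t/config.php";      chmod 666 "$t/config.php"
    : > "$t/logo.png";        chmod 755 "$t/logo.png"
    : > "$t/cgi-bin/run.cgi"; chmod 655 "$t/cgi-bin/run.cgi"
    chmod 755 "$t" "$t/cgi-bin"
    chmod 777 "$t/uploads"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
audit_webroot "$sample" || echo "Result: permissions need tightening"
rm -rf "$sample"
```

Run `audit_webroot` against the real document root in place of the sample tree; a non-zero return means at least one path is writable by group or other.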


Question has a verified solution.
