

Attempted hacking to site?

Posted on 2013-06-18
Medium Priority
Last Modified: 2013-06-19
Yesterday our zen cart site crashed due to lack of RAM.  We have never had this problem before (years) and upon looking at the stats there were the usual number of visitors and page views.

Concerned we did a little digging and emailed our host to tell them that we saw these urls accessed on our server for example:

They said those attempts happen all the time.

I asked them if they could see if there was a script that was running yesterday that was hogging the memory.  They said it was too late to check.

Also, last night we had 11 failed attempts to an email log-in, but strangely the IP Address was from the owner's one-man office.  I explained that to our host provider who said "It happened in the middle of the night for whatever reason, but unless someone was accessing that office in the middle of the night without your knowledge, or a hacker got into the office computer and tried to brute force the password, which is usually saved in your email client anyways, it was just a simple mistake, or a misconfigured device."

They seem to be unfazed by all of this. I don't know what to do at this point. We are too nervous about it to let it go.  What steps should I take now?  What should I be looking for?

We have a managed VPS. I have access to the CPanel and can get access to the WHM.

Question by:christamcc
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39257655
It looks like you were the victim of a scripted (script-kiddie) attack.  This does happen all the time and, if you stay up-to-date on your patches, it's usually innocuous.  If your host seems unfazed, this is why.  It's just a fact of life.

That said, if it looks like someone within your office was doing something after hours, it may be you have a machine that's been compromised.  You might want to scan any suspect machines for malware/rootkits to see if someone is using one or more machines as zombies.

Author Comment

ID: 39257758
Thanks for the info. Unfortunately, I'm not convinced that we are up to date, which is my biggest concern.  We need to update our Zen Cart to the most current, but it's going to be at least a week until that happens. (It's a super customized cart, the updates take a while.)

Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?  Should I be looking somewhere for evidence of this?

Regarding the email, we'll scan his computer though he is the only person with a key to the office and it's in a different state than the brick and mortar store associated with the website.  All employees are in another state than him, including myself.  Any other thoughts there?
LVL 53

Assisted Solution

COBOLdinosaur earned 800 total points
ID: 39258097
If the machine is connected to the internet, then there is no need for physical access.  At some point a trojan could have been picked up and installed malicious software that is part of a botnet.  The machine needs to be scanned for malware and disconnected from both the internal network and the internet until you can be certain you have a clean machine.

As for the script kiddie attacks, scan your access logs for the strange entries you found and see what IP addresses are being used. If you check the IP addresses you will generally find that they are listed on blacklists.  Then just block the c-level or even the b-level netblocks.

OR... relax.  The idiots, spammers, and vandals are part of the experience of operating web sites.  Keep up to date and follow good security practices.  Other than the single machine you have identified, I am not certain you have a real threat, and if you over-react, you will start doing things that will limit access for your customers in an attempt to block jerks who are little more than an irritant.

LVL 34

Accepted Solution

Paul MacDonald earned 1200 total points
ID: 39259398
"Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?"
Don't think of it as running a script ON your site, think of it as running a script AGAINST your site.  The increased RAM usage may have been a response to an increased number of requests against the web site, executed very quickly.

"...though he is the only person with a key to the office ..."
A hacker doesn't need physical access to a machine to compromise it.  Clicking the wrong link, visiting the wrong page, etc, are vectors.

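The two checks suggested in the answers above (COBOLdinosaur's "scan your access logs for the strange entries, see which IPs sent them, then block the /24 or /16 netblock", and Paul MacDonald's "the RAM spike was probably a burst of requests run against the site") can be done from one pass over the Apache access log that cPanel keeps for the domain. The script below is an added example, not code from the thread or from Zen Cart or cPanel. The log lines, the probe URL patterns and the office allowlist range are all constructed for illustration (the real probe URLs the poster saw are not on the page, so substitute your own); the addresses are RFC 5737 documentation ranges.

```python
"""Added example: triage an Apache/cPanel access log for scanner probes and
request bursts, then roll offending IPs up to /24 ("C") or /16 ("B") blocks.
All sample data here is constructed for illustration."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Apache "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative probe patterns (assumption: replace with the URLs from your log).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/phpmyadmin", r"/wp-login\.php", r"/xmlrpc\.php",
    r"\.\./", r"/etc/passwd", r"(?:\?|&)[^=]+=https?://",
)]

# Constructed sample log (17 Jun 2013 is the date the poster's site crashed).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2013:03:14:01 +0000] "GET /index.php?main_page=index HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2013:03:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.10 - - [17/Jun/2013:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.77 - - [17/Jun/2013:03:14:03 +0000] "GET /index.php?main_page=product_info&products_id=../../../../etc/passwd HTTP/1.1" 200 5123 "-" "-"
198.51.100.5 - - [17/Jun/2013:03:15:10 +0000] "GET /index.php?main_page=shopping_cart HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
192.0.2.20 - - [17/Jun/2013:03:14:05 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "-"
192.0.2.20 - - [17/Jun/2013:03:14:06 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "-"
"""
# Assumed allowlist: the owner's office range, never to be auto-denied.
OFFICE_ALLOWLIST = ["192.0.2.0/24"]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def requests_per_minute(entries):
    """Hits per minute: a spike that lines up with the crash supports
    'a script run AGAINST the site' rather than code running on it."""
    return Counter(e["time"].strftime("%Y-%m-%d %H:%M") for e in entries)


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def probe_hits_by_ip(entries):
    return Counter(e["ip"] for e in entries if is_probe(e["path"]))


def netblocks(per_ip, prefix):
    """Roll per-IP probe counts up to /prefix networks (24 = C-level, 16 = B-level)."""
    blocks = Counter()
    for ip, n in per_ip.items():
        blocks[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return blocks


def deny_rules(blocks, allowlist, min_hits=3):
    """Apache 2.2-style 'Deny from' lines for blocks with >= min_hits probes,
    skipping any block that overlaps an allowlisted range so you cannot
    lock out your own office or the cPanel whitelist."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    rules = []
    for net_s, hits in sorted(blocks.items(), key=lambda kv: -kv[1]):
        net = ipaddress.ip_network(net_s)
        if hits < min_hits or any(net.overlaps(a) for a in allowed):
            continue
        rules.append(f"Deny from {net}")
    return rules


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for minute, n in sorted(requests_per_minute(entries).items()):
        print(minute, n)
    blocks = netblocks(probe_hits_by_ip(entries), 24)
    print("\n".join(deny_rules(blocks, OFFICE_ALLOWLIST, min_hits=2)))
```

Run it against the real file (on a cPanel VPS typically /usr/local/apache/domlogs/<domain>) by replacing SAMPLE_LOG with the file contents. Note the allowlist check: the 192.0.2.0/24 block in the sample has enough probe hits to be denied, but it is the assumed office range and is skipped, which is the kind of self-lockout the thread warns about when blocking whole netblocks. Keep min_hits high enough that one stray 404 from a customer does not get their ISP's /16 banned.
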
Author Comment

ID: 39260835
Relaxing is not an option (it's just not my personality lol), but not being reactionary is. ;) We might be more nervous than most because we WERE hacked a couple years ago and lost thousands of dollars of customer orders and hurt our reputation with our loyal customers.  We have since upgraded our server so we could whitelist IP Addresses for CPanel access.  In that case it started with "something doesn't seem right" also, so we like to make sure with these things.

Thanks for the information!
