Attempted hacking to site?

Posted on 2013-06-18
Last Modified: 2013-06-19
Yesterday our Zen Cart site crashed due to lack of RAM.  We have never had this problem before (in years), and upon looking at the stats there were the usual number of visitors and page views.

Concerned, we did a little digging and emailed our host to tell them that we saw these URLs accessed on our server, for example:

They said those attempts happen all the time.

I asked them if they could see if there was a script that was running yesterday that was hogging the memory.  They said it was too late to check.

Also, last night we had 11 failed attempts to an email log-in, but strangely the IP address was from the owner's one-man office.  I explained that to our host provider, who said "It happened in the middle of the night for whatever reason, but unless someone was accessing that office in the middle of the night without your knowledge, or a hacker got into the office computer and tried to brute force the password, which is usually saved in your email client anyways, it was just a simple mistake, or a misconfigured device."

They seem to be unfazed by all of this. I don't know what to do at this point. We are too nervous about it to let it go.  What steps should I take now?  What should I be looking for?

We have a managed VPS. I have access to the CPanel and can get access to the WHM.

Question by:christamcc

Expert Comment

by:Paul MacDonald
ID: 39257655
It looks like you were the victim of a scripted (script-kiddie) attack.  This does happen all the time and, if you stay up-to-date on your patches, it's usually innocuous.  If your host seems unfazed, this is why.  It's just a fact of life.

That said, if it looks like someone within your office was doing something after hours, it may be you have a machine that's been compromised.  You might want to scan any suspect machines for malware/rootkits to see if someone is using one or more machines as zombies.

Author Comment

ID: 39257758
Thanks for the info. Unfortunately, I'm not convinced that we are up to date, which is my biggest concern.  We need to update our Zen Cart to the most current, but it's going to be at least a week until that happens. (It's a super customized cart; the updates take a while.)

Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?  Should I be looking somewhere for evidence of this?

Regarding the email, we'll scan his computer though he is the only person with a key to the office and it's in a different state than the brick and mortar store associated with the website.  All employees are in another state than him, including myself.  Any other thoughts there?

Assisted Solution

COBOLdinosaur earned 200 total points
ID: 39258097
If the machine is connected to the internet, then there is no need for physical access.  At some point a trojan could have been picked up and installed malicious software that is part of a botnet.  The machine needs to be scanned for malware and disconnected from both the internal network and the internet until you can be certain you have a clean machine.

As for the script kiddie attacks, scan your access logs for the strange entries you found and see what IP addresses are being used. If you check the IP addresses you will generally find that they are listed on blacklists.  Then just block the c-level or even the b-level netblocks.

OR... relax.  The idiots, spammers, and vandals are part of the experience of operating web sites.  Keep up to date and follow good security practices.  Other than the single machine you have identified, I am not certain you have a real threat, and if you over-react, you will start doing things that will limit access for your customers in an attempt to block jerks who are little more than an irritant.


Accepted Solution

Paul MacDonald earned 300 total points
ID: 39259398
"Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?"
Don't think of it as running a script ON your site, think of it as running a script AGAINST your site.  The increased RAM usage may have been a response to an increased number of requests against the web site, executed very quickly.

"...though he is the only person with a key to the office ..."
A hacker doesn't need physical access to a machine to compromise it.  Clicking the wrong link, visiting the wrong page, etc, are vectors.
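The two answers above suggest the same investigation: pull the access log, find the IPs behind the strange URLs and the burst of requests that would explain a sudden RAM spike, and collapse the offenders into netblocks you could block. The script below is an added example of that triage, not code from either expert or from Zen Cart or cPanel. It parses Apache/cPanel combined-format access log lines, reports per-IP request bursts, IPs generating many 404s (scanner probing), requests per minute (to line up with the time of the crash), and candidate /24 blocks. The log lines, IP addresses and paths are constructed for the example; the thresholds are assumptions to tune against a real log.

```python
"""Access-log triage for the "script run AGAINST the site" pattern.

Added example, not from the original thread. The sample log is constructed;
IPs are from documentation ranges and the probe paths are placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Apache/cPanel "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, burst_window=60, burst_threshold=20, min_404=5):
    """Return (bursts, probers).

    bursts:  ip -> max requests seen from that ip inside any burst_window seconds
             (only ips reaching burst_threshold), i.e. the rapid-fire pattern that
             can exhaust RAM on a PHP cart.
    probers: ip -> number of 404s (only ips reaching min_404), i.e. scanners
             trying paths that do not exist on this site.
    Thresholds are assumed defaults; tune them to real traffic.
    """
    by_ip = defaultdict(list)
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that do not parse
        by_ip[rec["ip"]].append(rec["ts"])
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1

    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, j = 0, 0                    # sliding window over sorted timestamps
        for i, t in enumerate(stamps):
            while (t - stamps[j]).total_seconds() > burst_window:
                j += 1
            best = max(best, i - j + 1)
        if best >= burst_threshold:
            bursts[ip] = best

    probers = {ip: n for ip, n in not_found.items() if n >= min_404}
    return bursts, probers


def requests_per_minute(lines):
    """Counter of 'YYYY-MM-DD HH:MM' -> request count, to line up with the crash time."""
    per_min = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_min[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    return per_min


def candidate_netblocks(ips, prefix=24):
    """Collapse offending IPs into /24 networks (the 'c-level' blocks mentioned above)."""
    return sorted({str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})


# Constructed sample log: one normal shopper plus one IP hammering non-existent
# paths in a 25-second window (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
def _line(ip, ts, path, status):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    _line("198.51.100.7", "18/Jun/2013:09:00:01 -0400", "/index.php?main_page=index", 200),
    _line("198.51.100.7", "18/Jun/2013:09:00:09 -0400", "/index.php?main_page=product_info&products_id=12", 200),
] + [
    _line("203.0.113.45", f"18/Jun/2013:03:14:{i:02d} -0400", f"/probe{i}.php", 404)
    for i in range(25)
]

if __name__ == "__main__":
    bursts, probers = triage(SAMPLE_LOG)
    print("bursts:", bursts)
    print("probers:", probers)
    print("busiest minutes:", requests_per_minute(SAMPLE_LOG).most_common(3))
    print("candidate blocks:", candidate_netblocks(set(bursts) | set(probers)))
```

On a real cPanel box the input is the domain's access log (`zcat`/`cat` the rotated files and pipe them in, or `open()` them in place of `SAMPLE_LOG`). The netblock list is a starting point, not something to drop straight into a firewall: a /24 can contain legitimate customers, which is exactly the over-reaction the second answer warns about, so check the offending IPs against a blacklist and your own order history before blocking.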

Author Comment

ID: 39260835
Relaxing is not an option (it's just not my personality lol), but not being reactionary is. ;) We might be more nervous than most because we WERE hacked a couple years ago and lost thousands of dollars of customer orders and hurt our reputation with our loyal customers.  We have since upgraded our server so we could whitelist IP Addresses for CPanel access.  In that case it started with "something doesn't seem right" also, so we like to make sure with these things.

Thanks for the information!
