

Attempted hacking to site?

Posted on 2013-06-18
Medium Priority
Last Modified: 2013-06-19
Yesterday our zen cart site crashed due to lack of RAM.  We have never had this problem before (years) and upon looking at the stats there were the usual number of visitors and page views.

Concerned we did a little digging and emailed our host to tell them that we saw these urls accessed on our server for example:

They said those attempts happen all the time.

I asked them if they could see if there was a script that was running yesterday that was hogging the memory.  They said it was too late to check.

Also, last night we had 11 failed attempts to an email log-in, but strangely the IP Address was from the owner's one-man office.  I explained that to our host provider who said "It happened in the middle of the night for whatever reason, but unless someone was accessing that office in the middle of the night without your knowledge, or a hacker got into the office computer and tried to brute force the password, which is usually saved in your email client anyways, it was just a simple mistake, or a misconfigured device."

They seem to be unfazed by all of this. I don't know what to do at this point. We are too nervous about it to let it go.  What steps should I take now?  What should I be looking for?

We have a managed VPS. I have access to the CPanel and can get access to the WHM.

Question by:christamcc
LVL 35

Expert Comment

by:Paul MacDonald
ID: 39257655
It looks like you were the victim of a scripted (script-kiddie) attack.  This does happen all the time and, if you stay up-to-date on your patches, it's usually innocuous.  If your host seems unfazed, this is why.  It's just a fact of life.

That said, if it looks like someone within your office was doing something after hours, it may be you have a machine that's been compromised.  You might want to scan any suspect machines for malware/rootkits to see if someone is using one or more machines as zombies.

Author Comment

ID: 39257758
Thanks for the info. Unfortunately, I'm not convinced that we are up to date, which is my biggest concern.  We need to update our Zen Cart to the most current, but it's going to be at least a week until that happens. (It's a super customized cart, the updates take a while.)

Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?  Should I be looking somewhere for evidence of this?

Regarding the email, we'll scan his computer though he is the only person with a key to the office and it's in a different state than the brick and mortar store associated with the website.  All employees are in another state than him, including myself.  Any other thoughts there?
LVL 53

Assisted Solution

COBOLdinosaur earned 800 total points
ID: 39258097
If the machine is connected to the internet, then there is no need for physical access.  At some point a trojan could have been picked up and installed malicious software that is part of a botnet.  The machine needs to be scanned for malware and disconnected from both the internal network and the internet until you can be certain you have a clean machine.

As for the script kiddie attacks, scan your access logs for the strange entries you found and see what IP addresses are being used. If you check the IP addresses you will generally find that they are listed on blacklists.  Then just block the C-level or even the B-level netblocks.

OR... relax.  The idiots, spammers, and vandals are part of the experience of operating web sites.  Keep up to date and follow good security practices.  Other than the single machine you have identified, I am not certain you have a real threat, and if you over-react, you will start doing things that will limit access for your customers in an attempt to block jerks who are little more than an irritant.

LVL 35

Accepted Solution

Paul MacDonald earned 1200 total points
ID: 39259398
"Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?"
Don't think of it as running a script ON your site, think of it as running a script AGAINST your site.  The increased RAM usage may have been a response to an increased number of requests against the web site, executed very quickly.

"...though he is the only person with a key to the office ..."
A hacker doesn't need physical access to a machine to compromise it.  Clicking the wrong link, visiting the wrong page, etc., are vectors.
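The two pieces of advice above, checking the access log for the IPs behind the odd requests and netblocking them, and recognising a burst of requests fired against the site very quickly, can be combined into one log check. This is an added example, not code from the thread or from cPanel; the log lines are constructed in Apache "combined" format, the thresholds (5 requests, 80% 404s, within 60 seconds) are assumptions to tune against your own traffic, and the URLs are placeholders, not the ones the poster saw.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines in Apache "combined" format (what a cPanel domain access
# log looks like); not real traffic from the poster's site.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jun/2013:03:14:01 -0400] "GET /index.php?main_page=index HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2013:03:14:02 -0400] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.10 - - [17/Jun/2013:03:14:02 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.10 - - [17/Jun/2013:03:14:03 -0400] "GET /setup.php HTTP/1.1" 404 210 "-" "-"
203.0.113.10 - - [17/Jun/2013:03:14:03 -0400] "GET /pma/ HTTP/1.1" 404 210 "-" "-"
203.0.113.10 - - [17/Jun/2013:03:14:04 -0400] "GET /mysql/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [17/Jun/2013:03:15:10 -0400] "GET /index.php?main_page=shopping_cart HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
203.0.113.55 - - [17/Jun/2013:03:20:00 -0400] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than crashing."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            entries.append(d)
    return entries

def scan_like_ips(entries, min_requests=5, min_404_ratio=0.8, window_seconds=60):
    """Flag IPs that fired a burst of mostly-404 requests inside a short window:
    the footprint of an automated probe, not of a customer browsing the cart."""
    per_ip = defaultdict(list)
    for e in entries:
        per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        ratio = sum(e["status"] == 404 for e in evs) / len(evs)
        if len(evs) >= min_requests and ratio >= min_404_ratio and span <= window_seconds:
            flagged[ip] = {"requests": len(evs), "ratio_404": ratio, "span_s": span}
    return flagged

def netblocks(ips, prefix=24):
    """Collapse flagged IPs to /24 ("C-class") blocks for a firewall deny list."""
    return sorted({str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})
```

Run `netblocks(scan_like_ips(parse_log(open(path).read())))` against the domain's access log from cPanel; on the constructed sample only 203.0.113.10 is flagged and it collapses to 203.0.113.0/24, while the customer at 198.51.100.7 is left alone.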

Author Comment

ID: 39260835
Relaxing is not an option (it's just not my personality lol), but not being reactionary is. ;) We might be more nervous than most because we WERE hacked a couple years ago and lost thousands of dollars of customer orders and hurt our reputation with our loyal customers.  We have since upgraded our server so we could whitelist IP Addresses for CPanel access.  In that case it started with "something doesn't seem right" also, so we like to make sure with these things.

Thanks for the information!
