
Attempted hacking to site?

Yesterday our Zen Cart site crashed due to lack of RAM.  We have never had this problem before (years) and upon looking at the stats there were the usual number of visitors and page views.

Concerned, we did a little digging and emailed our host to tell them that we saw these URLs accessed on our server, for example:

They said those attempts happen all the time.

I asked them if they could see if there was a script that was running yesterday that was hogging the memory.  They said it was too late to check.

Also, last night we had 11 failed attempts to an email log-in, but strangely the IP address was from the owner's one-man office.  I explained that to our host provider, who said "It happened in the middle of the night for whatever reason, but unless someone was accessing that office in the middle of the night without your knowledge, or a hacker got into the office computer and tried to brute force the password, which is usually saved in your email client anyways, it was just a simple mistake, or a misconfigured device."

They seem to be unfazed by all of this. I don't know what to do at this point. We are too nervous about it to let it go.  What steps should I take now?  What should I be looking for?

We have a managed VPS. I have access to the CPanel and can get access to the WHM.

2 Solutions
Paul MacDonald (Director, Information Systems) commented:
It looks like you were the victim of a scripted (script-kiddie) attack.  This does happen all the time and, if you stay up-to-date on your patches, it's usually innocuous.  If your host seems unfazed, this is why.  It's just a fact of life.

That said, if it looks like someone within your office was doing something after hours, it may be you have a machine that's been compromised.  You might want to scan any suspect machines for malware/rootkits to see if someone is using one or more machines as zombies.
christamcc (Author) commented:
Thanks for the info. Unfortunately, I'm not convinced that we are up to date, which is my biggest concern.  We need to update our Zen Cart to the most current, but it's going to be at least a week until that happens. (It's a super customized cart; the updates take a while.)

Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?  Should I be looking somewhere for evidence of this?

Regarding the email, we'll scan his computer though he is the only person with a key to the office and it's in a different state than the brick and mortar store associated with the website.  All employees are in another state than him, including myself.  Any other thoughts there?

If the machine is connected to the internet, then there is no need for physical access.  At some point a trojan could have been picked up and installed malicious software that is part of a botnet.  The machine needs to be scanned for malware and disconnected from both the internal network and the internet until you can be certain you have a clean machine.

As for the script kiddie attacks, scan your access logs for the strange entries you found and see what IP addresses are being used. If you check the IP addresses you will generally find that they are listed on blacklists.  Then just block the C-level or even the B-level netblocks.

OR... relax.  The idiots, spammers, and vandals are part of the experience of operating web sites.  Keep up to date and follow good security practices.  Other than the single machine you have identified, I am not certain you have a real threat, and if you over-react, you will start doing things that will limit access for your customers in an attempt to block jerks who are little more than an irritant.

Paul MacDonald (Director, Information Systems) commented:
"Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?"
Don't think of it as running a script ON your site, think of it as running a script AGAINST your site.  The increased RAM usage may have been a response to an increased number of requests against the web site, executed very quickly.

"...though he is the only person with a key to the office ..."
A hacker doesn't need physical access to a machine to compromise it.  Clicking the wrong link, visiting the wrong page, etc., are vectors.
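
The earlier advice to comb the access logs for the addresses behind the odd requests, and the point above that a RAM spike can come from a burst of requests executed very quickly, can be turned into one check. The following is an added example, not code from any of the posters: it parses constructed Apache/cPanel combined-format log lines, flags any address whose request rate peaks above a threshold inside a sliding window, and names the netblock you would put in a deny rule. The sample addresses, paths, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Apache/cPanel "combined" access-log line; only the client IP and timestamp are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for one log line, or None if the line does not parse."""
    m = LOG_LINE.match(line)
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)) if m else None


def find_bursts(lines, window=timedelta(seconds=60), threshold=50):
    """Map each IP to its peak request count inside any `window`; keep those at or over `threshold`."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            stamps_by_ip[rec[0]].append(rec[1])
    bursts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def netblock(ip, prefix=24):
    """The /24 (C-level) or /16 (B-level) block an address falls in, as written in a deny rule."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def sample_log():
    """Constructed log (assumed values): one address fires 80 requests in 20 s; two shoppers browse normally."""
    base = datetime(2014, 5, 6, 3, 12, 0, tzinfo=timezone.utc)

    def line(ip, offset, path):
        ts = (base + offset).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'

    lines = [line("198.51.100.23", timedelta(milliseconds=250 * i), "/index.php?main_page=product_info") for i in range(80)]
    for ip in ("203.0.113.5", "203.0.113.9"):
        lines += [line(ip, timedelta(seconds=20 * i), "/index.php?main_page=index") for i in range(5)]
    return lines
```

Run `find_bursts(sample_log())` to see the hammering address and `netblock(ip)` for the block to deny; on a real server feed it the lines of the domain's access log from cPanel instead of `sample_log()`.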
christamcc (Author) commented:
Relaxing is not an option (it's just not my personality lol), but not being reactionary is. ;) We might be more nervous than most because we WERE hacked a couple years ago and lost thousands of dollars of customer orders and hurt our reputation with our loyal customers.  We have since upgraded our server so we could whitelist IP Addresses for CPanel access.  In that case it started with "something doesn't seem right" also, so we like to make sure with these things.

Thanks for the information!
