Solved

Attempted hacking to site?

Posted on 2013-06-18
518 Views
Last Modified: 2013-06-19
Yesterday our Zen Cart site crashed due to lack of RAM.  We have never had this problem before (years) and upon looking at the stats there were the usual number of visitors and page views.

Concerned, we did a little digging and emailed our host to tell them that we saw these URLs accessed on our server, for example:
/cgi-sys/FormMail.cgi
/cgi-sys/formmail.pl
/%2e/
/./
*
/cgi-sys/FormMail-clone.cgi
/index.php/123
/index.php/\\\"><script><script>alert(document.co...

They said those attempts happen all the time.

I asked them if they could see if there was a script that was running yesterday that was hogging the memory.  They said it was too late to check.

Also, last night we had 11 failed attempts to an email log-in, but strangely the IP address was from the owner's one-man office.  I explained that to our host provider, who said "It happened in the middle of the night for whatever reason, but unless someone was accessing that office in the middle of the night without your knowledge, or a hacker got into the office computer and tried to brute force the password, which is usually saved in your email client anyways, it was just a simple mistake, or a misconfigured device."

They seem to be unfazed by all of this. I don't know what to do at this point. We are too nervous about it to let it go.  What steps should I take now?  What should I be looking for?

We have a managed VPS. I have access to cPanel and can get access to WHM.

Thanks!
Question by:christamcc
LVL 33

Expert Comment

by:paulmacd
ID: 39257655
It looks like you were the victim of a scripted (script-kiddie) attack.  This does happen all the time and, if you stay up-to-date on your patches, it's usually innocuous.  If your host seems unfazed, this is why.  It's just a fact of life.

That said, if it looks like someone within your office was doing something after hours, it may be you have a machine that's been compromised.  You might want to scan any suspect machines for malware/rootkits to see if someone is using one or more machines as zombies.

Author Comment

by:christamcc
ID: 39257758
Thanks for the info. Unfortunately, I'm not convinced that we are up to date, which is my biggest concern.  We need to update our Zen Cart to the most current, but it's going to be at least a week until that happens. (It's a super-customized cart; the updates take a while.)

Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?  Should I be looking somewhere for evidence of this?

Regarding the email, we'll scan his computer though he is the only person with a key to the office and it's in a different state than the brick and mortar store associated with the website.  All employees are in another state than him, including myself.  Any other thoughts there?
LVL 53

Assisted Solution

by:COBOLdinosaur
COBOLdinosaur earned 200 total points
ID: 39258097
If the machine is connected to the internet, then there is no need for physical access.  At some point a trojan could have been picked up and installed malicious software that is part of a botnet.  The machine needs to be scanned for malware and disconnected from both the internal network and the internet until you can be certain you have a clean machine.

As for the script-kiddie attacks, scan your access logs for the strange entries you found and see what IP addresses are being used. If you check the IP addresses you will generally find that they are listed on blacklists.  Then just block the C-level or even the B-level netblocks.

OR... relax.  The idiots, spammers, and vandals are part of the experience of operating web sites.  Keep up to date and follow good security practices.  Other than the single machine you have identified, I am not certain you have a real threat, and if you over-react, you will start doing things that will limit access for your customers in an attempt to block jerks who are little more than an irritant.

Cd&
LVL 33

Accepted Solution

by:paulmacd
paulmacd earned 300 total points
ID: 39259398
"Does the fact that the RAM maxed out yesterday imply that they WERE able to run a script on our site?"
Don't think of it as running a script ON your site, think of it as running a script AGAINST your site.  The increased RAM usage may have been a response to an increased number of requests against the web site, executed very quickly.

"...though he is the only person with a key to the office ..."
A hacker doesn't need physical access to a machine to compromise it.  Clicking the wrong link, visiting the wrong page, etc., are vectors.
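As an added example (not code from anyone in this thread), the log triage the two answers describe in one script: parse cPanel/Apache access-log lines, flag the probe paths quoted in the question as COBOLdinosaur suggests, and look for the burst of requests from one client that paulmacd says could explain the RAM spike. The log lines and IP addresses are constructed, and the one-minute bucket and threshold of 4 requests are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache/cPanel "combined" access-log lines (not from the original post);
# 203.0.113.7 replays the probe paths quoted in the question within a single minute.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2013:02:14:01 -0500] "GET /cgi-sys/FormMail.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jun/2013:02:14:01 -0500] "GET /cgi-sys/formmail.pl HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jun/2013:02:14:02 -0500] "GET /%2e/ HTTP/1.1" 400 301 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jun/2013:02:14:02 -0500] "GET /cgi-sys/FormMail-clone.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jun/2013:02:14:03 -0500] "GET /index.php/123 HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jun/2013:02:14:03 -0500] "GET /index.php/%22%3E%3Cscript%3E HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
198.51.100.22 - - [17/Jun/2013:02:15:10 -0500] "GET /index.php?main_page=product_info HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.22 - - [17/Jun/2013:02:16:44 -0500] "GET /images/logo.gif HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Scanner probe paths listed in the question; one client hitting several of them is a scripted scan.
PROBE_PATHS = {"/cgi-sys/FormMail.cgi", "/cgi-sys/formmail.pl",
               "/cgi-sys/FormMail-clone.cgi", "/%2e/", "/./", "*"}

def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def is_probe(path):
    """True for a known probe path (raw or percent-decoded) or an injected script tag."""
    decoded = unquote(path.split("?")[0])
    return path in PROBE_PATHS or decoded in PROBE_PATHS or "<script" in decoded.lower()

def analyze(text, burst_threshold=4):
    """Per-IP request totals, probe paths seen, and IPs exceeding burst_threshold requests in one minute."""
    per_ip, per_minute, probes = Counter(), Counter(), defaultdict(set)
    for rec in parse_log(text):
        ip = rec["ip"]
        per_ip[ip] += 1
        per_minute[(ip, rec["ts"][:17])] += 1   # "17/Jun/2013:02:14" -> one-minute bucket
        if is_probe(rec["path"]):
            probes[ip].add(rec["path"])
    peak = Counter()
    for (ip, _), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    bursts = {ip: n for ip, n in peak.items() if n >= burst_threshold}
    return {"requests": dict(per_ip), "probes": {ip: sorted(p) for ip, p in probes.items()}, "bursts": bursts}
```

Run it against the real access log from cPanel and the IPs in `probes` and `bursts` are the ones to look up on blacklists before deciding whether a netblock is worth blocking.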

Author Comment

by:christamcc
ID: 39260835
Relaxing is not an option (it's just not my personality lol), but not being reactionary is. ;) We might be more nervous than most because we WERE hacked a couple years ago and lost thousands of dollars of customer orders and hurt our reputation with our loyal customers.  We have since upgraded our server so we could whitelist IP Addresses for CPanel access.  In that case it started with "something doesn't seem right" also, so we like to make sure with these things.

Thanks for the information!