question about hacking

Discussion in 'Security' started by toby, Jul 27, 2007.

  1. #1
    If a site got hacked or defaced, what should I do?

    Should I go and delete that account from WHM and recreate it, or should I just change the password?

    Will the hacker get into the root or other sites hosted on that server?

    Appreciate your urgent response.
    toby
     
    toby, Jul 27, 2007 IP
  2. scoopy82
    #2
    If you recreate the account... most likely, you will also be recreating the hole the hacker used to gain access.

    Having had to deal with several defacements myself... I like to search Google to find the vulnerability the hacker used and then find what needs to be done from there.

    Most times it is an outdated script and/or a fix is posted on their support forum.

    PS: If by chance this is about the latest vulnerability with an arcade script... I don't think there is a fix ;(
     
    scoopy82, Jul 27, 2007 IP
    toby likes this.
  3. toby
    #3
    The problem I want to know about is: if they get into the site, can they gain access to other sites of mine on my server?
     
    toby, Jul 27, 2007 IP
  4. scoopy82
    #4
    /me thinks it all depends on the vulnerability they used. It is more common (from my experience) that they only gain admin access to the script they hacked.
     
    scoopy82, Jul 27, 2007 IP
  5. yamakazy89
    #5
    Defaced or hacked? Do you by any chance mean a DDoS attack?
     
    yamakazy89, Jul 27, 2007 IP
    toby likes this.
  6. toby
    #6
    Not a DDoS attack, just a defacement.

    How can I know if it's DDoS? How can I review my logs to see that hacking activity?
     
    toby, Jul 27, 2007 IP
  7. ds316
    #7
    A DDoS attack, which simply stands for Distributed Denial of Service, just means someone sent more requests to your site's server than it could handle. This appears in logs as many, many requests per second.

    From personal experience, most times it is just a script that is exploited, and as scoopy82 said, it's usually a case of upgrading the script.

    Other times it can be the server that is exploited; this is visible when multiple domains on the one site have been defaced. In this case, send a letter to your host notifying them of the problem, and demand that they fix it ASAP. If your host ignores your requests and the problem occurs repeatedly, take your business elsewhere.
     
    ds316, Jul 27, 2007 IP
    toby likes this.
  8. syedwasi87
    #8
    I am not sure if you can see IP logs from WHM, but it should be possible.

    Also, I recommend that you delete the account first; it can of course be recreated later.
     
    syedwasi87, Jul 27, 2007 IP
    toby likes this.
  9. toby
    #9
    Thanks everyone for the input, greatly appreciated. Regarding the log, which log can I look at?

    Usually I only see AWStats. :s
     
    toby, Jul 28, 2007 IP
  10. l0gic
    #10
    Ideally, you want to review Apache's access_log and error_log files spanning the time during which the defacement took place. Check with your hosting provider if you're not sure how to access these files. Often they will be available over FTP.

    While the logs only provide a summary of the requests made to the server, information gleaned can generally identify the script or application responsible for the compromise. Look for strange traffic; something that wouldn't have been generated from the site itself.
     
    l0gic, Aug 12, 2007 IP
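As an added example (not code from any poster in this thread), the review l0gic describes and the "many requests per second" check ds316 mentions, applied to a few constructed Apache combined-format access_log lines. The incident window, the IP addresses and the detection rules are assumptions for illustration; a rule hit is a lead to the abused script, not proof.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" log format, the default layout of access_log.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request shapes the site itself would never generate. A hit is a lead pointing at
# the script that was abused, not proof on its own.
RULES = [
    ("path traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
    ("remote URL passed as a parameter", re.compile(r"[?&][^=&]+=(https?|ftp)(://|%3a%2f%2f)", re.I)),
    ("POST to admin/install/upload script", re.compile(r"^POST .*/(admin|install|upload)\b", re.I)),
]

def parse(line):
    """One combined-format line -> dict with an aware datetime, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def review(lines, start, end):
    """Suspicious requests in [start, end] grouped by client IP, plus the busiest single second."""
    flagged, per_second = {}, Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or not start <= rec["ts"] <= end:
            continue                      # unparseable, or outside the incident window
        per_second[rec["ts"]] += 1        # a flood (the DDoS case) shows up as a huge count here
        request = f'{rec["method"]} {rec["path"]}'
        hits = [name for name, rx in RULES if rx.search(request)]
        if hits:
            flagged.setdefault(rec["ip"], []).append((request, int(rec["status"]), hits))
    peak = per_second.most_common(1)[0][1] if per_second else 0
    return {"flagged": flagged, "peak_requests_per_second": peak}

# Constructed sample access_log (not real traffic). The defacement is assumed to have
# happened between 14:00 and 15:00 UTC on 27 Jul 2007; the 16:30 probe lies outside it.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2007:14:05:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Jul/2007:14:05:09 +0000] "GET /gallery/show.php?page=http://198.51.100.9/x.txt HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
203.0.113.7 - - [27/Jul/2007:14:05:12 +0000] "POST /gallery/admin/upload.php HTTP/1.1" 200 210 "-" "libwww-perl/5.805"
198.51.100.23 - - [27/Jul/2007:14:06:40 +0000] "GET /images/logo.gif HTTP/1.1" 200 3040 "http://www.example.com/" "Mozilla/5.0"
198.51.100.23 - - [27/Jul/2007:16:30:00 +0000] "GET /gallery/show.php?page=../../config.php HTTP/1.1" 200 290 "-" "curl/7.16"
""".splitlines()
WINDOW = (datetime(2007, 7, 27, 14, tzinfo=timezone.utc), datetime(2007, 7, 27, 15, tzinfo=timezone.utc))
```

Widening the window is how you catch the earlier probing that usually precedes the defacement; on a real server, feed it the lines of the rotated access_log for the day rather than the sample.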
  11. Roido
    #11
    If a script on your hacked site was exploited and they gained access to the admin panel, then as long as the admin panel password is not the same as an actual Unix user's, it's unlikely that they can gain access to other sites. What was the defacement? Was it done through a dynamic site admin, or was an HTML file manually changed through FTP, for example? If it was done through a dynamic site admin panel, i.e. changing a page on Joomla, then you should be safe to update the script, change the password, etc.

    If the Unix user has been compromised and these users are not jailed to their own directories, then it's possible that the hacked user can read other users'/sites' directories and download any PHP source, including config.php files etc., which will reveal other sites' DB passwords etc.

    Also, if your Unix user accounts have shell login enabled, then it's possible they can now use local root exploits, now that they 'have their foot in the door', which can lead to them completely owning your server.

    My advice: only allow shell access when completely necessary, and jail each user to their own directory. This will minimise the risk of a server-wide compromise.

    Also run a rootkit checker.

    This all assumes you have root shell access to your server.
     
    Roido, Aug 12, 2007 IP
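As an added example (not Roido's or the forum's code), the two checks behind the advice above on a cPanel-style layout: which site accounts in /etc/passwd still have an interactive shell, and which config.php files under the home directories another local user could read. It assumes homes live under one root such as /home, treats a home directory that other users cannot enter as the simplest form of jailing, and builds a constructed tree in a temp dir so it runs anywhere.

```python
import os, stat, tempfile

# Shells that refuse interactive login; any other shell counts as shell access.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def users_with_shell_access(passwd_text, min_uid=500):
    """Site accounts (uid >= min_uid) in /etc/passwd text whose login shell is interactive."""
    found = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and int(f[2]) >= min_uid and f[6] not in NOLOGIN_SHELLS:
            found.append((f[0], f[5], f[6]))   # (user, home, shell): a foothold for local exploits
    return found

def _open_to_others(root, path):
    """True if 'other' users can read path: world-readable file, world-searchable dirs down to it."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    d = os.path.dirname(path)
    while not os.path.samefile(d, root):      # root itself (/home) is expected to be 0755
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        d = os.path.dirname(d)
    return True

def exposed_configs(root, names=("config.php", "configuration.php", "wp-config.php")):
    """Config files under the home-directory root that another local user could read."""
    return sorted(os.path.join(dp, fn) for dp, _, fns in os.walk(root)
                  for fn in fns if fn in names and _open_to_others(root, os.path.join(dp, fn)))

# Constructed /etc/passwd excerpt: one site account with bash, one locked to nologin.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
site1:x:501:501::/home/site1:/bin/bash
site2:x:502:502::/home/site2:/sbin/nologin
"""

def build_sample_home():
    """Constructed tree: site1 jailed (home 0700), site2 open (home 0755) with a readable config.php."""
    root = tempfile.mkdtemp()
    for user, mode in (("site1", 0o700), ("site2", 0o755)):
        web = os.path.join(root, user, "public_html")
        os.makedirs(web)
        cfg = os.path.join(web, "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_pass = 'constructed'; ?>\n")
        for p, m in ((web, 0o755), (cfg, 0o644), (os.path.join(root, user), mode)):
            os.chmod(p, m)                    # explicit modes so the umask does not matter
    return root
```

On a real box, call `users_with_shell_access(open("/etc/passwd").read())` and `exposed_configs("/home")`; anything the second one lists is exactly what Roido warns a compromised neighbour account could download.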