D&C GLug - Home Page


Re: [LUG] Website hacked

 

Sucks.

Cannot help with the information supplied, but...

It worries me that you say "they are getting in" implying the server is still available?

That's bad.

First response is generally to take it offline and then attempt to triage (otherwise you're fighting something that could be changing). If the services are critical, restore from a backup. However, be suspicious of all backups as the box could have been owned weeks ago. (Ideally you'd not even use those, but in real life they're all you've got.)

Triage would be going through all the logs, checking your package versions to see if there's anything there that's known to be exploitable (including some very high profile recent ones), checking other logs/monitors on the network (including firewall/gateway if possible), checking bandwidth activity.

Second response is generally to reinstall from scratch if the box has been compromised as there's no telling what else is lying dormant. If it's a professional or even a good script, you almost certainly will get hosed again even if you found the original one unless you scrub and start over. Change passwords to everything and don't trust any of the files they had access to. As soon as your box is online it will get hammered by attempts immediately - once-hacked servers get a lot more activity as they're a known vector.

On 2 October 2014 15:45, Jay Bennie <jay@xxxxxxxxxxx> wrote:
Has anyone come back to you yet?


On 2 Oct 2014, at 15:28, Martin Gautier <martin.gautier@xxxxxxxxxxxxx> wrote:

> All
>
> Is there anyone on the list that can help with a website I run that is being hacked currently?
>
> I need to try and find out how they're getting in and what I can do about it.
>
> We have a shared folder used by the CMS for file & image management and they seem to be accessing that and copying the contents onto itself to fill up the server disk space...
>
> Cheers
>
> Martin
>
> --
> The Mailing List for the Devon & Cornwall LUG
> http://mailman.dclug.org.uk/listinfo/list
> FAQ: http://www.dcglug.org.uk/listfaq
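
One way to start the triage described in the reply for the symptom in the original message (a shared CMS folder being filled with copies of its own contents), as an added example that is not part of the thread. It groups files by content hash and orders the duplicate sets by when the first extra copy appeared, giving a time window to look up in the web server logs. The function name `duplicate_timeline` and running it against a read-only copy of the folder taken from the offline box are assumptions.

```python
import hashlib
import os
import stat
from collections import defaultdict
from datetime import datetime, timezone


def _sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def duplicate_timeline(root):
    """Group regular files under root by content; report sets with >1 copy.

    Returned list is sorted by the mtime of the first extra copy in each set.
    """
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                groups[(st.st_size, _sha256(path))].append((st.st_mtime, path))
            except OSError:
                continue  # unreadable file: skip rather than abort triage
    report = []
    for (size, digest), copies in groups.items():
        if len(copies) < 2:
            continue
        copies.sort()  # oldest first; copies[1] is the first duplicate
        report.append({
            "sha256": digest,
            "copies": len(copies),
            "wasted_bytes": size * (len(copies) - 1),
            "first_copy_utc": datetime.fromtimestamp(copies[1][0], timezone.utc),
            "paths": [p for _, p in copies],
        })
    report.sort(key=lambda r: r["first_copy_utc"])
    return report


if __name__ == "__main__":
    import sys
    for r in duplicate_timeline(sys.argv[1]):
        print(r["first_copy_utc"].isoformat(), r["copies"], r["wasted_bytes"], r["paths"][0])
```

Modification times can be preserved by the copy or altered afterwards, so treat the timestamps as a lead to confirm against the access and firewall logs rather than as proof.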

