

Server hacked and mass defaced




Posted by JohnSmith1, 04-09-2010, 10:20 PM
My server was compromised by a hacker with the handle "TriCk aka Saywhat?". My customers' index/home pages were replaced with:

"TeaMp0isoN Have arrived, sit back, get some popcorn and enjoy the show . . . . . HaCkED By TriCk aka Saywhat? - TeaMp0isoN - p0ison.org Live in yor World, Get Owned in Ours. . . . Chillax nothing was deleted, just your index was defaced. Message to Admin/web-master: To have a good site, you must have good security and you clearly dont. Learn to secure a site before you open one. TeaMp0isoN Was in your box, deal with it br0 . . . . We Are (TeaMp0isoN): TriCk aka Saywhat? - Luit - eXhAiL - Hex00010 - p0ison.org gr33tz t0: d0ped - r00t34d - 0x90 - BxR - [RoCkBomB] - all the members of p0ison.org. "s0rry AdMiN y0ur SeCuRiTy = Null (0)" - Visit us at p0ison.org! HaCkED By: TriCk aka Saywhat? // badnews_saywhat@hotmail.com"

My server is back online now and everything is restored, but I don't know how the hacker managed to hack the server and mass deface all my clients. Is there a way to find out how he got in? And should I report this? If so, who should I report it to?

Posted by UNIXy, 04-09-2010, 10:27 PM
There are several ways an attacker can get into a server. The attack vector is unclear based on the information you provided. But generally, it's good to check the web server's error log and, mainly, ALL service logs. Check out how many other domains got compromised by these kiddies today; I'm sure more are to be published on that page shortly: http://www.zone-h.org/archive/notifier=TeaMp0isoN I guess the good news is that this is not a targeted attack but an automated one. Generally, this means you can easily plug the holes. Be sure to secure your server well, or hire someone that will do it well. Regards, Joe / UNIXY

Posted by JohnSmith1, 04-09-2010, 10:30 PM
There are no logs; I think they deleted them.

Posted by UNIXy, 04-10-2010, 12:36 AM
It wouldn't be surprising. They usually upload a script that cleans up and deletes the logs. There are usually remnants of the attack somewhere on the server; you just have to look. But don't waste too much of your time on it. Here's what your priority should be to avoid this going forward:
1) Reload the OS
2) Secure the box like it's World War III (firewall, service security, etc.)
3) Update all 3rd-party software hosted on the server (Joomla, PHP-Nuke, forums, etc.)
Regards, Joe / UNIXY

Posted by ZenMonk, 04-10-2010, 01:47 AM
Which OS are you running, and which kernel version? Also run chkrootkit on your server. Did you find any suspicious files in your /tmp dir?
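A quick triage script for the points raised in the replies above (the service logs UNIXy mentions, the /tmp files ZenMonk asks about, and the mass-replaced index pages from the first post). This is an added example, not something posted in the thread; the MARKER string is taken from the quoted defacement text, and the sample tree it builds is constructed so it runs offline.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Checks the three things the
# replies above point at: index pages carrying the defacement marker,
# web/service logs that are missing or empty (wiped by the intruder),
# and odd files in a tmp directory. Paths are passed in, so it can be
# pointed at a real webroot or at the constructed sample below.

MARKER='TeaMp0isoN'   # string quoted from the defacement text in the thread

# Print every index.* file under $1 whose content contains $MARKER.
find_defaced() {
    find "$1" -type f -name 'index.*' -exec grep -lF "$MARKER" {} + 2>/dev/null | sort
}

# For each log path given, report MISSING or EMPTY; both are findings here.
check_logs() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then echo "MISSING $f"
        elif [ ! -s "$f" ]; then echo "EMPTY $f"
        fi
    done
}

# Executable or world-writable files under the tmp directory $1.
suspicious_tmp() {
    find "$1" -type f \( -perm -100 -o -perm -002 \) 2>/dev/null | sort
}

# Build a constructed sample tree (two customer sites, one defaced, an
# empty error_log, a hidden executable in tmp) and print its root.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/www/alice" "$base/www/bob" "$base/tmp" "$base/log"
    printf '<h1>%s Have arrived</h1>\n' "$MARKER" > "$base/www/alice/index.html"
    printf '<h1>Welcome</h1>\n' > "$base/www/bob/index.php"
    : > "$base/log/error_log"
    printf '#!/bin/sh\n' > "$base/tmp/.x"; chmod 755 "$base/tmp/.x"
    echo "$base"
}

# Run with "demo" as the first argument to walk the constructed sample.
if [ "${1-}" = demo ]; then
    root=$(make_sample)
    echo "== defaced =="; find_defaced "$root/www"
    echo "== logs ==";    check_logs "$root/log/error_log" "$root/log/access_log"
    echo "== tmp ==";     suspicious_tmp "$root/tmp"
    rm -rf "$root"
fi
```

On a real box, point find_defaced at the directory holding the customer webroots and check_logs at the web server's error and access logs; an empty or missing log is itself worth recording in the incident notes.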

Posted by Matt R, 04-10-2010, 02:24 AM
In addition, did you have the basics in place, such as open_basedir, SSH on a different port, and a firewall such as CSF/LFD or APF/BFD installed? There are a lot of ways to get into a server, but the most common that I've seen are weak root passwords, the SSH port being left on 22, and no method of keeping users within their home directories.

Posted by prashant1979, 04-10-2010, 05:19 AM
Use some WAF like dotDefender which can prevent website defacements.


