My site got "cracked"/defaced. how do I find the root cause/method?
Discovered that my site creeso.com got "hacked".
How do I root cause it? What's the right course of action to prevent such attacks in the future? Does anybody know of their MO?
I'm currently scanning for keyloggers on my mac.
14 comments
[ 5.1 ms ] story [ 48.5 ms ] threadIf you want any help, I used to do this sort of cleanup as a job, and I have a free afternoon. DM me.
* Unpatched or out of date software services running on your server
* Unpatched or insecure web applications
* Weak ssh passwords
Finding the point of entry can be difficult. It's basically an exercise in log-diving. The location of these logs may vary based on your distribution, but look for information on:
* SSH auth and security logs
* General syslog
* Web server access and error logs
* Application logs
Depending upon the level of access gained and the sophistication of the attacker's script, it may clean up after itself, which means you may not find anything.
Security is layered, so there are no "5 easy steps to securing your servers" solutions. In general, you should:
* Keep your distribution's software packages up to date
* Keep any custom-built and off-the-shelf applications up to date with new releases
* Use passwordless SSH key authentication with passphrases
* If you must allow password authentication, use a service like fail2ban to block bruteforce attacks
* Use a firewall like ufw to "default deny" access to services except those you explicitly want to provide access to
Good luck.
http://www.zone-h.org/archive/notifier=T0xic
It appears it's the usual mass defacement, so they are probably exploiting a well-known vulnerability.
You are not the only one, I checked for other domains hosted with webfaction.com (Which seems to be a re-seller hosting service using linode, I could be wrong):
eyetraveldoc.com*
themediashow.net*
These were also defaced (these are using the same IP as yours), so there is a high chance that your hosting service is running a vulnerable kernel, service or the node you're on is. So notifying them and continuing from there would be a good start.
http://www.zone-h.org/archive/ip=174.121.79.144
They have a list showing 26 hosts on that IP that were defaced. Randomly checked four of them (which are fixed now), all WordPress. But then #5 looked like a static HTML site (http://outrightoriginal.com/), so I'm going to go with server compromise, not CMS compromise.