My site got "cracked"/defaced. How do I find the root cause/method? - codyguy

Discovered that my site creeso.com got "hacked".
How do I root cause it? What's the right course of action to prevent such attacks in the future? Does anybody know of their MO?
I'm currently scanning for keyloggers on my mac.
======
bradleyland
Most of the time these attacks are automated, so there is no specific MO.
Common points of entry are:

* Unpatched or out of date software services running on your server

* Unpatched or insecure web applications

* Weak ssh passwords

Finding the point of entry can be difficult. It's basically an exercise in
log-diving. The location of these logs may vary based on your distribution,
but look for information on:

* SSH auth and security logs

* General syslog

* Web server access and error logs

* Application logs

Depending upon the level of access gained and the sophistication of the
attacker's script, it may clean up after itself, which means you may not find
anything.

Security is layered, so there are no "5 easy steps to securing your servers"
solutions. In general, you should:

* Keep your distribution's software packages up to date

* Keep any custom-built and off-the-shelf applications up to date with new releases

* Use passwordless SSH key authentication with passphrases

* If you must allow password authentication, use a service like fail2ban to block bruteforce attacks

* Use a firewall like ufw to "default deny" access to services except those you explicitly want to provide access to

Good luck.
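The hardening list above (key-only SSH, no password logins, default-deny firewall) is easy to state and easy to get wrong in the actual config file. As an added example, not code from anyone in this thread, here is a small Python audit of an sshd_config that reports the weak settings bradleyland warns about, run over a constructed "before" config and a constructed hardened one. The parser follows the sshd rule that the first occurrence of a keyword wins; the defaults noted in the comments (PasswordAuthentication defaults to yes, PermitRootLogin to prohibit-password in OpenSSH 7.0 and later) are the only assumptions beyond what the comment states.

```python
# Audit sshd_config for the weak settings called out above. The two configs
# are constructed samples, not anyone's real server configuration.

WEAK_SSHD_CONFIG = """\
# constructed sample: password logins and root login still allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample: key-only authentication, no root login
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of sshd_config.

    sshd uses the FIRST occurrence of a keyword, so later duplicates are ignored.
    Parsing stops at the first 'Match' block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(settings):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    # Assumption (OpenSSH default): PasswordAuthentication is 'yes' when unset.
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(
            "PasswordAuthentication is enabled: use key authentication and set "
            "'PasswordAuthentication no' (or at least run fail2ban)")
    # Only an explicit 'yes' is flagged; the modern default is prohibit-password.
    if settings.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(
            "PermitRootLogin yes: set it to 'no' and use sudo from a normal account")
    if settings.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append(
            "PubkeyAuthentication is disabled: re-enable it before turning "
            "passwords off or you will lock yourself out")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a config given as text."""
    return audit_sshd(parse_sshd_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{name}]")
        for f in audit_text(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_text`; check the findings list is empty before you restart sshd, and keep an existing session open while you do, since the PubkeyAuthentication check exists precisely because turning passwords off first is the classic lock-out.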

~~~
codyguy
Thanks for the guidelines.

------
cleverjake
As for the MO - the lulz, would be my guess. Googling it
([http://www.google.com/search?gcx=w&ix=c2&sourceid=ch...](http://www.google.com/search?gcx=w&ix=c2&sourceid=chrome&ie=UTF-8&q=%22---%3D%3D%5B%7CHacked+By+Toxic+H4ck3R%7C%5D%3D%3D---%22))
shows that whoever is doing it is widely indiscriminatory with who they are
hacking. As for how they did it, it really depends on the infrastructure in
place already. If you are using any cms (wordpress, drupal) it was likely
through that, as there are a number of weaknesses published regularly that are
used against it. The first thing to do is check the current index to see who wrote
to it last, and at what time. If it is the web user (i.e. apache, nginx, etc.)
then it was almost certainly a hack from a browser; if it was root, the server
has been compromised. Once you have the file's update time, you should look
over your access logs to see if anything suspicious lines up with that
time. As for the cleanup, assuming you are using a Linux-based server and it
was compromised, install rkhunter and run it right away. This should catch
anything that they would have used (it seems like a scriptkiddy); change any
access port, update your ssh password and change the port, and preferably
change over to a key-based login system (<http://pkeck.myweb.uga.edu/ssh/>). I
would also look into fail2ban (fail2ban.org) if they did bruteforce, as it
would have stopped them. As a cherry on top, you can set up a basic mail script
to send yourself a text/email whenever anyone logs into root/any important
account.

If you want any help, I used to do this sort of cleanup as a job, and I have a
free afternoon. DM me.
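Both bradleyland's "log-diving" and cleverjake's advice (take the defaced file's owner and modification time, then look for access-log lines that line up with it) come down to one small correlation step. As an added example, not code from anyone in this thread, the Python below reads the owner and mtime of a file, pulls every combined-format access log line within a window around that time, and separates out the write-capable requests (POST/PUT) that a web-user defacement normally arrives through. The log lines, IP addresses, paths and timestamp are constructed sample data, and the 10-minute window is an assumption; widen it if the file's mtime is not trustworthy.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log (Apache/nginx "combined" format). The
# addresses are documentation ranges and the paths are invented.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Oct/2011:03:14:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2011:03:21:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.0"
198.51.100.9 - - [12/Oct/2011:03:21:55 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.0"
203.0.113.7 - - [12/Oct/2011:04:00:01 +0000] "GET /index.html HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Constructed: the mtime you would read off the defaced index file.
DEFACED_MTIME = datetime(2011, 10, 12, 3, 22, 10, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def file_change_time(path):
    """Return (owner_name, mtime as aware UTC datetime) for a file on disk.

    This is the 'who wrote it last, and when' check; run it on the defaced
    index. pwd is imported lazily because it only exists on Unix.
    """
    import pwd
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    return owner, datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def lines_near(log_text, when, window_seconds=600):
    """All parsed requests within +/- window_seconds of the given time."""
    lo, hi = when - timedelta(seconds=window_seconds), when + timedelta(seconds=window_seconds)
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and lo <= rec["ts"] <= hi:
            out.append(rec)
    return out


def write_requests(records):
    """Requests that could have modified server-side state (POST/PUT/etc.)."""
    return [r for r in records if r["method"].upper() in ("POST", "PUT", "PATCH", "DELETE")]


def correlate(log_text, when, window_seconds=600):
    """Return (all nearby requests, the write-capable subset, source IPs of writes)."""
    near = lines_near(log_text, when, window_seconds)
    writes = write_requests(near)
    return near, writes, sorted({r["ip"] for r in writes})


if __name__ == "__main__":
    near, writes, ips = correlate(SAMPLE_ACCESS_LOG, DEFACED_MTIME)
    print(f"{len(near)} requests within the window, {len(writes)} write-capable, from {ips}")
    for r in writes:
        print(f"  {r['ts'].isoformat()} {r['ip']} {r['method']} {r['path']} -> {r['status']}")
```

In practice call `file_change_time("/path/to/index.html")` first: if the owner is the web user, feed that mtime and the real access log into `correlate`; if the owner is root, the access log is unlikely to show the entry point and the SSH auth log is the next place to look. A successful POST to a PHP file under an uploads directory shortly before the mtime is the kind of line to hand to the host, together with the source IP.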

~~~
Abaddon
@cleverjake, M.O. = modus operandi = 'way of working', i.e. _how_ they did it.
You answered _why_ , I think. Then I read on to 'indiscriminatory' and gave up
on the whole thing. ;)

~~~
cleverjake
haha, morning mind and fat fingers.

------
saintfiends
I checked the zone-h database.

<http://www.zone-h.org/archive/notifier=T0xic>

It appears it's the usual mass defacement, so they are probably exploiting a
well-known vulnerability.

You are not the only one, I checked for other domains hosted with
webfaction.com (which seems to be a re-seller hosting service using linode, I
could be wrong):

eyetraveldoc.com*

themediashow.net*

These were also defaced (these are using the same IP as yours), so there is a
high chance that your hosting service is running a vulnerable kernel, service
or the node you're on is. So notifying them and continuing from there would be
a good start.

*They have been restored, but a mirror is on zone-h

~~~
HNatWORK
Thanks, I didn't know about this website.

<http://www.zone-h.org/archive/ip=174.121.79.144>

They have a list showing 26 hosts on that IP that were defaced. Randomly
checked four of them (which are fixed now), all WordPress. But then #5 looked
like a static HTML site (<http://outrightoriginal.com/>), so I'm going to go
with server compromise, not CMS compromise.

~~~
codyguy
Thanks for looking this up, I'll let the hosting provider know.

------
iterationx
You could perform penetration testing with Metasploit going forward.

~~~
codyguy
Looks good. Downloading it now.