Security Basics mailing list archives

Re: hi, need help


From: "Muhammad Naseer" <naseer () digitallinx com>
Date: Fri, 14 Nov 2008 02:13:04 +0300

Guys,
Hold on ... It seems from Dhiraj's chat that he doesn't know much about
security. Everyone is suggesting vuln. assessment, log file analysis
and other techniques which might be new for this guy. Since this guy
doesn't know much about these things, shouldn't he simply upgrade
all the software, web server, etc. and carry forward to restore from
the backup? I do encourage him to read about security related stuff
but that's another go. IMHO the provider might not be able to do anything
as this sounds like a script kiddie attack where they simply change the
index page and get a screenshot for their *achievement*.

Dhiraj, since you have asked for a method to get your original website
back, the best way would be to restore from the backups or take a look
into the directory structure of your website. Most of the time, if you
are lucky enough, the hacker simply renames the index (.html, php,
jsp, asp) file to something else, uploads some related images, puts
up the new index file and moves on. I don't know what platform your
web server was or which OS you were using, but I would go for a full
OS reload after such an incident because you never know what the hacker
did. Don't forget to update your software regularly. It may save you to
some extent from these sorts of things. Also, get a paid security
professional if you want an analysis of this incident.

Regards,
Muhammad


On Thu, Nov 13, 2008 at 6:44 PM, Adam Pal <pal_adam () gmx net> wrote:
Hi Mahajan

1) take all evidence you can access yourself
2) contact the provider
3) ask the provider for saving logfiles related to the incident
4) ask the provider for a backup (if you don't have a backup yourself) of your original page
5) ask the provider to escalate the issue to its security dept.
6) take legal steps having logs as piece of evidence


Additionally, you can inspect the logfiles to determine how the security breach occurred and get a way to fix it, otherwise you will face the same issue again and again.
From this point of view, the information you give is pretty poor because:
- you don't tell how it is hosted
- you don't tell where it is hosted
- you don't mention what type of service, version etc...
- you don't mention the URL
- you don't mention the timeline
- ...


good luck!
Adam Pal

-------- Original Message --------
Date: Thu, 13 Nov 2008 14:20:48 +0530
From: "Dhiraj Mahajan" <dhirajsmahajan () gmail com>
To: security-basics () securityfocus com
Subject: hi, need help

Some hacker has hacked my website (displaying "hacked by turkish
hacker"). Now what should I do to retrieve my
original website? So please guide me how to get rid of that.

--


Thanks & Regards,


Dhiraj S Mahajan,
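
Added example, not part of the original thread: a sketch of the directory check Muhammad describes, listing files that look like a renamed original index page and files modified around the same time as the index page now being served. The function name `triage_webroot`, the "index" name pattern and the one-hour window are assumptions chosen for illustration.

```python
import os
import sys
from pathlib import Path

INDEX_EXTS = {".html", ".htm", ".php", ".jsp", ".asp"}


def is_index(path):
    """True for a file named exactly index.<ext> with a web page extension."""
    return path.stem.lower() == "index" and path.suffix.lower() in INDEX_EXTS


def triage_webroot(webroot, window_seconds=3600):
    """Return (live, renamed, nearby) lists of paths under webroot.

    live:    index.<ext> files served from the top directory right now.
    renamed: files whose name contains "index" but is not index.<ext>,
             e.g. index_old.html or index.php.bak (possible original page).
    nearby:  other files modified within window_seconds of the newest live
             index file (e.g. images uploaded with the replacement page).
    Timestamps can be altered by whoever had write access, so the result is
    a list of leads to compare against a backup, not proof of a clean site.
    """
    root = Path(webroot)
    live = sorted(p for p in root.iterdir() if p.is_file() and is_index(p))
    if not live:
        return [], [], []
    pivot = max(p.stat().st_mtime for p in live)

    renamed, nearby = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p in live:
                continue
            if "index" in name.lower() and not is_index(p):
                renamed.append(p)
            elif abs(p.stat().st_mtime - pivot) <= window_seconds:
                nearby.append(p)
    return live, sorted(renamed), sorted(nearby)


if __name__ == "__main__" and len(sys.argv) > 1:
    live, renamed, nearby = triage_webroot(sys.argv[1])
    for label, paths in (("live index", live), ("renamed?", renamed),
                         ("touched nearby", nearby)):
        for p in paths:
            print(f"{label:15} {p}")
```

Run it against a copy of the web root rather than the live server, so the evidence Adam's first step asks for is left untouched.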
