Security Basics mailing list archives

Re: hi, need help


From: mojorising <moj0rising () aim com>
Date: Fri, 14 Nov 2008 17:06:54 -0800

Hi, Dhiraj,

I've seen a few similar attacks on Joomla driven sites. Is that what
you're running?

If you are running Joomla (I'm betting so since I've seen this quite a
bit) and you don't have backups, it's quite often the case with the
attacks I'm thinking of that they simply replaced your index.php file.
So what you should do next is get on your server (whichever method you
normally use is fine -- FTP, ssh, host's file manager, etc), navigate
to the directory that belongs to the site that's been defaced, and see
what files are there. If it looks like all your files are present,
you're in luck -- just move (if you want to preserve that particular
evidence of the attack) or delete (probably safest) the index.php file
that has all this "Turkish hacker" business on it (**be very sure you
are moving/ deleting the right things -- check twice**). With that
file gone, just unpack another copy of Joomla and copy the index.php
file from that package to your web server. Your site might actually be
back to normal after that. If so, awesome -- you are very lucky and
your site is back online -- don't waste any time and upgrade your copy
of Joomla to the latest stable version (they have lots of excellent
documentation for this). Also, come up with a reliable backup plan for
your site (if you don't have one already) and put it into action.

Hopefully this helps you, Dhiraj. Please let us know how it goes and
if I'm guessing wrong on what your site is running, maybe you could
provide some more information to the list so we could take a crack
(heh, get it?) at helping you.


Mike


2008/11/14 Tim Clewlow <tim () clewlow org>:

We still don't know what kind of website this is. Is it a CMS, i.e.
Joomla or Plone or something else? Are there any known
vulnerabilities for this? If there are, then it should be patched
(upgraded to the fixed version) immediately and then restored from
backups. Also, do you have a forum on your site? There have been
vulnerabilities found in many of those. What other add-ons are there
in your website? Do any of those have known vulnerabilities? Have
you made any custom additions involving CGI to your site? Are you
certain this is secure?

Next you need to find out what, if any, other damage was done. Did
the attacker compromise the web server (probably Apache), or, look
further down to see if the operating system has been compromised.
This will involve running your file integrity checking system to
make sure nothing has been altered in the system.

If you don't have a file integrity checking system, then make sure
your backups are good, nuke the affected system and reinstall
everything, including a file integrity checking system, e.g. Tripwire.
Set the integrity checker up to a known good state, then plug in the
network cable and resurrect the site. And make sure you do regular
backups.

Congratulations, you are now in a much better position to work out
what to do if anything like this ever happens again.

Cheers, Tim.

PS - it never hurts to read lots and lots about system security, you
will learn a ton of stuff about the system in general as well.

Guys,
Hold on ... Seems like from Dhiraj's chat he doesn't know much about
security. Everyone is suggesting vuln. assessment, log file analysis
and other techniques which might be new for this guy. Since this guy
doesn't know much about these things, shouldn't he simply upgrade
all the software, web server etc., and carry forward to restore from
the backup? I do encourage him to read about security related stuff
but that's another go. IMHO the provider might not be able to do
anything, as this sounds like a script kiddie attack where they simply
change the index page and get a screenshot for their *achievement*.

Dhiraj, since you have asked for a method to get your original website
back, the best way would be to restore from the backups or take a look
into the directory structure of your website. Most of the time, if you
are lucky enough, the hacker simply renames the index (.html, .php,
.jsp, .asp) file to something else, uploads some related images, puts
on the new index file and moves on. I don't know what platform your
web server was or which OS you were using, but I would go for a full
OS reload after such an incident because you never know what the hacker
did. Don't forget to update your software regularly; it may save you to
some extent from these sorts of things. Also, get a paid security
professional if you want an analysis of this incident.

Regards,
Muhammad


On Thu, Nov 13, 2008 at 6:44 PM, Adam Pal <pal_adam () gmx net> wrote:
Hi Mahajan

1) take all evidence you can access yourself
2) contact the provider
3) ask the provider for saving logfiles related to the incident
4) ask the provider for a backup (if you don't have a backup
yourself) of your original page
5) ask the provider to escalate the issue to its security dept.
6) take legal steps having logs as a piece of evidence


Additionally, you can inspect the logfiles to determine how the
security breach occurred and get a way to fix it, otherwise you will
face the same issue again and again.
From this point of view, the information you give is pretty poor
because:
- you don't tell how it is hosted
- you don't tell where it is hosted
- you don't mention what type of service, version etc...
- you don't mention the URL
- you don't mention the timeline
- ...


good luck!
Adam Pal

-------- Original Message --------
Date: Thu, 13 Nov 2008 14:20:48 +0530
From: "Dhiraj Mahajan" <dhirajsmahajan () gmail com>
To: security-basics () securityfocus com
Subject: hi, need help

Some hacker has hacked my website (displaying "hacked by Turkish
hacker"). Now what should I do to retrieve my original website?
So please guide me how to get rid of that.


--
The code that never executes at all is the fastest.
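An added example, not code from any participant in this thread, illustrating the "known good state" file integrity check Tim recommends (Tripwire is the real tool; this is a minimal stand-in) and the "see what files are there" step in Mike's reply: a baseline manifest of SHA-256 hashes is taken while the site is known to be clean, and a later run reports which files were modified, added or removed. The same compare function works if the baseline is built from a freshly unpacked clean Joomla package instead of the live site. The site files, paths and the simulated defacement in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped so a planted link cannot make the check read
    something outside the web root.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, out_path):
    """Persist the baseline. Keep this copy off the web server (see usage note)."""
    with open(out_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare_manifests(baseline, current):
    """Return files whose hash changed, files that appeared, and files that vanished."""
    modified = sorted(name for name in baseline
                      if name in current and baseline[name] != current[name])
    added = sorted(name for name in current if name not in baseline)
    removed = sorted(name for name in baseline if name not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a tiny site, simulate a defacement, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "images").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (site / "configuration.php").write_text("<?php $db = 'example'; ?>\n")
        (site / "images" / "logo.png").write_bytes(b"\x89PNG constructed placeholder")

        # Baseline taken while the site is known good, stored outside the web root.
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)

        # Simulated defacement: index replaced, a new page dropped, an image removed.
        (site / "index.php").write_text("<html>defaced</html>\n")
        (site / "hacked.html").write_text("<html>defaced</html>\n")
        (site / "images" / "logo.png").unlink()

        return compare_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only proves anything if it was taken before the compromise and kept where the attacker could not rewrite it (offline, or on a separate host), which is why Tim says to set the checker up before plugging the network cable back in. A hash diff tells you which files changed, not how the attacker got in; the web server logs around the first modified timestamp are the next place to look.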


