
Possible Duplicate:
My server's been hacked EMERGENCY

After some sort of hacking, the main URL of my website now redirects to a fake antivirus page. How can I remove this thing?

  • It is recommended that you contact your hosting provider and explain the situation. They should be able to help you. –  Apr 22 '11 at 17:51
  • Sooo cool! Looks real! But I have Linux ;) –  Apr 22 '11 at 17:51

1 Answer


Your server has been compromised/defaced so I give you the same advice I gave on a similar question:

Normally, it's very difficult to re-create all the attacker's steps, and the best solution is to reinstall the compromised servers and restore everything from the backups. On the other hand, you need to perform some forensics in order to figure out what has possibly happened and prevent it from happening again.

Here's a list of things worth checking:

  • see if there are known vulnerabilities in your webserver and your ftp server versions
  • take a look at every logfile you can, especially the webserver, the ftp server and the system ones. In the webserver logfiles, check for POSTs
  • are there any services running that you don't need? Are they accessible from the Internet? Shut them now, check their logs and check for possible known vulnerabilities.
  • run rootkit checkers. They're not infallible but can lead you in the right direction. chkrootkit and especially rkhunter are the tools for the job
  • run nmap from outside of your server and check if there is something listening on any port that shouldn't be.
  • if you have an rrdtool trending application (like Cacti, Munin or Ganglia), take a look at the graphs and search for a possible time frame of the attack.

Also, always keep this in mind:

  • shut down all the services you don't need
  • backup everything you need to rebuild your server and test backups on a regular basis
  • follow the least privilege principle
  • have your services updated, especially regarding security updates
  • don't use default credentials

Hope this helps!

Marco Ramos
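An added illustration of the "check the webserver logfiles for POSTs" step from the answer above (this is not part of the original answer): a Python script that groups POST requests by path and reports clients, status codes and first/last timestamps, which also helps narrow down the time frame. It assumes the Apache/nginx "combined" log format; the function name and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; adjust if your LogFormat differs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def summarize_posts(lines):
    """Group POST requests by path: hit count, client IPs, statuses, first/last seen."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "statuses": set(),
                                   "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string when grouping
        entry = summary[path]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"].add(int(m["status"]))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(summary)

# Constructed sample lines (documentation IP ranges, made-up paths), not real logs.
SAMPLE = [
    '198.51.100.7 - - [21/Apr/2011:03:12:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Apr/2011:03:14:02 +0000] "POST /uploads/img.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.9 - - [21/Apr/2011:03:14:40 +0000] "POST /uploads/img.php?x=1 HTTP/1.1" 200 298 "-" "-"',
    '198.51.100.7 - - [21/Apr/2011:09:30:10 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # Print paths in order of first POST seen, oldest first.
    for path, e in sorted(summarize_posts(SAMPLE).items(), key=lambda kv: kv[1]["first"]):
        print(f'{e["first"].isoformat()}  {path}  hits={e["count"]} '
              f'ips={sorted(e["ips"])} statuses={sorted(e["statuses"])}')
```

To run it on a real log, pass the opened file object to `summarize_posts` in place of `SAMPLE`, and work on a copy of the log taken off the compromised host.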