
I have noticed that a new folder was added to the website and it was used for phishing from our site. I think it was added a few days ago. The added page is showing "Reported Web Forgery!". I had a hard time removing that folder because of permissions.

Now, what should I do? How can I check how it was hacked?

Thanks

2 Answers


You should not try to fix it and should start again from scratch as that is the only way to be sure there is nothing else hidden away which you are not aware of - there is an amazing post already here on SF at How do I deal with a compromised server? which gives some brilliant advice.

bhttoan
    This is a fantastic link (and I upvoted), but starting from scratch as a first resort sacrifices learning how they got in. Worst case, exactly the same problem happens again. – Samizdis Mar 27 '13 at 14:59
  • @Gyppo, _if_ you have the resources, by all means store the disks away for later analysis. But consider that in a [Honeynet challenge](http://old.honeynet.org/challenge/index.html) it took groups of experts an average of 34 hours to analyze the traces left by an intruder in a half hour, and of the 14 teams turning in their analysis each discovered things the others didn't. – vonbrand Mar 27 '13 at 16:20
  • OK, my take on the Nuke from Orbit issue: The only alternative is what you could probably aptly call Orbit from Nuke. Get an exact (rsync -vac or dd) copy of the compromised server's filesystem made *while a trusted rescue system is booted*. Diff with a known good similar system or backup, maybe installing known good same versions of software into the comparison system to compare, and analyse differences until every difference is accounted for. Do not take anything online again until the reasons for the compromise are found and eliminated. – rackandboneman Mar 27 '13 at 16:23
  • In case a system that has been compromised really needs to go on again as it is after cleanup: Do not "cleanly" uninstall the exploit/rootkit, but sabotage it as well as you can (e.g. make sure things it relies on no longer work as expected, set immutable attributes on files you know it will have to change and lcap away the key, firewall/blackhole the SMTP traffic in any underhanded way you can think of ...) ... – rackandboneman Mar 27 '13 at 16:29
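The "copy the disk from a rescue boot, then diff against a known-good tree" approach from the comments above, as an added example that is not part of the original answer or comments. It hashes every regular file in two trees and reports what was added, removed or changed. The mount points, the constructed sample trees and the /secure-login/ folder name are assumptions; the image itself would come from the rescue system (for example `dd if=/dev/sda of=/mnt/usb/web1.img bs=4M conv=noerror,sync`, or `rsync -aHAX /mnt/suspect/ /mnt/usb/suspect/`), never from the running, compromised OS.

```shell
#!/bin/sh
# Added example (not from the thread): compare a copy of the compromised
# filesystem (e.g. mounted read-only at /mnt/suspect from a rescue boot) with
# a clean reference tree (a restored backup, or a fresh install of the same
# package versions). The demo at the bottom builds two constructed trees so
# the script runs offline.
set -eu

# Hash every regular file under $1, printing "hash  ./relative/path" lines,
# so two trees can be compared regardless of where they are mounted.
# Caveat: this catches added, removed and modified files, not changes to
# ownership, permissions or timestamps (add GNU find -printf output for those).
build_manifest() {
    ( cd "$1" && LC_ALL=C find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare two manifests ($1 = known good, $2 = suspect) and print one line per
# difference: ADDED, REMOVED or CHANGED followed by the relative path.
compare_manifests() {
    awk '
        { p = $0; sub(/^[^ ]+ [ *]/, "", p) }      # path = line minus the hash
        NR == FNR { good[p] = $1; next }           # first file: known-good tree
        !(p in good) { print "ADDED " p; next }    # second file: suspect tree
        good[p] != $1 { print "CHANGED " p }
        { delete good[p] }
        END { for (p in good) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed demo: the question's scenario in miniature. In real use replace
# the two directories with the rescue-boot copy and the clean reference.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/good/var/www/html" "$work/suspect/var/www/html/secure-login"
    # known-good tree
    printf 'clean index\n'   > "$work/good/var/www/html/index.php"
    printf 'contact form\n'  > "$work/good/var/www/html/contact.php"
    printf 'Deny from all\n' > "$work/good/var/www/html/.htaccess"
    # suspect tree: one file untouched, one modified, one deleted,
    # and a dropped folder holding a phishing page
    printf 'clean index\n'                                    > "$work/suspect/var/www/html/index.php"
    printf 'contact form\n/* constructed: injected line */\n' > "$work/suspect/var/www/html/contact.php"
    printf 'constructed phishing page\n'                      > "$work/suspect/var/www/html/secure-login/index.html"

    build_manifest "$work/good"    > "$work/good.sha256"
    build_manifest "$work/suspect" > "$work/suspect.sha256"
    compare_manifests "$work/good.sha256" "$work/suspect.sha256"
    rm -rf "$work"
}

demo
```

Every line the comparison prints has to be explained before the box goes back online: a CHANGED binary under /usr/bin or /lib is a rootkit until proven otherwise, and a file that is REMOVED from a log directory is evidence being destroyed. Keep the manifests and the disk image; they are what lets you answer "how did they get in" later.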

The first thing you should do is to change passwords, and check for newly created accounts. Technically you should treat the whole system as compromised until you do a full wipe and re-install. Even backing up is risky after a break-in, as you could backup tainted files, but that's a trade-off, as always.

Are you hosting the site yourself? If not, your best approach would be to notify your hosting provider. Hopefully they have logs of activity, or can access yours. They're also in the best place to surmount your permissions issues.

If you are, your logs are usually somewhere like /var/log/. Depending on what you were running on the server, different services were likely compromised; /var/log/auth.log is a good place to start.

You mention deleting folders. Deleting information isn't the best way to find out what happened, as there could be clues in the files left behind. You should certainly move them, as your server could be being used for nefarious purposes at the moment.

Samizdis
  • Yes, you are right, the server was used for phishing purposes, that's why I removed the files which were uploaded by the hacker. My server is a VPS and there are many websites. Should I remove the cpanel of the hacked website and recreate everything again? Or can changing the FTP and cpanel passwords work? – shawn swanson Mar 27 '13 at 15:03
  • Changing your passwords is good, but not enough. You should really start again, from a backup made before the hack. The best approach would be to let whoever you pay for your VPS know about this; it's possible that other clients of theirs are affected, and they are probably best able to deal with this. – Samizdis Mar 27 '13 at 15:17
  • @Gyppo, and how do you know when the miscreant got on board? – vonbrand Mar 27 '13 at 16:21
  • We were informed by the hosting provider that our site was carrying out phishing activities. That is how we came to know that the site was hacked. – shawn swanson Mar 27 '13 at 21:23
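A first pass over the logs this answer points at (the web server's access log, /var/log/auth.log and the account list), as an added example that is not part of the original answer. The question the answer leaves open is "when did they get in and through what"; the script bounds the intrusion in time from the first request to the dropped folder, lists the state-changing requests that preceded it, and checks for logins and accounts that should not be there. The log excerpts, IP addresses, /admin/upload.php and /secure-login/ paths are constructed assumptions; the access log is assumed to be in combined log format and chronological order.

```shell
#!/bin/sh
# Added example, not from the original answer: triage of the logs the answer
# names, on constructed sample data so it runs offline. In real use feed it the
# rotated logs too (zcat /var/log/apache2/access.log.*.gz) from a copy taken
# before anything on the server was cleaned up.
set -eu

# Constructed combined-format access log (attacker 203.0.113.7, victim 198.51.100.33).
ACCESS_LOG='198.51.100.20 - - [24/Mar/2013:01:58:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2013:02:10:40 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.7 - - [24/Mar/2013:02:10:55 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "curl/7.29"
203.0.113.7 - - [24/Mar/2013:02:11:03 +0000] "POST /admin/upload.php HTTP/1.1" 200 88 "-" "curl/7.29"
203.0.113.7 - - [24/Mar/2013:02:11:30 +0000] "GET /secure-login/index.html HTTP/1.1" 200 4210 "-" "curl/7.29"
198.51.100.33 - - [25/Mar/2013:09:14:00 +0000] "GET /secure-login/index.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.33 - - [25/Mar/2013:09:14:20 +0000] "POST /secure-login/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Constructed /var/log/auth.log excerpt.
AUTH_LOG='Mar 24 02:05:11 web1 sshd[2314]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2
Mar 24 02:05:11 web1 sshd[2314]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 24 02:09:48 web1 sshd[2390]: Accepted publickey for root from 198.51.100.5 port 40022 ssh2'

# Constructed /etc/passwd from a pre-incident backup, and as it is now.
PASSWD_BACKUP='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash'
PASSWD_NOW="$PASSWD_BACKUP
sysupd:x:0:0::/tmp:/bin/sh"

# 1. First request to the dropped folder: prints "ip timestamp". This is the
#    latest moment the folder can have been created. $1 = URL prefix, log on stdin.
first_hit() {
    awk -v p="$1" 'index($7, p) == 1 { sub(/^\[/, "", $4); print $1, $4; exit }'
}

# 2. Every POST/PUT before that first hit is a candidate upload vector.
#    Prints "ip timestamp method path". $1 = URL prefix, log on stdin.
writes_before_first_hit() {
    awk -v p="$1" 'index($7, p) == 1 { exit }
                   substr($6, 2) ~ /^(POST|PUT)$/ { sub(/^\[/, "", $4); print $1, $4, substr($6, 2), $7 }'
}

# 3. Successful SSH logins from auth.log: prints "user source-ip".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") a = $(i + 1) }
             print u, a
         }'
}

# 4. Accounts that exist now but not in the backup ("NEW name"), and any
#    non-root account with uid 0 ("UID0 name"). $1 = backup text, $2 = current text.
new_accounts() {
    { printf '%s\n' "$1"; printf '%s\n' '--'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "--" { phase = 1; next }
        phase == 0 { seen[$1] = 1; next }
        !($1 in seen) { print "NEW", $1 }
        $3 == 0 && $1 != "root" { print "UID0", $1 }'
}

# Stand-alone report over the constructed data.
printf 'First request to the dropped folder: %s\n' "$(printf '%s\n' "$ACCESS_LOG" | first_hit /secure-login/)"
printf 'POST/PUT requests before it:\n'
printf '%s\n' "$ACCESS_LOG" | writes_before_first_hit /secure-login/
printf 'Successful SSH logins:\n'
printf '%s\n' "$AUTH_LOG" | accepted_logins
printf 'Account changes:\n'
new_accounts "$PASSWD_BACKUP" "$PASSWD_NOW"
```

Read the four results together: the same address that first fetched the phishing page also posted to the upload script a few seconds earlier and had an SSH password login as "deploy" minutes before that, and a second uid-0 account has appeared. Any one of those alone is a lead; together they tell you which credentials to treat as burned and roughly when the clean backup has to predate. A source address that appears in both the web log and auth.log is also what you hand to the hosting provider, since the same attacker may be inside other customers' sites on the VPS.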