Discovered that my site creeso.com got "hacked".
How do I root cause it? What's the right course of action to prevent such attacks in the future? Does anybody know of their MO?
I'm currently scanning for keyloggers on my mac.
Most of the time these attacks are automated, so there is no specific MO. Common points of entry are:
* Unpatched or out of date software services running on your server
* Unpatched or insecure web applications
* Weak ssh passwords
Finding the point of entry can be difficult. It's basically an exercise in log-diving. The location of these logs may vary based on your distribution, but look for information on:
* SSH auth and security logs
* General syslog
* Web server access and error logs
* Application logs
Depending upon the level of access gained and the sophistication of the attacker's script, it may clean up after itself, which means you may not find anything.
Security is layered, so there are no "5 easy steps to securing your servers" solutions. In general, you should:
* Keep your distribution's software packages up to date
* Keep any custom-built and off-the-shelf applications up to date with new releases
* Use passwordless SSH key authentication with passphrases
* If you must allow password authentication, use a service like fail2ban to block bruteforce attacks
* Use a firewall like ufw to "default deny" access to services except those you explicitly want to provide access to
As for the MO - the lulz, would be my guess. Googling it (http://www.google.com/search?gcx=w&ix=c2&sourceid=ch...) shows that who ever is doing it is widely indiscriminatory with who they are hacking. As for how they did it, it really depends on the infrastructure in place already. If you are using any cms (wordpress, drupal) it was likely through that, as there are a number of weaknesses published regularly that are used against it. The first thing to do is check current index to see who wrote to it last, and at what time. If it is the webuser (ie apache, nginx, etc) then it was almost certainly a hack from a browser, if it was root, the server has been compromised. Once you have the file's update time, you should look over your access logs to see if there is anything suspicious lines up that time. As for the cleanup, assuming you are using a linux based server and it was compromised, install rkhunter, run it right away. This should catch anything that they would have used (it seems like a scriptkiddy), change any access port, update your ssh password and change the port, and preferably change over to a key based login system (http://pkeck.myweb.uga.edu/ssh/). I would also look into fail2ban (fail2ban.org) if they did bruteforce, as it would have stopped them. As a cherry ontop, you can setup a basic mail script to send yourself a text/email whenver anyone logs into root/any important account.
If you want any help, I used to do this sort of cleanup as a job, and I have a free afternoon. DM me.
@cleverjake, M.O. = modus operandi = 'way of working', i.e. how they did it. You answered why, I think. Then I read on to 'indiscriminatory' and gave up on the whole thing. ;)
Thanks a lot cleverjake. I'm still running the anti-malware on my mac, so I'm not ssh'ing into the server. Am I being paranoid?
FYI - It is on shared hosting.
Also, this might sound stupid - how do I DM you?
It appears it's the usual mass defacement, so they are probably exploiting a well-known vulnerability.
You are not the only one, I checked for other domains hosted with webfaction.com (Which seems to be a re-seller hosting service using linode, I could be wrong):
eyetraveldoc.com*
themediashow.net*
These were also defaced (these are using the same IP as yours), so there is a high chance that your hosting service is running a vulnerable kernel, service or the node you're on is. So notifying them and continuing from there would be a good start.
*They have been restored, but a mirror is on zone-h
They have a list showing 26 hosts on that IP that were defaced. Randomly checked four of them (which are fixed now), all WordPress. But then #5 looked like a static HTML site (http://outrightoriginal.com/), so I'm going to go with server compromise, not CMS compromise.
* Unpatched or out of date software services running on your server
* Unpatched or insecure web applications
* Weak ssh passwords
Finding the point of entry can be difficult. It's basically an exercise in log-diving. The location of these logs may vary based on your distribution, but look for information on:
* SSH auth and security logs
* General syslog
* Web server access and error logs
* Application logs
Depending upon the level of access gained and the sophistication of the attacker's script, it may clean up after itself, which means you may not find anything.
Security is layered, so there are no "5 easy steps to securing your servers" solutions. In general, you should:
* Keep your distribution's software packages up to date
* Keep any custom-built and off-the-shelf applications up to date with new releases
* Use passwordless SSH key authentication with passphrases
* If you must allow password authentication, use a service like fail2ban to block bruteforce attacks
* Use a firewall like ufw to "default deny" access to services except those you explicitly want to provide access to
Good luck.