[ubuntu-uk] Website Hacked.....

Tony Arnold tony.arnold at manchester.ac.uk
Sat Jun 27 18:25:35 BST 2009


John wrote:
> I run a website, and there's about 2.5 gigs of information on there. The 
> whole lot got deleted and the hackers put a picture advertising who 
> they were. I have managed to get the host to restore as much as they can 
> back, well, the way they are trying to.
> What is worrying me, is the password was a really strong password, 100 
> strong according to the password generator, and I was wondering, how 
> they managed to get in. I can't help worry that it might be through my 
> netbook. How do I check to see that my computer hasn't been hacked? I 
> know Ubuntu has a virus checker, but the last time I tried to use it, it 
> was finding programs that were viruses, and these were programs in the 
> Synaptic. I was not able to use it in the end, as I didn't know what was 
> what. Also is there anything I can do to stop my notebook from being 
> hacked?

Matt and Lucy have given you some good advice and pointers to how your
site got hacked. To really find out, you need to do some forensics, but
I realise the information you need may no longer be around.

You need to determine the date & time of when the hack occurred.
Creation dates of new files put there by the hackers or modify dates of
anything they have changed will give you a clue.

You then need to trawl the log files for the web server and look for any
unusual looking URLs that have been requested at about the time of the
hack. The path in the URL will give a clue as to where the weakness lies.

I would also avoid using FTP and use SFTP (via ssh) instead. Strong
passwords help, but authentication via ssh keys would be even better.

The concern here is that you restore everything and it just gets hacked
again because you haven't fixed the vulnerability.

Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 870 136 1004
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: tony.arnold at manchester.ac.uk
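
The two forensic steps described in the message above (find when files changed, then read the web server log around that time), as an added example that is not part of the original post. It assumes an Apache/nginx combined-format access log; the function names, paths, addresses and log lines are constructed for illustration.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: client, [timestamp], "METHOD url proto", status.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def modified_since(root, since):
    """Step 1: files under root changed at or after `since`, oldest first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.lstat(path).st_mtime, timezone.utc)
            if mtime >= since:
                hits.append((mtime, path))
    return sorted(hits)

def requests_near(lines, when, window=timedelta(minutes=30)):
    """Step 2: parsed log entries stamped within `window` of `when`."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, stamp, method, url, status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            out.append((ts, client, method, url, int(status)))
    return out

def paths_by_client(entries):
    """Count hits per (client, path) so rarely requested paths stand out."""
    return Counter((c, url.split("?")[0]) for _, c, _, url, _ in entries)

# Constructed sample: documentation-range addresses and made-up paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jun/2009:09:12:01 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Jun/2009:02:41:10 +0100] "POST /gallery/upload.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [26/Jun/2009:02:41:55 +0100] "GET /gallery/files/new.php?x=1 HTTP/1.1" 200 88',
    '198.51.100.4 - - [26/Jun/2009:14:00:00 +0100] "GET /about.html HTTP/1.1" 200 2048',
]
# Constructed time, standing in for the earliest mtime found in step 1.
SUSPECTED = datetime(2009, 6, 26, 2, 45, tzinfo=timezone(timedelta(hours=1)))
```

Run `modified_since` against a copy or backup of the site taken before the restore, since restoring files resets the timestamps this relies on.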
