

Hacked website, need a security expert...




Posted by idevspot, 09-06-2011, 03:56 AM
My website was recently hacked, I don't know how. I need to find someone who can determine how it was hacked, any suggestions?

Posted by madaboutlinux, 09-06-2011, 06:29 AM
It could be your account password or a security hole in your application that resulted in the hacking, or it can be a server-side security issue and you may not be the one whose website is hacked? Do you have a dedicated server or a shared hosting account? If it's a shared hosting account, contact your hosting provider as they are the ones with all the access to the server logs.

Posted by HostXNow_Chris, 09-06-2011, 07:19 AM
I just visited your site and Microsoft Security Essentials detected TrojanDownloader:JS/Oakbot.H. I suggest you run ClamAV and Linux Malware Detect, make sure file permissions are correct, update passwords. That would be a good start.

Posted by tobaria, 09-06-2011, 11:44 AM
Steven at rack911 is the man.

Posted by johnsonpatel18, 09-07-2011, 12:57 AM
You need to have a look at your .htaccess; you may find more information there.

Posted by ssfred, 09-07-2011, 08:50 AM
Hello, if you are on a Linux server, search for your user name in /var/log/messages. It will reveal if the file was uploaded through FTP, with the details. Sometimes the machine which is used to upload the website might be infected with viruses like the Gumblar virus. Also check the file permissions as well. It is always better to enable a stronger mod_Sec rule set to prevent attacks through web applications.
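
Added example, not part of ssfred's post: a shell version of the log search described above, listing one account's FTP uploads and the source addresses they came from. It assumes the server runs Pure-FTPd logging to syslog (the thread does not say which FTP daemon is in use); the function names, account names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list FTP uploads made by one account, read from syslog.
# Assumption: Pure-FTPd logging to syslog; other daemons format lines differently.

# ftp_uploads USER LOGFILE -> "timestamp<TAB>source IP<TAB>path", one per upload
ftp_uploads() {
    awk -v user="$1" '
        /pure-ftpd/ && /\[NOTICE\]/ && / uploaded / {
            # Session tag has the form "(user@ip)"
            if (!match($0, /\([^()@ ]+@[^() ]+\)/)) next
            tag = substr($0, RSTART + 1, RLENGTH - 2)
            at = index(tag, "@")
            if (substr(tag, 1, at - 1) != user) next
            ip = substr(tag, at + 1)
            # Path is the text between "[NOTICE] " and " uploaded", cut by
            # position so that file names containing spaces survive
            s = index($0, "[NOTICE] ") + 9
            e = index($0, " uploaded")
            printf "%s %s %s\t%s\t%s\n", $1, $2, $3, ip, substr($0, s, e - s)
        }' "$2"
}

# ftp_upload_sources USER LOGFILE -> "count ip", busiest source address first
ftp_upload_sources() {
    ftp_uploads "$1" "$2" |
        awk -F '\t' '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Constructed sample log: made-up accounts, documentation-range addresses
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Sep  5 02:14:01 host pure-ftpd: (?@203.0.113.45) [INFO] exampleuser is now logged in
Sep  5 02:14:07 host pure-ftpd: (exampleuser@203.0.113.45) [NOTICE] /home/exampleuser/public_html/index.php uploaded  (4821 bytes, 12.40KB/sec)
Sep  5 02:14:09 host pure-ftpd: (exampleuser@203.0.113.45) [NOTICE] /home/exampleuser/public_html/my file.js uploaded  (900 bytes, 3.10KB/sec)
Sep  5 09:30:00 host pure-ftpd: (otheruser@198.51.100.7) [NOTICE] /home/otheruser/a.txt uploaded  (10 bytes, 1.00KB/sec)
Sep  6 10:00:00 host pure-ftpd: (exampleuser@198.51.100.7) [NOTICE] /home/exampleuser/public_html/logo.png uploaded  (2048 bytes, 8.00KB/sec)
Sep  6 10:00:05 host pure-ftpd: (exampleuser@198.51.100.7) [NOTICE] /home/exampleuser/public_html/logo.png downloaded  (2048 bytes, 8.00KB/sec)
EOF

ftp_uploads exampleuser "$sample"
ftp_upload_sources exampleuser "$sample"
```

On a real server, pass /var/log/messages (or its rotated copies) as LOGFILE. Uploads from a source address you do not recognise suggest the FTP credentials were used by someone else, which ties in with the advice to change passwords and clean the uploading PC.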

Posted by ModelWebHost, 09-07-2011, 09:40 AM
I had a bad experience like this because my computer was infected with a worm virus and then the files that I uploaded to server got infected. Right after 1 hour my website was hacked. So, try to clean your PC also.

Posted by mellow-h, 09-07-2011, 11:10 AM
The best thing is to check your access logs before rotation. These hacks are done using injection. If you can analyze your logs properly, you should be able to find out the reason for these sorts of injections.

Posted by LinuxSecurityExpert, 09-17-2011, 01:07 AM
Scan for rootkits with chkrootkit and rkhunter, too. If someone managed to get in as root, they may be hiding themselves. Also, check /root/.ssh/authorized_keys*, and examine /etc/ssh/sshd_config for modifications. There are many easy ways to install a backdoor into a system once it has been rooted. Last edited by anon-e-mouse; 09-17-2011 at 03:09 AM.

Posted by The3bl, 09-17-2011, 03:00 AM
Unless chkrootkit and rkhunter are already installed and running, it would do no good to install and run them after the hack. Last edited by anon-e-mouse; 09-17-2011 at 03:09 AM.

Posted by Steven, 09-17-2011, 08:50 PM
Not to mention the actual sshd binary has been getting backdoored lately and chkrootkit and rkhunter do not detect it.


