Tracking hackers

SanDiegoPC

Senior member
Jul 14, 2006
460
0
0
Wow do I wish I could figure this out! I'm a PC Repair geek by trade and about 3 months ago my customers started telling me my company website was 'reported as an attack site' by Firefox/Google.

I logged in, and sure enough the code on my corporate home page was different than what I have in this computer. So I called the web hosting company and complained. They claim it's not a virus in their server, it was just a hacking job on my website. So I fixed it. That was at least three mos ago.

This morning I installed Windows on a client's computer and as a final touch, I set the Internet Exploder up to use my company's site as the opening home page. When I started MSIE up, it went to my company site for a second, then the machine restarted.

It now has Antivirus Pro 20010 on it and won't access the internet without me paying money for their virus.

So how can I get this virus off my website (how is it getting from my company website to PCs that go to it?????) And most importantly, how can I find out who is hacking my company's site?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
My employer's website got compromised once. Turns out the bad guys had hacked into their datacenter and compromised a lot of their customers' sites. Like you, I'd set our own site as the default homepage. I had the users on (*ahem*) non-Admin user accounts, so that particular one would've failed regardless, but we also had antivirus detection for it.

Anyway, restore your site and set a super-strong password on it. Mine is >16 characters with the usual strengthening characteristics (uppercase, lowercase, symbols and numerals). Finding the hackers probably won't help unless you intend to go to Russia or China and do something about it in person.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I'd also talk to your clients about backups. Some recent malware includes code that encrypts the victim's data and demands payment to un-encrypt it.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I lost a reply to this thread earlier apparently.

Are you running a static site (plain ol' HTML)? Or is it dynamic? If it's dynamic make sure everything is up to date. If it's custom dynamic code, make some coffee and start auditing now. There's a hole somewhere if they keep getting in.

Also, double check all logs you have access to. Web applications have pretty bad logging capabilities (there's a WordPress plugin for OSSEC-compatible logging, but I'd rather avoid WordPress), so they may not be very helpful. Definitely worth a look though. Don't put anything sensitive on the site until you figure out how they got in.
 

cessation

Member
Jan 9, 2003
178
0
76
You could probably find a lot more help here OP. http://www.webhostingtalk.com/

I wouldn't worry about who's doing it, I would worry about stopping it so it doesn't happen again.

There are a lot of different reasons it could be getting hacked.

Just to name a few...
1. The web host doesn't know how to secure a server or doesn't care.
2. You have scripts installed that are insecure or need to be patched often but aren't patched.
3. The PC you use to upload files to the web server has a virus sending the login info out.
4. If it's shared hosting then someone else's account could've got hacked that compromised the whole server.


The first time I set up logwatch on a server years ago I was shocked at all the bots attempting to log in to my server. After all the trouble it took to secure the server I decided to move to a host that took care of all that for me. That way I could work on my sites instead of worrying about keeping things up to date etc.

If you're serious about your biz (or your company is) I would get a host (fully managed hosting) that can take care of your site and answer all of your questions. That way you don't have to ask on message boards for help and hope someone will help you. Here are some good hosts: nationalnet.com (I use them), softlayer.com, wiredtree.com, liquidweb.com.

Long ago I used to keep my sites hosted at dreamhost (cheap webhost). Dreamhost would go down often and ppl always whined how it was destroying their biz. I never could figure out why they would let their biz get destroyed because they didn't want to spend more than 10 bucks a month on hosting.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
The possibilities mentioned so far are very appropriate. The most common causes of hacked servers include:

1) Weak password.
2) Vulnerable web site with unchecked data entry forms.
3) Unpatched application vulnerability.
4) Unpatched OS vulnerability.

Your host is claiming their server isn't hacked. If it was, you'd expect many of their clients' sites to be infected. I'd worry more about fixing the vulnerability than exactly who is doing the hacking. Even if you SOMEHOW got a hacker shut down, there's a zillion others who will find the same vulnerability.
 

SanDiegoPC

Senior member
Jul 14, 2006
460
0
0
Originally posted by: RebateMonger
The possibilities mentioned so far are very appropriate. The most common causes of hacked servers include:

1) Weak password.
2) Vulnerable web site with unchecked data entry forms.
3) Unpatched application vulnerability.
4) Unpatched OS vulnerability.

Your host is claiming their server isn't hacked. If it was, you'd expect many of their clients' sites to be infected. I'd worry more about fixing the vulnerability than exactly who is doing the hacking. Even if you SOMEHOW got a hacker shut down, there's a zillion others who will find the same vulnerability.

Thanks all. I did change my FTP username & password. There are no unchecked forms or applications on this site. It's on an Apache server... but it is shared.

I am certainly willing to go onto another service/server. Aplus.net support is weak at best and I don't like that my site got hacked again, after me re-uploading it all a couple months ago.

Now the big prob too, is to get Google to take me off the banned website list. That will take months.
 

SanDiegoPC

Senior member
Jul 14, 2006
460
0
0
What would it take for me to host this myself? I am ready to find another use for this quad-core computer I'm working with now, in favor of one of Intel's newer offerings. I am on ATT U-Verse and have the highest bandwidth package available - much faster than a T-1 (1500 MB/s upstream and 10,000MB/s down). I'm in a neighborhood where power failures are very rare (one in six years so far)

Any suggestions?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Stop using ftp also. This is why sftp is out there.

If you need it to be up all the time, you don't host it yourself.

You get 1.5GB/s upload? Wow.

Look for a good colo. It'll be easier and better in the long run. Do you handle mail?
 

SanDiegoPC

Senior member
Jul 14, 2006
460
0
0
Colo is a great suggestion. Thanks. Yea the ATT U-Verse speeds here in San Diego are tremendous. And so far, reliable - we got it right away. It's several times faster than cable, and it has not gone down on us since it was put in - about 15 months ago.
 

cessation

Member
Jan 9, 2003
178
0
76
Originally posted by: SanDiegoPC
What would it take for me to host this myself? I am ready to find another use for this quad-core computer I'm working with now, in favor of one of Intel's newer offerings. I am on ATT U-Verse and have the highest bandwidth package available - much faster than a T-1 (1500 MB/s upstream and 10,000MB/s down). I'm in a neighborhood where power failures are very rare (one in six years so far)

Any suggestions?

You could install Linux such as CentOS, then install a control panel that's not hard to use such as cPanel. But you'd still need to worry about keeping the server secure. So it would probably take a long time to get the hang of it. Although there are managed services out there, they'll manage your server and help you keep the server secure no matter where it is. Just make sure you get someone decent to do it so your server is secure.
 