

server was just hacked, need help




Posted by chamelion, 10-05-2007, 11:26 AM
OK, so my server was just hacked. Basically every index.htm/html/php in all my accounts (/home/*) has been replaced by some hack page. I have backups, so I'm not too concerned. The problems, though, are:

1) opening any subfolder in an account causes an endless loop
2) putting any other page there and trying to load it from the home directory yields a 500 error message

Most likely going to have to rebuild the entire server... but any ideas what I could look for first? E.g. the loop thing is nearly like there's some "global .htaccess file" that's controlling every single domain to keep reloading a subfolder called index, which does not exist...
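The two symptoms described above (every index.* replaced by one identical page, and every request looping into a non-existent "index" folder) both leave traces you can scan for before deciding how much to rebuild. The following is an added example, not code from the thread or from any poster: it builds a constructed /home-style tree showing both symptoms, then groups index.* files by content (many files sharing one checksum across accounts is the defacement signature) and lists .htaccess files carrying rewrite or redirect directives, which are the usual cause of both the loop and the 500 responses. All account names, paths and file contents are constructed; on a real host you would point `report_tree` at /home.

```shell
#!/bin/sh
# Added example, not code from the thread: build a constructed /home-style tree
# that shows the two symptoms described in the post (every index.* replaced by
# one identical page, and a .htaccess that sends every request into a
# non-existent "index" subfolder), then scan it the way you would scan /home.
# All paths, account names and file contents below are constructed.

set -u

# Create three constructed accounts under $1; "alice" and "bob" are defaced.
make_sample_tree() {
    root=$1
    for acct in alice bob carol; do
        mkdir -p "$root/$acct/public_html/blog"
    done
    for acct in alice bob; do
        # one identical defacement page dropped over every index.* file
        printf '<html><body>defaced</body></html>\n' > "$root/$acct/public_html/index.html"
        printf '<html><body>defaced</body></html>\n' > "$root/$acct/public_html/blog/index.php"
        # a rule that rewrites every request into ./index/, which does not exist:
        # the rewritten path matches again, hence the endless loop
        printf 'RewriteEngine On\nRewriteRule ^(.*)$ index/$1 [L]\n' \
            > "$root/$acct/public_html/.htaccess"
    done
    printf '<html><body>carol site</body></html>\n' > "$root/carol/public_html/index.html"
}

# Print "count crc" per distinct index.* content under $1, most common first.
# Many files with one CRC across different accounts is the defacement signature.
index_content_groups() {
    find "$1" -type f \( -name 'index.htm' -o -name 'index.html' -o -name 'index.php' \) \
        -exec cksum {} + | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Size of the largest group of identical index.* files under $1.
max_cloned_index_count() {
    index_content_groups "$1" | awk 'NR == 1 { print $1 + 0; exit }'
}

# List .htaccess files under $1 containing rewrite/redirect/handler directives;
# these produce redirect loops and, when malformed, 500 responses.
suspicious_htaccess() {
    find "$1" -type f -name '.htaccess' \
        -exec grep -l -i -E '^[[:space:]]*(RewriteRule|RewriteCond|Redirect|ErrorDocument|AddHandler|php_value)' {} + \
        | sort
}

suspicious_htaccess_count() {
    suspicious_htaccess "$1" | wc -l | tr -d ' '
}

# Human-readable summary; run as `report_tree /home` on a real host.
report_tree() {
    echo "identical index.* groups (count crc):"
    index_content_groups "$1"
    echo ".htaccess files with rewrite/redirect directives:"
    suspicious_htaccess "$1"
}
```

The scan is read-only, so it is safe to run on the compromised box before wiping it; treat its output as evidence of scope (which accounts, which directories), not as proof that nothing else was touched, since an attacker who could overwrite every account's files could also have changed anything outside /home.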

Posted by Patrick, 10-05-2007, 11:32 AM
Save yourself some time, and do as you suspect... rebuild the server and restore from backups. It's safe to assume that root access has been obtained if every single index file has been modified. There's no telling what the attacker could have done: backdoors, rootkits, etc. When you get the server online, hire a server management company that specializes in proactive security, patch management and whatnot... then restore the backups. You can spend the next few days trying to figure out what happened, while the attacker (probably) still has access... or you could start fresh and do it right this time.

Posted by debug26, 10-05-2007, 11:47 AM
Hello. Was your kernel updated? It might be the problem. Make sure that you have disabled the unwanted PHP functions so someone could not use them easily for hacking scripts. Also check the /tmp directory for any malicious scripts.
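Two of the checks suggested here can be scripted so they are repeatable on the rebuilt server. The following is an added example, not code from the thread or from any poster: it compares a php.ini's disable_functions line against an assumed baseline of shell-spawning PHP functions, and lists files under a temp directory that are executable or start with a shebang or "<?php", which a temp directory normally should not hold. The php.ini text and the temp files are constructed for the example, and the baseline list is an assumption, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a php.ini for the shell-spawning
# functions usually disabled on shared hosts, and list files under a temp
# directory that look like dropped scripts. The php.ini text and the temp files
# are constructed here; the baseline function list is an assumed hardening
# baseline, not something the thread specifies.

set -u

# Assumed baseline: PHP functions that let a script run OS commands.
BASELINE="exec passthru shell_exec system proc_open popen"

# Write a constructed php.ini to $1 that disables only two baseline functions.
make_sample_php_ini() {
    printf '[PHP]\nexpose_php = Off\ndisable_functions = exec,system\n' > "$1"
}

# Print every baseline function that php.ini $1 does not list in disable_functions.
missing_disabled_functions() {
    current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' ' ')
    for fn in $BASELINE; do
        found=0
        for cur in $current; do
            [ "$cur" = "$fn" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$fn"
    done
    return 0
}

missing_count() {
    missing_disabled_functions "$1" | wc -l | tr -d ' '
}

# Populate $1 with constructed temp files: two harmless, two that look dropped.
make_sample_tmp() {
    mkdir -p "$1/.cache"
    printf 'session data\n' > "$1/sess_0123"
    printf 'just notes\n' > "$1/notes.txt"
    printf '<?php echo "dropped"; ?>\n' > "$1/.cache/sh.php"   # PHP source in /tmp
    printf '#!/bin/sh\necho hi\n' > "$1/r"                      # executable script in /tmp
    chmod 755 "$1/r"
}

# List regular files under $1 that are executable or whose first line is a
# shebang or a PHP open tag; a temp directory normally holds neither.
suspicious_tmp_files() {
    find "$1" -type f | while read -r f; do
        if [ -x "$f" ] || head -n 1 "$f" | grep -q -E '^(#!|<\?php)'; then
            echo "$f"
        fi
    done | sort
}

suspicious_tmp_count() {
    suspicious_tmp_files "$1" | wc -l | tr -d ' '
}
```

On a real host you would run `missing_disabled_functions /etc/php.ini` (or whichever php.ini the web server loads) and `suspicious_tmp_files /tmp`; anything the second call lists deserves a look at its owner and mtime, since a dropped script is usually owned by the web server user and dated around the incident.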

Posted by talkntickets, 10-05-2007, 10:09 PM
Cert.org has some excellent documents which may help you, including an Intruder Detection Checklist which includes advice on how to recover from a root compromise. There is a Windows version too on the cert.org site. To find the documents, search for: "checklist compromise" (without the quotes) on the cert.org site. It is possible to recover from a root compromise without reinstalling the OS, but it is extremely difficult and requires immense attention to detail and a lot of system administration knowledge. The above document should help you determine the extent of damage and the likelihood of being able to recover without an OS reinstall. Best of luck with it.

Posted by anilj, 10-05-2007, 10:49 PM
How do you know your backups aren't compromised either? Sometimes the hackers might leave something sitting around for a while before going for the attack. Once you restore, you'd better make sure there isn't a single missing security patch out there.


