|
Hacked
Our website has been hacked twice both maliciously. We're not entirely sure but we think the IP addresses were from Germany though they posted the Brazilian flag the first time. Does anyone have any suggestions how to secure our website?
|
Re: Hacked
What kind of server? Who is hosting it? We'll need more info if you want us to help.
EDIT: I did a whois lookup on punahourobotics.org, and it appears that your site is hosted by BlueHost.com. Assuming you haven't been playing with DNS settings so you can self host your site, I doubt there is much you can do. Other than change hosting companies. EDIT: I took to long to edit my post. |
Re: Hacked
Are youtalking about punahourobotics.org (69.89.25.188)?
I see that you are using bluehost as your web hosting company. They kindly kept your personal info safe from the WHOIS database, but unfortunatley left a slew of information about themselves instead of paying to have it show up as anonymous. It looks like they have ports 23 and 53 buttoned up well, which is good for you. Ports 80 and 21 are open, which are expected (perhaps you can request secure FTP instead?). I also see 110 open, which is pop3 (do you have an email server?) I also ran a custom scan on 3389, which is closed (another big relief). You really need to talk to bluehost and find out exactly how the intruder got in (which port, service, and hacking method.) You are running off a server called box188 on their system. Ask them to send you a report on all secure traffic on this box. If the problem persists, change hosting companies. There is obviously a problem with the security of their hosting. Jacob |
Re: Hacked
Quote:
|
Re: Hacked
Has this been a consistent problem with blue host? If so, we might have to think about changing web hosts...
|
Re: Hacked
Quote:
In my early days of webhosting, I left my RDP open so I could access my webserver from anywhere (hey! give me a break... I was 8...) Now-a-days, I actually DO have RDP open on my domain (which is run out of my datacenter), but my gateway (that I built, its a P4 w/ 2.5 GB RAM fyi) forwards the RDP port to a specific Terminal Server, that is set up soley for that purpose. Once logged into the Terminal Server, you can access a secure area of my network (using encryption) which allows you to Remote Desktop any of the servers on my network (I run 7 servers 24/7 on my domain). So in short, I guess the answer is ME!!! :p But I think I have the security measures to compensate. My domain has been running over 2 years without a problem (not referring to uhsserobotics.com, I'm referring to my personal domain that I use for remote services... FYI uhsserobotics.com is run from a seperate couple of servers in my datacenter). Jacob |
Re: Hacked
Quote:
EDIT: Just curious, what the power consumption of a setup like that? And whats it take to keep them cool? EDIT: Your gateway is a P4 with 2.5gb of ram?!?! My server is only a p4 with 1gb! |
Re: Hacked
Quote:
I wish i had the resources to run such a system. |
Re: Hacked
Quote:
|
Re: Hacked
Quote:
But all in all, my entire setup hasn't actually cost me that much. Except for the additional $125 a month on the electric bill (oops). But I have a job, plus I rent out server space to my friends for backups and immediate access to their files and such, so it isn't a huge deal. I just find it superconvienent to open my laptop on the road, hit the BT-DUN connect button (Verizon EVDO with hacked BT-DUN on my Q... I LOVE IT), hit WinLogo-R, type mstsc, put in my domain, hit the enter button, and BAM.... I'm right at home. I can access my email, leave my instant messengers open 24/7, control music at home, check security (both physical in the house and web security), check on some of the hosting servers I have for friends (I actually host a couple of MUDs for a few MUD fanatic friends of mine). If I'm on a high speed connection somewhere, I can remote desktop into my terminal server and secure remote desktop to one of my main rigs and feel right at home. I can watch movies, play music, organize pictures, post on chief delphi, or whatever! I also have a VPN set up so that I can locally mount disk images on any computer and play video games on any computer (public kiosks, lab computers, etc). I have a love for servers. I'm always looking to expand my domain (no pun intended :p ) Jacob EDIT: BTW, this is completly off topic. |
Re: Hacked
Quote:
Waiting for payment on the domain name to clear..... For some reason I thought it would be good to send the bill to the team as opposed to me (it's only 10 bux a year... I should have just done it) Now I have to wait for the bill to go through the team's process for paying for it (which, I hope to god it doesn't require a purchase order or some other beurocratic thing like that.... :eek: ) I was told it should be cleared by friday *crosses fingers* But the servers are up and running exactly like they should be! Jacob |
Re: Hacked
I'm surprised that so far people have missed the obvious step of first looking at what you've got that you control before assuming that the problem is with the host (which it may well be, but, that shouldn't be the first thing to check for).
Questions you should ask yourself include: What software do you have installed in your webspace? (check and make sure there aren't little temporary things installed just for testing that were never removed and never properly secured, this happens often) Is it up to date? (this can especially be a problem if your team is using a CMS or old versions of phpBB2 or other forum software) If what you've got is custom written, has it been checked over by someone knowledgable other than just the person who wrote it? If not, maybe it's time to audit it. Assuming you have access to the web server access logs and error logs, read them carefully for the period of time before the last time you had problems. If the exploit is attacking something your team has control over, it's likely to appear strange and show up there. Be especially vigilant for things like phpShell and such which you don't recognize as being part of a normal type of request. |
Re: Hacked
I have been using bravehost.com for close to 5 years now, and I have NEVER ran into something like this. It may cost a little more (I pay $4.99/mo with 30gig of space and 600gig of bandwidth) but I have had absolutely no problems with there service. If you ask me, there setup is the cleanest easiest to work with, and most secure setup that is out there. Check it out, I would definitely say that they are my favorite, because I also have a godaddy.com and hostmonster.com hosting account, but I am definitely gona switch them over, because I really was not impressed with there service. But seriously, that is ridiculous.
|
Re: Hacked
another site that I admin was hacked in the same way fairly recently. They replaced my site with some stupid splash screen, with the fools handle, a Turkish flag and a scrolling banner stating how "uber" this guy/gal was.
After some digging, We found that this person was exploiting a weakness in phpbb we were using. After updating the software, we haven't had a problem. no matter what you do you will always have a problem with security if you use a popular piece of software. |
Re: Hacked
It appears that this site is very cleancut and is lacking 3rd party apps (less the Google Gadget app, but I doubt there is a security problem in that). I looked at the source code, and everything looks HTML and Javascript.
Then I found forum.punahourobotics.org It appears that they have the latest version of Simple Machines. But I got to thinking, doesn't Simple Machines use MySQL, and PHP? That must mean that there is a MySQL server running on box188.bluehost.com, and perhaps this is the security hole. Check your MySQL version and patches, make sure it's all up to date. What's odd is that a hacker would put this much effort into splashing a robotics team's website. Seems like it would be a fairly low-target kind of domain to hit. Jacob |
Re: Hacked
What they do is troll the internet looking for large hosting systems. Most of their accounts are small and use PhP Or MySQL. They don't care how big or small the site is. They do it for kicks.
Why do folks spray paint builds? Because they have brains no bigger than your average canine... |
Re: Hacked
Quote:
Remote Computer (RC) ==RC's RDP=> Gateway ==Forwarded RC's RDP=> Terminal Server (TS) ==TS's RDP inside forwarded RC's RDP=> Specific Server Doesn't that mean you're creating a second RDP session from within your terminal services client? Does that work well? (I've run RealVNC from within MSTSC, and it's terrible, but that should come as no surprise because MSTSC isn't VNC-aware. I don't recall what happens when you nest MSTSC, though.) Isn't it more usual (in the corporate world) to encapsulate the whole thing in a VPN over a different port, and have the gateway forward that directly to the required (specific) server? Basically, it would be interesting to compare those methods...though in real life, I may have the rather more pressing problem of what to do when my cable or DSL provider decides to dynamically allocate a new IP, making me lose track of where my network exists at any given time. |
Re: Hacked
Quote:
|
Re: Hacked
Quote:
Remote Computer => The Internet (as low as 115kbps via cell phone up to say 30 or 40 megabit on a good cable connection or on campus) => my gateway => gigabit LAN => specific server => gigabit LAN => somewhere else on the network => gigabit LAN => somewhere else and so on and so forth. The big speed problem is in your internet connection, but once inside the LAN, RDC windows running inside of each other is absolutley no problem. I believe that the client is actually designed to do this (as it does it so seamlessly.) And regarding your 'dynamic IP'... Most cable providers give dynamic IPs based on MAC address, so as long as you are connecting to the cable network with the same modem, you will have the same IP.... always. DSL on the other hand :mad: gives you a new IP dynamically every time you reboot the connecting modem. How wonderful. Eric is TOTALLY on the ball as far as dyndns's service. It wonderful, as I used to use it before my cable provider started handing out 'static' IPs (yeah, I know, its not truely static, but its really really close.) You can use a bit of software to continuously report to dyndns your IP address. Awesome awesome stuff. Jacob |
Re: Hacked
And interestingly enough, DynDNS appears to be a FIRST team sponsor (for FRC501). I'll look into them....
|
Re: Hacked
DDNS:
http://www.EditDNS.net is another good dynamic DNS, it works with domains like abc.xyz Where abc is the Second level domain and xyz is the top level domain. Its free to use and alows control over the A, AAA, MX, NS, SRV, CNAME More advanced features cost $6 for 6 months access to setup, but once set you don't need to pay after the 6 months unless you need to change a more advanced feature. I use the free service with my self hosted web sites and it works great. Hosting: The company I work with uses host rocket to host theirs and their customers sites on. http://www.hostrocket.com/ They have 24/7 tech support (Actually called at 2am on Saturday) Misc: I haven't had much php or mySQL experience yet (I use SQL express and ASP.net 2.0), but would recomend making sure everything is up to date, and recheck all settings for any possible security holes. I have two dual Xeon 2.6GHz HT (Device manager shows 4 CPUs) servers each with 1GB of Ram, striping Raid on Data Drives (SCSI LVD), 250GB SAN Storage for backups, VPN/Firewall router between servers and Internet I used one of these servers to host the live web cast of PARC X. |
Re: Hacked
Just to prove that Jacob's suggestion works, I'm making this post on my university's Windows Server 2003 terminal server, connected over Remote Desktop to a Windows XP virtual machine, which is itself connected over Remote Desktop to a Windows 98 virtual machine. Both VMs are running locally on Windows Vista (no, I didn't nest those too). It all seems to work pretty well (if you can tolerate 8-bit colour).
|
Re: Hacked
Quote:
|
| All times are GMT -5. The time now is 01:17. |
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © Chief Delphi