Thread: Hacked
#12, 24-10-2007, 06:32
Timothy D. Ginn
I check here maybe once a year.
no team
 
Join Date: Apr 2003
Rookie Year: 2002
Location: Port Perry, ON. Canada
Posts: 247
Re: Hacked

I'm surprised that so far people have missed the obvious step of first looking at what you've got that you control before assuming that the problem is with the host (which it may well be, but that shouldn't be the first thing to check for).

Questions you should ask yourself include:
What software do you have installed in your webspace? (Check and make sure there aren't little temporary things installed just for testing that were never removed and never properly secured; this happens often.)
Is it up to date? (This can especially be a problem if your team is using a CMS or old versions of phpBB2 or other forum software.)
If what you've got is custom written, has it been checked over by someone knowledgeable other than just the person who wrote it? If not, maybe it's time to audit it.

Assuming you have access to the web server access logs and error logs, read them carefully for the period of time before the last time you had problems. If the exploit is attacking something your team has control over, it's likely to appear strange and show up there. Be especially vigilant for things like phpShell and such which you don't recognize as being part of a normal type of request.
__________________
Alumni of FRC Team 1006
Former mentor of Full Lego Alchemist (FLL 5621) - Sempar School / Computing Students' Association of Queen's University
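
One way to carry out the log review the post describes, as an added example that is not part of the original post: it reads access-log lines from the period before an incident and lists successfully served PHP scripts that are not in your own inventory of installed software. The log format (Apache combined), the inventory, the seven-day window and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed format: Apache/NCSA combined log; adjust the pattern for your server.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Hypothetical inventory: the scripts your team knowingly installed.
KNOWN_SCRIPTS = {"/index.php", "/forum/viewtopic.php", "/forum/posting.php"}

def review(lines, incident, window=timedelta(days=7), known=KNOWN_SCRIPTS):
    """Return (time, ip, method, script, status) for requests in the window
    before `incident` that a PHP script outside the inventory answered."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: worth a manual look in real use
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (incident - window <= ts <= incident):
            continue
        script = m["path"].split("?", 1)[0]  # drop the query string
        status = int(m["status"])
        # A non-error response means the file exists and ran on your site.
        if script.lower().endswith(".php") and script not in known and status < 400:
            findings.append((ts, m["ip"], m["method"], script, status))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2007:10:01:02 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Oct/2007:03:14:15 +0000] "GET /test/upload_test.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Oct/2007:03:15:40 +0000] "POST /images/phpshell.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Oct/2007:03:16:00 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Sep/2007:09:00:00 +0000] "GET /old/tmp.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
INCIDENT = datetime(2007, 10, 23, 12, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for ts, ip, method, script, status in review(SAMPLE_LOG, INCIDENT):
        print(ts.isoformat(), ip, method, script, status)
```

Each hit is either a forgotten test script or a file nobody on the team put there; both are things to remove or audit before blaming the host.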