Hacking Problems

By Michael34
My question is I have a web host who is having some major problems with some sites that are getting hacked (he is running Fedora); however, we have not been able to find out which site in specific is being targeted. Can anyone give some advice on how we could track this site down? From what we can tell, someone is uploading something to the site giving them access to crash Apache, as it seems Apache is the one that always goes down first.


by Jaqui In reply to Hacking Problems

Access log and error log.
The last entry when the server goes down in both should be to the same site.
That would be the site that is generating the problem.
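The log correlation described above, as an added example that is not from the thread: it parses constructed sample access_log and error_log lines, finds each child-crash notice in error_log, and counts which virtual hosts were being served in the seconds before it. It assumes Apache's vhost_combined format (vhost in the first field) and that both logs are in the same time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread), access log in vhost_combined format ("%v:%p" first).
ACCESS_LOG = """\
www.site-a.example:80 203.0.113.5 - - [12/Mar/2006:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 512
www.site-a.example:80 203.0.113.7 - - [12/Mar/2006:14:01:50 +0000] "GET /about.html HTTP/1.1" 200 900
www.site-b.example:80 198.51.100.9 - - [12/Mar/2006:14:02:31 +0000] "POST /upload.php HTTP/1.1" 200 44
www.site-b.example:80 198.51.100.9 - - [12/Mar/2006:14:02:33 +0000] "GET /files/x.php HTTP/1.1" 500 10
"""
ERROR_LOG = """\
[Sun Mar 12 14:02:34 2006] [notice] child pid 4321 exit signal Segmentation fault (11)
"""
ACCESS_RE = re.compile(r'^(?P<vhost>\S+?)(?::\d+)? (?P<ip>\S+) \S+ \S+ '
                       r'\[(?P<ts>[^ \]]+) [^\]]*\] "(?P<req>[^"]*)"')
ERROR_RE = re.compile(r'^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] '
                      r'\[(?P<level>\w+)\] (?P<msg>.*)$')

def parse_access(text):
    """Return (timestamp, vhost, client, request) for each parseable access_log line."""
    hits = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        # The UTC offset is dropped: both logs are assumed to be in the same zone.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        hits.append((ts, m["vhost"], m["ip"], m["req"]))
    return hits

def crash_times(text):
    """Timestamps of child-process crash notices ("exit signal ...") in error_log."""
    return [datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            for m in map(ERROR_RE.match, text.splitlines())
            if m and "exit signal" in m["msg"]]

def suspect_vhosts(access_text, error_text, window=timedelta(seconds=30)):
    """Count requests per vhost shortly before each crash; also return the latest one."""
    # Caveat: access_log lines are written when a request completes, so the request
    # that killed a child may never appear; this shows activity, not proof of guilt.
    hits = parse_access(access_text)
    counts, last = Counter(), None
    for crash in crash_times(error_text):
        in_window = [h for h in hits if crash - window <= h[0] <= crash]
        counts.update(h[1] for h in in_window)
        if in_window:
            last = max(in_window)  # latest logged request before this crash
    return counts, last

if __name__ == "__main__":
    counts, last = suspect_vhosts(ACCESS_LOG, ERROR_LOG)
    print(counts.most_common(), "\nlast request before crash:", last)
```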


by Michael34 In reply to Hacking Problems

An update: we were running Red Hat Enterprise Edition; now we switched to Fedora. From what I understand, the person is getting in from user nobody at root, so we are unclear on how they are going about doing this. Any ideas?


by BFilmFan In reply to Hacking Problems

What have you used to scan the server to check that you weren't rooted?


by lyon_bleu In reply to Hacking Problems

Although it is focused on tools specific to IIS, a recent article in MS TechNet Magazine gives an excellent overview of the strategies and techniques used by a would-be hacker, most of which are not platform-specific.

by jmgarvin In reply to Hacking Problems

1) Scan for root kits.
2) It sounds like you should probably do the security standard stuff (change passwords, audit logs, etc.).
3) What port(s) are they coming in on? What ports are open? Can you lock down ports? Lock it down and see if they can still get in.
4) Monitor your logins. Don't let root or nobody remote in.


by CXY In reply to Hacking Problems

Even though Apache is always down first, don't assume the attacker is attacking Apache. He may have broken in via other services, such as FTP or DNS.

I suspect your server has been compromised using root kits and your attacker has already got access with root privileges.

Normally, in this situation, your files have also been compromised, so you cannot trust normal utilities like ps or netstat to track the attacker.

I recommend you move all the sites to a new, fresh, clean server. Yes, you will definitely have downtime.

HOWEVER, TO TRACK the bad guy, this is what I did:
Copy the files you need to track processes and network connections from the RedHat CD. Then see all processes running and network services. See if you have open ports you don't remember ever opening. From there you can track what program is listening for the connection and replace the program to see where the connection is coming from.


by Nico Baggus In reply to Hacking Problems

First make a backup image (not tar, raw backups, preferably using dd, from the raw partitions, using a live CD to a different system).

Then reinstall your OS & restore the data only.

Afterwards you can analyze the images from your disks/partitions on a different system using f.e. qemu/vmware and the various tools to do postmortems. see also

kind regards,
Nico Baggus
