
RE: [WEB SECURITY] Fwd: hi, need help



Here is a procedure to follow:

1) take the server offline, and off the network

2) run around the office screaming and throwing stuff around. 

3) bring the backup files (you have those, right?) up on another machine
that is not network connected

4) scan the hacked box, patch the hacked box with all updates and
service packs, and turn off anonymous ftp, and any other service that
isn't needed. Especially anonymous FTP.

5) scream at the next person that tells you the site is offline, and go
get more coffee / tea

6) scan the backup server and check the backups you made (you did make
some, right?) 

7) While that scan is running, now is a good time to update your resume,
or review some of the recent applications you've received for the (soon
to be open position of) system administrator, if you are not the system
administrator.

8) research the hack, read as much as you can get about the defacement,
who did it and how they did it.

9) if you are lucky enough to find who did it, scream their name at the
sky for 10-15 seconds as long and drawn out as you can get, while
imagining all sorts of nasty outcomes for their immediate future.

10) look through the server logs to try and nail down exactly which one
of the many attempts was successful in getting control over your
server. Note the application or service that was unsecured, and who was
the brainiac that was to blame. If it was you, run around and scream
some more while coming up with a new positioning statement for the top
of your resume that starts with 'While I was employed recently as a
Server Administrator, I...'

11) Fix the hole, take the exploitable application offline, restore from
backup as much as you can, take a deep breath, and then go scream some
more (you should be quite hoarse by now, this is normal).

Good luck! 

~Dain


-----Original Message-----
From: Dhiraj Mahajan [mailto:dhirajsmahajan@xxxxxxxxx] 
Sent: Thursday, November 13, 2008 12:52 AM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Fwd: hi, need help

Some hacker has hacked my website (displaying "hacked by turkish
hacker"). Now what should I do to retrieve my
original website? So please guide me how to get rid of that.

--


Thanks & Regards,


Dhiraj S Mahajan,




------------------------------------------------------------------------
----
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

