
Re: [WEB SECURITY] Fwd: hi, need help



Hi Dhiraj,

First of all, as said by Mike Fratto, you didn't give a lot of information here;
however, here are the steps to follow (those steps must work in nearly every situation).
If you are in a fully hosted environment (with only FTP and HTTP access) you have to call
your hosting provider and ask them to follow those steps. Cracking is a crime; if they don't follow
those steps they might be prosecuted (for evidence destruction).

1- Disconnect the server (if possible)
2- Make a bit-for-bit copy of the disk (dd command in Linux) for future evidence research
3- Check with a hash that the copy is correct; have somebody confirm this
4- If possible (if the website is hosted by a third person they MUST do this step) disconnect the
hard drive to get evidence later.
5- The intrusion has probably occurred through a simple SQL injection somewhere on your site, so get the backup of your webserver and check for any possible way to execute such an attack. If you don't have the resources internally, call a penetration testing company
6- Once the files have been patched, reinstall the system completely and follow the relevant hardening guide
7- Done, you are back online. Now contact the police or a company which is able to perform forensic analysis (police services are relatively busy) so all your money lost might be reimbursed ...

Good luck
Guillaume Vissian
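
Steps 2 and 3 of the list above (bit-for-bit copy with dd, then hash verification confirmed by a second person), as an added example that is not part of the original message. It assumes a Linux host with GNU coreutils; the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: forensic image with dd plus hash verification (steps 2 and 3).
# Assumes GNU coreutils (dd, sha256sum). Function names are hypothetical.

# acquire_image SRC DEST
#   SRC:  evidence disk or file, ideally attached read-only
#   DEST: image file to create on separate storage
# Prints the SHA-256 on success; returns non-zero on any error or mismatch.
acquire_image() {
    src=$1
    dest=$2
    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 2
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing image: $dest" >&2; return 2
    fi
    # Hash the source before copying so the image is compared to the original.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    # Bit-for-bit copy. No conv=sync: padding would change the image hash.
    # dd stops at the first read error, which is treated as a failed copy.
    dd if="$src" of="$dest" bs=4194304 2>/dev/null || return 2
    img_hash=$(sha256sum < "$dest" | cut -d' ' -f1)
    chmod a-w "$dest"   # guard the image against accidental writes
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source=$src_hash image=$img_hash" >&2; return 1
    fi
    # Record the hash beside the image for the second person to check.
    printf '%s  %s\n' "$img_hash" "$(basename "$dest")" > "$dest.sha256"
    echo "$img_hash"
}

# confirm_image DEST
#   Independent confirmation: recompute the image hash and compare it with
#   the recorded one. Returns 0 only if they match.
confirm_image() {
    dest=$1
    ( cd "$(dirname "$dest")" &&
      sha256sum -c "$(basename "$dest").sha256" >/dev/null 2>&1 )
}

# Usage (paths are placeholders):
#   acquire_image /dev/sdX /mnt/evidence/disk.img
#   confirm_image /mnt/evidence/disk.img
```

Work on copies of the image afterwards and keep the recorded hash with the evidence, so any later change to the image is detectable.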




Mike Fratto wrote:
Snarky comments aside, Dhiraj, there isn't much information to work
from. Do you own the computer or are you on a shared host? What
software are you using, like WordPress, Drupal, or something you
wrote? Can you update the server or web application software? Did they
steal your password? Nobody knows.

Here are some thoughts on next steps.

Take the site off-line by disconnecting it from the network if you
can, turning off all services like HTTP, FTP, etc., if you can't
take it off the network, or if you are on a shared host, remove your
web application entirely (archive it, save it) and replace it with
just a plain HTML page.

I am going to assume that if you are using a web app like WordPress or
Drupal, you can try, if you have the skills, to figure out what
happened by poring over the source. Or to get your site back up,
reinstall your web application and patch it up to the most current
version. Be sure to read any security bulletins. Then restore your
data.

If you wrote the code that runs your app in something like PHP or
ruby, well, you will have to figure out what broke and then fix it. I
would suggest you trot on over to OWASP and do some reading, in any
event. http://www.owasp.org/index.php/Category:How_To

mike



On Thu, Nov 13, 2008 at 3:52 AM, Dhiraj Mahajan
<dhirajsmahajan@xxxxxxxxx> wrote:
some hacker has hacked my website. (displaying hacked by turkish
hacker), now what should I do to retrieve my
original website. so please guide me how to get rid of that

--


Thanks & Regards,


Dhiraj S Mahajan,




----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA






Brought to you by http://www.webappsec.org