Questions tagged [hacking]
Hacking is the violation of server or network security via exploitation of weaknesses in that security.
483 questions

632 votes, 13 answers, 168k views
How do I deal with a compromised server?
This is a Canonical Question about Server Security - Responding to Breach Events (Hacking)
See Also:
Tips for Securing a LAMP Server
Reinstall after a Root Compromise?
Canonical ...

74 votes, 3 answers, 153k views
Block range of IP Addresses
I am getting bombarded with attempted hacks from China, all with similar IPs.
How would I block the IP range with something like 116.10.191.* etc.?
I am running Ubuntu Server 13.10.
The current line ...
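Turning a dotted wildcard such as 116.10.191.* into the CIDR block a firewall understands, merging neighbouring blocks, and checking against the log that the block really is the one producing the noise. This is an added example and not the asker's configuration or an answer from the page; it is written in Python so it can be tested offline, it only prints the iptables and ufw commands rather than running them, and the sshd log lines it scans are constructed (addresses chosen to fall inside and outside the pattern).

```python
import ipaddress
import re
from typing import Iterable, List


def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn a dotted wildcard such as '116.10.191.*' (or '116.10.*.*') into the CIDR
    block a firewall understands. Wildcards are accepted only as trailing octets."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets, got {pattern!r}")
    fixed: List[str] = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(str(int(octet)))          # int() rejects non-numeric garbage
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing octets: {pattern!r}")
    if not fixed:
        raise ValueError("refusing to turn an all-wildcard pattern into 0.0.0.0/0")
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{address}/{8 * len(fixed)}")   # raises if an octet > 255


def collapse(patterns: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent blocks (116.10.190.* and 116.10.191.* become 116.10.190.0/23)
    so the firewall gets the fewest rules that still cover every pattern."""
    return list(ipaddress.collapse_addresses(wildcard_to_network(p) for p in patterns))


def firewall_rules(net: ipaddress.IPv4Network) -> List[str]:
    """Equivalent DROP rules for raw iptables and for ufw (Ubuntu's front end).
    '-I INPUT' and 'insert 1' put the rule first so it wins over any later ACCEPT."""
    return [
        f"iptables -I INPUT -s {net} -j DROP",
        f"ufw insert 1 deny from {net}",
    ]


_FROM_IP = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def hits_in(net: ipaddress.IPv4Network, auth_log_lines: Iterable[str]) -> int:
    """Count sshd log lines whose source address lies inside the block, to confirm the
    range you are about to drop is the one generating the attempts."""
    count = 0
    for line in auth_log_lines:
        m = _FROM_IP.search(line)
        if m and ipaddress.ip_address(m.group(1)) in net:
            count += 1
    return count


# Constructed auth.log excerpt: three attempts from inside the pattern, one legitimate login outside it.
SAMPLE_AUTH_LOG = [
    "Mar 12 03:14:01 host sshd[2201]: Failed password for root from 116.10.191.17 port 40122 ssh2",
    "Mar 12 03:14:05 host sshd[2203]: Failed password for invalid user admin from 116.10.191.203 port 40130 ssh2",
    "Mar 12 03:14:09 host sshd[2207]: Failed password for root from 116.10.190.8 port 40144 ssh2",
    "Mar 12 03:15:00 host sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2",
]

if __name__ == "__main__":
    for net in collapse(["116.10.190.*", "116.10.191.*"]):
        print(f"# {hits_in(net, SAMPLE_AUTH_LOG)} attempts from {net} in the sample log")
        for rule in firewall_rules(net):
            print(rule)
```

Rules added with a bare iptables call are gone after a reboot unless saved (iptables-persistent, or let ufw own the rule set), and dropping a /24 stops the noise rather than the exposure: key-only authentication and a fail2ban jail on sshd are what actually close the door.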

73 votes, 15 answers, 55k views
Should I respond to an "ethical hacker" who's requesting a bounty?
I run a small internet based business from home and make a living at it to feed my family, but I'm still a one man show and internet security is far from my area of expertise.
Yesterday I received two ...

58 votes, 6 answers, 6k views
Reinstall after a Root Compromise?
After reading this question on a server compromise, I started to wonder why people continue to seem to believe that they can recover a compromised system using detection/cleanup tools, or by just ...

41 votes, 11 answers, 2k views
Got Hacked. Want to understand how
Someone has, for the second time, appended a chunk of JavaScript to a site I help run. This JavaScript hijacks Google AdSense, inserting their own account number, and sticking ads all over.
The ...

40 votes, 10 answers, 57k views
How do I know if my Linux server has been hacked?
What are the tell-tale signs that a Linux server has been hacked? Are there any tools that can generate and email an audit report on a scheduled basis?

39 votes, 7 answers, 18k views
How can I block hacking attempts targeting phpMyAdmin?
My website gets thousands of hits daily from different IPs trying to access:
/php-myadmin/
/myadmin/
/mysql/
...and thousands of other variations. None of these directories exist, I don't even have ...

31 votes, 4 answers, 8k views
Weird SSH, Server security, I might have been hacked
I am not sure if I've been hacked or not.
I tried to log in through SSH and it wouldn't accept my password. Root login is disabled so I went to rescue and turned root login on and was able to log in ...

29 votes, 1 answer, 5k views
How to do a post-mortem of a server hack
I have a Windows Server 2003 SP2 machine with IIS6, SQL Server 2005, MySQL 5 and PHP 4.3 installed on it. This is not a production machine, but it is exposed to the world via a domain name. Remote ...

27 votes, 14 answers, 5k views
HELP! Production DB was SQL INJECTED! [duplicate]
Possible Duplicate:
My server's been hacked EMERGENCY
Geeze, I'm desperate! A few hours ago our production DB was SQL-injected.
I know we have some big holes in the system... because we ...

25 votes, 16 answers, 10k views
192.168.1.x more exploitable?
Our IT services firm is proposing a network reconfiguration to use the IP range 10.10.150.1 – 10.10.150.254 internally as they state the current IP scheme using manufacturer defaults of 192.168.1.x is ...

24 votes, 3 answers, 3k views
What can be learned about a user from a failed SSH attempt?
What can be learned about a 'user' from a failed malicious SSH attempt?
User name entered (/var/log/secure)
Password entered (if configured, i.e. by using a PAM module)
Source IP address (/var/log/...

23 votes, 4 answers, 20k views
Someone is trying to brute force SSH access to my server [duplicate]
By coincidence I looked at my server's SSH log (/var/log/auth.log) and I noticed that someone is constantly trying to gain access:
Sep 7 13:03:45 virt01 sshd[14674]: pam_unix(sshd:auth): ...
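The question this log raises, and the one the "What can be learned from a failed SSH attempt?" post above asks, is what the lines actually tell you: the username tried, whether that account even exists ("invalid user"), the source address and port, and, critically, whether the same source ever got an "Accepted" line. A guessing run with no success is noise; a guessing run followed by a success from the same address is a compromise indicator. Below is an added example (not the asker's log or an answer from the page) that reads sshd lines in their standard syslog format and draws that distinction; the sample lines are constructed with RFC 5737 documentation addresses and the hostname from the post.

```python
import re
from typing import Dict, Iterable, List

# sshd's two decisive lines. pam_unix(sshd:auth) lines describe the same failures a second
# time, so they are deliberately not counted, or every failure would be doubled.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def _entry(report: Dict[str, dict], ip: str) -> dict:
    return report.setdefault(ip, {"failed": 0, "valid_users": set(), "invalid_users": set(), "accepted": []})


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source address: failure count, which existing and non-existing accounts were
    tried, and every successful login (user, auth method)."""
    report: Dict[str, dict] = {}
    for line in lines:
        m = FAILED.search(line)
        if m:
            e = _entry(report, m["ip"])
            e["failed"] += 1
            (e["invalid_users"] if m["invalid"] else e["valid_users"]).add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            _entry(report, m["ip"])["accepted"].append((m["user"], m["method"]))
    return report


def verdict(entry: dict, threshold: int = 3) -> str:
    """Classify one source. 'compromise-suspected' is the case worth waking up for:
    guessing from an address that then logged in successfully."""
    if entry["failed"] >= threshold and entry["accepted"]:
        return "compromise-suspected"
    if entry["failed"] >= threshold:
        return "brute-force"
    if entry["accepted"]:
        return "login"
    return "noise"


# Constructed sample: a dictionary run that ends in a successful root password login, a small
# run that goes nowhere, and a normal key-based login.
SAMPLE_LOG = [
    "Sep  7 13:03:45 virt01 sshd[14674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root",
    "Sep  7 13:03:47 virt01 sshd[14674]: Failed password for root from 203.0.113.7 port 41822 ssh2",
    "Sep  7 13:03:52 virt01 sshd[14680]: Invalid user admin from 203.0.113.7",
    "Sep  7 13:03:54 virt01 sshd[14680]: Failed password for invalid user admin from 203.0.113.7 port 41830 ssh2",
    "Sep  7 13:04:01 virt01 sshd[14691]: Failed password for invalid user oracle from 203.0.113.7 port 41841 ssh2",
    "Sep  7 13:04:09 virt01 sshd[14702]: Accepted password for root from 203.0.113.7 port 41850 ssh2",
    "Sep  7 13:05:30 virt01 sshd[14733]: Failed password for invalid user test from 198.51.100.9 port 50112 ssh2",
    "Sep  7 13:05:33 virt01 sshd[14733]: Failed password for invalid user test from 198.51.100.9 port 50112 ssh2",
    "Sep  7 13:06:00 virt01 sshd[14750]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2",
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict(entry):20} failed={entry['failed']} "
              f"invalid={sorted(entry['invalid_users'])} accepted={entry['accepted']}")
```

The passwords themselves are not in these lines; sshd only logs them if you add a PAM module or patch for that purpose. With `LogLevel VERBOSE` sshd additionally records the client's key fingerprint on key logins and the client version string on connect, which is useful when deciding whether an "Accepted" line was you.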

21 votes, 6 answers, 49k views
Is this server hacked or are these just login attempts? See log
Can someone tell me what this means? I tried a command like lastb to see last user logins and I see some strange logins from China (server is EU, I am in EU). I was wondering if these could be login ...

21 votes, 4 answers, 12k views
Nginx 400 errors due to random encoded string starting with "\x" from random IP addresses
I assume these are some sort of bots, but would like to know what they are trying to do to my server.
The logs in questions are below and the IP address has been changed from the original.
12.34.56....
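A request field that nginx logs as a run of `\xHH` escapes and answers with 400 is binary, not HTTP. The most common cause is a client speaking TLS to a plain-HTTP listener: the field then begins `\x16\x03`, the TLS handshake record header. That is an assumption about this asker's lines, which are not shown in full; the added example below (not from the page) decodes nginx's escaping and, when the bytes are a TLS ClientHello, reports what the client was asking for, including the SNI hostname, which tells you which name the bot or misconfigured client thought it was talking to. The ClientHello it feeds itself is constructed in code so the block runs offline.

```python
import struct
from typing import Optional


def nginx_unescape(field: str) -> bytes:
    """Undo the escaping nginx applies to $request in access.log: non-printable bytes (and
    the quote and backslash) are written as \\xHH, everything else literally."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1] == "x":
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def nginx_escape(data: bytes) -> str:
    """The inverse, used here only to fabricate a realistic log field from constructed bytes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C) else f"\\x{b:02X}" for b in data)


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello with an SNI extension: what a scanner or a client with
    a wrong port number sends when it expects TLS on a plain-HTTP socket."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension 0 = server_name
    body = (b"\x03\x03"                                     # client_version TLS 1.2
            + bytes(32)                                     # random (zeros: constructed sample)
            + b"\x00"                                       # session_id length 0
            + struct.pack("!H", 4) + b"\x13\x01\xC0\x2F"    # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 0x16 = handshake


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return what a ClientHello reveals (versions, cipher suites, SNI), or None when the bytes
    are not a TLS handshake record. A truncated log field yields whatever parsed before the cut."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return None
    info = {"record_version": (data[1], data[2]), "client_version": None, "cipher_suites": [], "sni": None}
    try:
        p = 9
        info["client_version"] = (data[p], data[p + 1]); p += 2
        p += 32                                              # random
        p += 1 + data[p]                                     # session_id
        cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
        info["cipher_suites"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
        p += cs_len
        p += 1 + data[p]                                     # compression methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            if etype == 0x0000:                              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                info["sni"] = data[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (struct.error, IndexError):
        pass                                                 # field was cut off; keep the partial result
    return info


def explain_request_field(field: str) -> str:
    """One-line reading of the escaped $request value nginx logged next to the 400."""
    info = parse_client_hello(nginx_unescape(field))
    if info is None:
        return "not TLS: some other binary protocol or a malformed request"
    return (f"TLS ClientHello sent to a plain-HTTP port; client version {info['client_version']}, "
            f"{len(info['cipher_suites'])} cipher suites, SNI={info['sni']!r}")


# Constructed log field: the ClientHello above, escaped the way nginx would write it.
SAMPLE_REQUEST_FIELD = nginx_escape(build_client_hello("example.com"))

if __name__ == "__main__":
    print(SAMPLE_REQUEST_FIELD[:48] + "...")
    print(explain_request_field(SAMPLE_REQUEST_FIELD))
```

Bytes that do not start with `\x16\x03` are a different story (other protocols probed on port 80, or deliberately malformed requests looking for parser bugs), and in both cases the 400 means nginx rejected them; the remaining question is only whether the volume justifies a rate limit or a block.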

18 votes, 7 answers, 9k views
Should I bother to block these rather lame attempts at hacking my server?
I'm running a LAMP stack, with no phpMyAdmin (yes) installed. While poking through my Apache server logs I noticed things like:
66.184.178.58 - - [16/Mar/2010:13:27:59 +0800] "GET / HTTP/1.1" 200 ...

17 votes, 9 answers, 2k views
How to Slow Down a Hacker
Some script kiddie in Delhi, India has been trying to hack our site since last night. He wrote a browser script that makes requests of our server in massive nested loops, trying everything under the ...

17 votes, 3 answers, 14k views
How can I detect unwanted intrusions on my servers?
How are other admins monitoring their servers to detect any unauthorized access and/or hacking attempts? In a larger organization it's easier to throw people at the problem but in a smaller shop how ...

16 votes, 11 answers, 2k views
Is there a standard method of proving password security to non-mathematicians?
My client has a server that is being subjected to brute-force login attempts from a botnet. Due to the vagaries of the server and the client's client, we can't easily block the attempts through a ...

15 votes, 1 answer, 4k views
Potential hijacked SSH session & SSH best practices
I'm freaking out a little bit at the moment. I am SSHing into a remote server that I have recently commissioned. I'm doing this as root. I have installed fail2ban and had a massive amount of banned ...

15 votes, 8 answers, 6k views
What are the main steps in a forensic analysis of a Linux box after it was hacked?
What are the main steps in a forensic analysis of a Linux box after it was hacked?
Let's say it is a generic Linux server: mail/web/database/ftp/ssh/samba. And it started sending spam, scanning other ...

14 votes, 4 answers, 14k views
Can a virtual machine (VM) "hack" another VM running on the same physical machine?
Questions:
if a VM is corrupted (hacked), what do I risk on other VMs running on the same physical machine?
What kind of security issues are there between VMs running on the same physical host?
Is ...

14 votes, 9 answers, 9k views
SSH server zero-day exploit - Suggestions to protect ourselves
According to the Internet Storm Center, there seems to be an SSH zero-day exploit out there.
There is some proof of concept code in here and some reference:
http://secer.org/hacktools/0day-openssh-...

14 votes, 3 answers, 10k views
Stop China from connecting to my Google Compute Engine server
My company has a Google Compute Engine server hosted in North America. We get so many Chinese IP addresses sending requests to port 11 that it is costing us money for the ingress. Our firewall blocks ...

13 votes, 10 answers, 1k views
What is the best way to gain access when the password is unknown?
If you were provided a computer running Windows 2000 or newer and you have no passwords, what method do you use to gain access with administrator privileges so you can use the system?

12 votes, 12 answers, 3k views
Is it ethical to hack real systems? [closed]
Is it ethical to hack real systems owned by someone else? Not for profit, but to test your security knowledge and learn something new. I am talking only about hacks which do not do any damage to the system,...

12 votes, 11 answers, 2k views
Site hacked, looking for security advice [duplicate]
Possible Duplicate:
My server's been hacked EMERGENCY
Last weekend my company's site was hacked.
They did the nicest thing of doing that on a Friday evening so we only noticed the attack on ...

12 votes, 8 answers, 3k views
Is this a hack attempt?
Looking through my 404 logs I noticed the following two URLs, both of which occurred once:
/library.php=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
and
...

12 votes, 6 answers, 8k views
Should I report hacking attempts?
I am running a small (Windows-based) server. When I check the logs, I see a steady flow of (unsuccessful) password-guessing hacking attempts. Should I try to report those attempts to the owners of the ...

12 votes, 2 answers, 2k views
Ubuntu 10.10 sshd contains "YOU WANNA SMOKE A SPLIFF" and pot leaf ASCII art. Does this mean I've been hacked?
My sshd binary on an Ubuntu 10.10 machine contains the following ASCII artwork:
ng: %.100sToo many lines in environment file %sUser %.100s not allowed because %s exists YOU WANNA . ...
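Whether a string inside sshd is alarming cannot be settled by reading it; the question is whether the binary on disk is the one the package shipped. On Debian and Ubuntu every package leaves a manifest in /var/lib/dpkg/info/<package>.md5sums (one `<md5>  <path>` per line, paths relative to /), and `debsums` or `dpkg -V` compare against it. The added example below (not from the page or the asker) does the same comparison in Python so the logic is visible, and applies equally to the "tell-tale signs" and "files replaced by a rootkit" posts above. The package tree it checks is constructed in a temporary directory, with one file altered after the manifest was written.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def load_md5sums(path: str) -> Dict[str, str]:
    """Parse a dpkg manifest (/var/lib/dpkg/info/<pkg>.md5sums): '<md5>  <path>' per line,
    paths relative to / and written without the leading slash."""
    expected: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            expected["/" + rel] = digest
    return expected


def md5_of(path: str) -> str:
    h = hashlib.md5()                     # dpkg's manifests are MD5; here it is a cross-check
    with open(path, "rb") as fh:          # against a manifest, not a security primitive
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(md5sums_path: str, root: str = "/") -> Dict[str, str]:
    """Compare every file the package claims to own against the manifest.
    Returns {absolute path: 'OK' | 'MODIFIED' | 'MISSING'}."""
    results: Dict[str, str] = {}
    for path, digest in load_md5sums(md5sums_path).items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "MISSING"
        elif md5_of(full) != digest:
            results[path] = "MODIFIED"
        else:
            results[path] = "OK"
    return results


def build_demo_tree() -> Tuple[str, str]:
    """Constructed stand-in for an installed package: a fake root with two files and a manifest
    listing three, after which the 'sshd' file is altered so the check has something to find."""
    root = tempfile.mkdtemp(prefix="dpkg-verify-demo-")
    files = {
        "usr/sbin/sshd": b"\x7fELF genuine sshd bytes (constructed)",
        "usr/share/man/man8/sshd.8.gz": b"manpage bytes (constructed)",
    }
    lines = []
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        lines.append(f"{hashlib.md5(content).hexdigest()}  {rel}")
    lines.append(f"{hashlib.md5(b'sftp-server (constructed)').hexdigest()}  usr/lib/openssh/sftp-server")
    manifest = os.path.join(root, "openssh-server.md5sums")
    with open(manifest, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    with open(os.path.join(root, "usr/sbin/sshd"), "ab") as fh:   # tamper after the manifest exists
        fh.write(b"\nbytes an attacker appended (constructed)\n")
    return manifest, root


if __name__ == "__main__":
    manifest, root = build_demo_tree()          # on a real host: verify("/var/lib/dpkg/info/openssh-server.md5sums")
    for path, status in sorted(verify(manifest, root).items()):
        print(f"{status:8} {path}")
```

The caveat is that the manifest lives on the same disk the intruder had write access to, and a kernel-level rootkit can lie to any program that reads the file. Treat a clean result from the running system as weak evidence; a mismatch is strong evidence. For a decision you will act on, compare against the package fetched fresh from the mirror, from a live medium, and if a file also refuses `rm` or `chown` as root, `lsattr` will show whether the immutable attribute was set on it.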

11 votes, 7 answers, 3k views
Hacking prevention, forensics, auditing and counter measures
Recently (but it is also a recurrent question) we saw 3 interesting threads about hacking and security:
How do I deal with a compromised server?.
Finding how a hacked server was hacked
File ...

10 votes, 5 answers, 4k views
How did Matasano get hacked?
from: http://seclists.org/fulldisclosure/2009/Jul/0388.html
If I understand it best from the posts from: http://news.ycombinator.com/item?id=723798 the Matasano guys left sshd internet accessible - ...

10 votes, 6 answers, 973 views
What are the attack vectors for passwords sent over http?
I am trying to convince a customer to pay for SSL for a web site that requires login. I want to make sure I correctly understand the major scenarios in which someone can see the passwords that are ...

10 votes, 1 answer, 1k views
WordPress security on IIS-hosted sites
Since yesterday I've got strange things happening on one of my websites.
The index.php of my WordPress site on IIS changed from 1 KB to 80 KB. Also map.xml and sitemap.xml are new in the directory. ...

10 votes, 2 answers, 8k views
My linux server was hacked. How do I find out how and when it was done?
I have a home server running a desktop ubuntu distribution. I found this in my crontab
* * * * * /home/username/ /.access.log/y2kupdate >/dev/null 2>&1
and when looking in that directory (...

9 votes, 4 answers, 15k views
has my server been hacked w00tw00t.at.ISC.SANS.DFind
I'm quite sure my server's been hacked. I'm seeing these entries in my access log as the last two before a series of 500 error messages, It's related to the DB but I haven't found out the exact error ...

9 votes, 2 answers, 2k views
Dissecting a website attack through a compromised FTP account
My site has been hacked and at this point, I know some details, but I'm at a loss at exactly how it happened or how to prevent it in the future. I need your help in trying to dissect the attack so ...

9 votes, 5 answers, 359 views
My site was recently attacked. What do I do?
This is a first for me. One of the sites I run was recently attacked. Not at all an intelligent attack - pure brute force - hit every page and every non-page with every extension possible. Posted ...

8 votes, 3 answers, 3k views
Unsecured MySQL 'root'@'localhost' account accessed remotely?
A little background: We've just had our PBX system hacked. The server itself seems secure (no logged unauthorised console access - SSH etc), but somehow the hackers have managed to inject a new admin ...

7 votes, 3 answers, 770 views
What is the IP range of EC2?
I'd like to set up a rule to block SSH requests from EC2 since I've been seeing a large number of SSH-based attacks from there and was wondering if anyone knew what their IP ranges are.
EDIT:
Thank you ...

7 votes, 4 answers, 374 views
Could/Should you be held liable for server vulnerabilities? [closed]
Is there precedent in North America or elsewhere where a server administrator was held accountable for leaving a server vulnerable?
For example, if there is a known exploit in IIS - Microsoft issue ...

7 votes, 3 answers, 4k views
Could this server log mean my server is being used as a proxy?
I came across the following entry in my access.log:
58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5....
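Several posts on this page are the same question asked of different log lines: requests for /phpmyadmin/ and its variants that do not exist, the "lame" GET sweeps, the `../../../proc/self/environ` traversal, the `w00tw00t.at.ISC.SANS.DFind` scanner signature, and, in the entry just above, a request line carrying an absolute URL, which is how a bot tests whether a server will relay as an open proxy. An added example, not from the page or any of the askers, that classifies Apache/nginx combined-format lines into those categories and counts them per source, which is exactly the logic a fail2ban jail would apply. The log lines are constructed (RFC 5737 addresses), modelled on the fragments quoted in the posts.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Common/combined log format as Apache and nginx write it; trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
ADMIN_PROBE = re.compile(r'/(?:php-?my-?admin\w*|pma|myadmin|mysql(?:admin)?|dbadmin)(?:/|$)', re.I)
TRAVERSAL = re.compile(r'(?:\.\./){2,}|/proc/self/environ|/etc/passwd', re.I)
DFIND = re.compile(r'w00tw00t\.at\.ISC\.SANS\.DFind', re.I)


def classify(request: str) -> str:
    """Label one request line by what the client was fishing for."""
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else request
    if re.match(r'https?://', target, re.I):
        return "proxy-probe"     # absolute URL in the request line: testing us as an open proxy
    if DFIND.search(target):
        return "dfind-scan"      # DFind vulnerability scanner's banner request
    if TRAVERSAL.search(target):
        return "traversal"       # directory traversal / local file inclusion attempt
    if ADMIN_PROBE.search(target):
        return "admin-probe"     # guessing the path of a phpMyAdmin-style console
    return "normal"


def scan(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count suspicious requests per source address; lines that do not parse are skipped."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["request"])
        if label != "normal":
            per_ip[m["ip"]][label] += 1
    return dict(per_ip)


def ban_candidates(per_ip: Dict[str, Counter], threshold: int = 3) -> List[str]:
    """Addresses with at least `threshold` suspicious requests: what a jail keyed on these
    patterns would act on. One stray hit from a legitimate visitor stays below the bar."""
    return sorted(ip for ip, c in per_ip.items() if sum(c.values()) >= threshold)


# Constructed access log, shaped like the fragments quoted in the posts above.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [16/Mar/2010:13:27:59 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2010:13:28:00 +0800] "GET /php-myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2010:13:28:01 +0800] "GET /mysql/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Mar/2010:13:30:12 +0800] "GET /library.php=../../../../../../proc/self/environ HTTP/1.1" 404 209 "-" "libwww-perl/5.8"',
    '198.51.100.7 - - [16/Mar/2010:13:30:13 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"',
    '192.0.2.9 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.20 - - [16/Mar/2010:13:31:00 +0800] "GET / HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = scan(SAMPLE_ACCESS_LOG)
    for ip, counts in sorted(report.items()):
        print(ip, dict(counts))
    print("ban:", ban_candidates(report))
```

On the proxy probe, the status code alone does not say whether the server relayed anything: a server without proxying enabled answers an absolute-URL request from its own document root, so compare the logged size with what `GET /` on your own site returns, and if it differs, check that `ProxyRequests` is off. The other three categories all target files you do not have, so their 404s and 400s are the server working; blocking them is a matter of log volume and bandwidth, not of exposure.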

7 votes, 2 answers, 4k views
Bypassing htaccess restrictions?
I found this in my apache access logs
access.log:555.555.555.555 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 ...

6 votes, 4 answers, 2k views
My linux box has been hacked. Some files are undeletable even by root. How can I replace them?
An intruder tried to install a rootkit on my box. I want it back, before reinstallation.
How do I replace invalid files installed by the attacker?
I cannot chown or rm them.
It says "Operation not ...

6 votes, 6 answers, 3k views
Attempted hack on VPS, how to protect in future, what were they trying to do? [duplicate]
UPDATE: They're still here. Help me stop or trap them!
Hi SF'ers,
I've just had someone hack one of my client's sites. They managed to change a file so that the checkout page on the site writes ...

6 votes, 9 answers, 2k views
Is it worth hiring a hacker to perform some penetration testing on my servers? [closed]
I'm working in a small IT company with paranoid clients, so security has always been an important consideration to us. In the past, we've already mandated penetration testing from two independent ...

6 votes, 7 answers, 4k views
How Could My Website Be Hacked
I wonder how this could happen. Someone deleted my index.php files from all my domains and put his own index.php files with the following message:
Hacked by Z4i0n - Fatal Error - 2009
[Fatal Error ...

6 votes, 7 answers, 1k views
Website hacked again
Final Update:
Things have been peaceful for the past few weeks and taught me much more about website security and risks. Here's my version of story -
I was using an older version of WordPress and ...

6 votes, 1 answer, 1k views
Apache 2.4 log PHP command 200 success, but what is it doing? POST /?q=die('z!a'.'x'); etc
I am running a CentOS 7.x VPS with Apache 2.4.29 and PHP 7.0.28 and I started seeing the following in my logs. I have php.ini secured as best as I can from articles online for a while now, but I am ...

6 votes, 5 answers, 9k views
.htaccess being hacked repeatedly [duplicate]
About 4 or 5 days ago, a client came back to me saying that their site was being redirected to some other suspicious looking website from Google, Yahoo, etc., but it was working fine when the user ...