Skip to main content

Questions tagged [hacking]

Hacking is the violation of server or network security via exploitation of weaknesses in that security.

Filter by
Sorted by
Tagged with
632 votes
13 answers
168k views

How do I deal with a compromised server?

This is a Canonical Question about Server Security - Responding to Breach Events (Hacking) See Also: Tips for Securing a LAMP Server Reinstall after a Root Compromise? Canonical ...
gunwin's user avatar
  • 6,420
74 votes
3 answers
153k views

Block range of IP Addresses

I am getting bombarded with attempted hacks from China all with similar IPs. How would I block the IP range with something like 116.10.191.* etc. I am running Ubuntu Server 13.10. The current line ...
Stephen Cioffi's user avatar
73 votes
15 answers
55k views

Should I respond to an "ethical hacker" who's requesting a bounty?

I run a small internet based business from home and make a living at it to feed my family, but I'm still a one man show and internet security is far from my area of expertise. Yesterday I received two ...
Vincent's user avatar
  • 818
58 votes
6 answers
6k views

Reinstall after a Root Compromise?

After reading this question on a server compromise, I started to wonder why people continue to seem to believe that they can recover a compromised system using detection/cleanup tools, or by just ...
Zoredache's user avatar
  • 132k
41 votes
11 answers
2k views

Got Hacked. Want to understand how

Someone has, for the second time, appended a chunk of javascript to a site I help run. This javascript hijacks Google adsense, inserting their own account number, and sticking ads all over. The ...
Lothar_Grimpsenbacher's user avatar
40 votes
10 answers
57k views

How do I know if my Linux server has been hacked?

What are the tell-tale signs that a Linux server has been hacked? Are there any tools that can generate and email an audit report on a scheduled basis?
cowgod's user avatar
  • 3,530
39 votes
7 answers
18k views

How can I block hacking attempts targeting phpMyAdmin?

My website gets thousands of hits daily from different IPs trying to access: /php-myadmin/ /myadmin/ /mysql/ ...and thousands of other variations. None of these directories exist, I don't even have ...
amba88's user avatar
  • 513
31 votes
4 answers
8k views

Weird SSH, Server security, I might have been hacked

I am not sure if I've been hacked or not. I tried to log in through SSH and it wouldn't accept my password. Root login is disabled so I went to rescue and turned root login on and was able to log in ...
PhysiOS's user avatar
  • 442
29 votes
1 answer
5k views

How to do a post-mortem of a server hack

I have a Windows Server 2003 SP2 machine with IIS6, SQL Server 2005, MySQL 5 and PHP 4.3 installed on it. This is not a production machine, but it is exposed to the world via a domain name. Remote ...
Chris's user avatar
  • 790
27 votes
14 answers
5k views

HELP! Production DB was SQL INJECTED! [duplicate]

Possible Duplicate: My server's been hacked EMERGENCY Geeze, I'm desperate! A few hours ago our production DB was sql-injected. I know we have some big holes in the system... because we ...
25 votes
16 answers
10k views

192.168.1.x more exploitable?

Our IT services firm is proposing a network reconfiguration to use the IP range 10.10.150.1 – 10.10.150.254 internally as they state the current IP scheme using manufacturer defaults of 192.168.1.x is ...
Michael Glenn's user avatar
24 votes
3 answers
3k views

What can be learned about a user from a failed SSH attempt?

What can be learned about a 'user' from a failed malicious SSH attempt? User name entered (/var/log/secure) Password entered (if configured, i.e. by using a PAM module) Source IP address (/var/log/...
Exbi's user avatar
  • 373
23 votes
4 answers
20k views

Someone is trying to brute force SSH access to my server [duplicate]

By coincidence I looked at my servers ssh log (/var/log/auth.log) and I noticed that someone is constantly trying to gain access: Sep 7 13:03:45 virt01 sshd[14674]: pam_unix(sshd:auth): ...
Vingtoft's user avatar
  • 1,597
21 votes
6 answers
49k views

Is this server hacked or just login attempts ? See log

Can someone tell what does this mean? I tried a command like lastb to see last user logins and I see some strange logins from China (server is EU, I am in EU). I was wondering if these could be login ...
adrianTNT's user avatar
  • 1,169
21 votes
4 answers
12k views

Nginx 400 errors due to random encoded string starting with "\x" from random IP addresses

I assume these are some sort of bots, but would like to know what are they trying to do to my server. The logs in questions are below and the IP address has been changed from the original. 12.34.56....
adnans's user avatar
  • 313
18 votes
7 answers
9k views

Should I bother to block these rather lame attempts at hacking my server?

I'm running a LAMP stack, with no phpMyAdmin (yes) installed. While poking through my Apache server logs I noticed things like: 66.184.178.58 - - [16/Mar/2010:13:27:59 +0800] "GET / HTTP/1.1" 200 ...
Journeyman Geek's user avatar
17 votes
9 answers
2k views

How to Slow Down a Hacker

Some script kiddie in Delhi, India has been trying to hack our site since last night. He wrote a browser script that makes requests of our server in massive nested loops, trying everything under the ...
Flipster's user avatar
  • 271
17 votes
3 answers
14k views

How can I detect unwanted intrusions on my servers?

How are other admins monitoring their servers to detect any unauthorized access and/or hacking attempts? In a larger organization it's easier to throw people at the problem but in a smaller shop how ...
Paul Mrozowski's user avatar
16 votes
11 answers
2k views

Is there a standard method of proving password security to non-mathematicians?

My client has a server that is being subjected to brute-force login attempts from a botnet. Due to the vagaries of the server and the client's client, we can't easily block the attempts through a ...
Porks's user avatar
  • 163
15 votes
1 answer
4k views

Potential hijacked SSH session & SSH best practices

I'm freaking out a little bit at the moment. I am SSHing into a remote server that I have recently commissioned. I'm doing this as root. I have installed fail2ban and had a massive amount of banned ...
MarMan29's user avatar
  • 343
15 votes
8 answers
6k views

What are main steps doing forensic analysis of linux box after it was hacked?

What are main steps doing forensic analysis of linux box after it was hacked? Lets say it is a generic linux server mail/web/database/ftp/ssh/samba. And it started sending spam, scanning other ...
Kazimieras Aliulis's user avatar
14 votes
4 answers
14k views

Can a virtual machine (VM) "hack" another VM running on the same physical machine?

Questions: if a VM is corrupted (hacked), what do I risk on others VMs running on the same physical machine? What kind of security issues is there between VMs running on the same physical host? Is ...
Totor's user avatar
  • 3,018
14 votes
9 answers
9k views

SSH server zero-day exploit - Suggestions to protect ourselves

According to the Internet Storm Center, there seems to be a SSH zero-day exploit out there. There is some proof of concept code in here and some reference: http://secer.org/hacktools/0day-openssh-...
sucuri's user avatar
  • 2,887
14 votes
3 answers
10k views

Stop China from connecting to my Google Compute Engine server

My company has a Google Compute Engine server hosted in North America. We get so many Chinese IP addresses sending requests to port 11 that it is costing us money for the ingress. Our firewall blocks ...
josh123a123's user avatar
13 votes
10 answers
1k views

What is the best way to gain access when the password is unknown?

If you were provided a computer running Windows 2000 or newer and you have no passwords, what method do you use to gain access with administrator privileges so you can use the system?
spoulson's user avatar
  • 2,183
12 votes
12 answers
3k views

Is it ethical to hack real systems? [closed]

Is it ethical to hack real systems owned by someone else? Not for profit, but to test your security knowledge and learn something new. I talk only about hacks, which does not make any damage to system,...
12 votes
11 answers
2k views

Site hacked, looking for security advice [duplicate]

Possible Duplicate: My server's been hacked EMERGENCY Last weekend my company's site was hacked. They did the nicest thing of doing that on a Friday evening so we only noticed the attack on ...
user avatar
12 votes
8 answers
3k views

is this a hack attempt?

Looking through my 404 logs I noticed the following two URLs, both of which occurred once: /library.php=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ and ...
Drew's user avatar
  • 661
12 votes
6 answers
8k views

Should I report hacking attempts?

I am running a small (Windows-based) server. When I check the logs, I see a steady flow of (unsuccesfull) password-guessing hacking attempts. Should I try to report those attempts to the owners of the ...
Mormegil's user avatar
  • 727
12 votes
2 answers
2k views

ubuntu 10.10 sshd contains "YOU WANNA SMOKE A SPLIFF" and pot leaf ascii art. Does this mean I've been hacked?

My sshd binary on an ubuntu 10.10 machine contains the following ascii artwork: ng: %.100sToo many lines in environment file %sUser %.100s not allowed because %s exists YOU WANNA . ...
Josh Knauer's user avatar
11 votes
7 answers
3k views

Hacking prevention, forensics, auditing and counter measures

Recently (but it is also a recurrent question) we saw 3 interesting threads about hacking and security: How do I deal with a compromised server?. Finding how a hacked server was hacked File ...
tmow's user avatar
  • 1,227
10 votes
5 answers
4k views

How did Matasano get hacked?

from: http://seclists.org/fulldisclosure/2009/Jul/0388.html If I understand it best from the posts from: http://news.ycombinator.com/item?id=723798 the Matasano guys left sshd internet accessible - ...
user14898's user avatar
  • 225
10 votes
6 answers
973 views

What are the attack vectors for passwords sent over http?

I am trying to convince a customer to pay for SSL for a web site that requires login. I want to make sure I correctly understand the major scenarios in which someone can see the passwords that are ...
KevinM's user avatar
  • 203
10 votes
1 answer
1k views

Security Wordpress on IIS hosted sites.

Since yesterday I,ve got strange things happening on one of my websites. The index.php of my wordpress site on IIS changed from 1 kb to 80 KB. Also map.xml and sitemap.xml are new in the directory. ...
Lt Lev's user avatar
  • 101
10 votes
2 answers
8k views

My linux server was hacked. How do I find out how and when it was done?

I have a home server running a desktop ubuntu distribution. I found this in my crontab * * * * * /home/username/ /.access.log/y2kupdate >/dev/null 2>&1 and when looking in that directory (...
Jonatan Kallus's user avatar
9 votes
4 answers
15k views

has my server been hacked w00tw00t.at.ISC.SANS.DFind

I'm quite sure my server's been hacked. I'm seeing these entries in my access log as the last two before a series of 500 error messages, It's related to the DB but I haven't found out the exact error ...
Jakob's user avatar
  • 201
9 votes
2 answers
2k views

Dissecting a website attack through a compromised FTP account

My site has been hacked and at this point, I know some details, but I'm at a loss at exactly how it happened or how to prevent it in the future. I need your help in trying to dissect the attack so ...
Dear Abby's user avatar
9 votes
5 answers
359 views

My site was recently attacked. What do I do?

This is a first for me. One of the sites I run was recently attacked. Not at all an intelligent attack - pure brute force - hit every page and every non-page with every extension possible. Posted ...
chrishomer's user avatar
8 votes
3 answers
3k views

Unsecured MySQL 'root'@'localhost' account accessed remotely?

A little background: We've just had our PBX system hacked. The server itself seems secure (no logged unauthorised console access - SSH etc), but somehow the hackers have managed to inject a new admin ...
TFk's user avatar
  • 83
7 votes
3 answers
770 views

What is the ip range of EC2

I'd like to setup a rule to block ssh request from EC2 since I've been seeing a large amount of ssh based attack from there and was wondering if anyone knew what their IP ranges are. EDIT: Thank you ...
Nicolas Kassis's user avatar
7 votes
4 answers
374 views

Could/Should you be held liable for server vulnerabilities? [closed]

Is there precedent in North America or elsewhere where a server administrator was held accountable for leaving a server vulnerable? For example, if there is a known exploit in IIS - Microsoft issue ...
jfrobishow's user avatar
7 votes
3 answers
4k views

Could this server log mean my server is being used as a proxy?

I came across the following entry in my access.log: 58.218.199.147 - - [05/Jun/2012:12:56:04 +1000] "GET http://proxyproxys.com/ HTTP/1.1" 200 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5....
So Over It's user avatar
7 votes
2 answers
4k views

Bypassing htaccess restrictions?

I found this in my apache access logs access.log:555.555.555.555 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 ...
Hrvoje Špoljar's user avatar
6 votes
4 answers
2k views

My linux box has been hacked. Some files are undeletable even by root. How can I replace them?

An intruder tried to install a rootkit on my box. I want it back, before reinstallation. How do I replace invalid files installed by the attacker? I cannot chown or rm them. It says "Operation not ...
silviot's user avatar
  • 291
6 votes
6 answers
3k views

Attempted hack on VPS, how to protect in future, what were they trying to do? [duplicate]

UPDATE: They're still here. Help me stop or trap them! Hi SF'ers, I've just had someone hack one of my clients sites. They managed to get to change a file so that the checkout page on the site writes ...
Moin Zaman's user avatar
6 votes
9 answers
2k views

Is it worth hiring a hacker to perform some penetration testing on my servers? [closed]

I'm working in a small IT company with paranoid clients, so security has always been an important consideration to us. In the past, we've already mandated penetration testing from two independent ...
Brann's user avatar
  • 630
6 votes
7 answers
4k views

How Could My Website Be Hacked

I wonder how this could happen. Someone deleted my index.php files from all my domains and puts his own index.php files with the next message: Hacked by Z4i0n - Fatal Error - 2009 [Fatal Error ...
kiewic's user avatar
  • 175
6 votes
7 answers
1k views

Website hacked again

Final Update: Things have been peaceful for the past few weeks and taught me much more about website security and risks. Here's my version of story - I was using an older version of wordpress and ...
Arpit Tambi's user avatar
6 votes
1 answer
1k views

Apache 2.4 log PHP command 200 success, but what is it doing? POST /?q=die('z!a'.'x'); etc

I am running a CentOS 7.x VPS with Apache 2.4.29 and PHP 7.0.28 and I started seeing the following in my logs. I have php.ini secured as best as I can from articles online for a while now, but I am ...
Tim's user avatar
  • 203
6 votes
5 answers
9k views

.htaccess being hacked repeatedly [duplicate]

About 4 or 5 days ago, a client came back to me saying that their site was being redirected to some other suspicious looking website from Google, Yahoo, etc., but it was working fine when the user ...
Aditya M P's user avatar

1
2 3 4 5
10