Tracking hack attack on server

Question

Tracking hack attack on server

We had a server hack various websites on our server by defacing the index.html file with racist comments. It looks like there were two attacks, one hacker changed one file and just put his name and the index.html file's date was not altered. The other files were vulgar changes done over a two hour period making it look like they were doing the hacking by hand and not via a script. These files show the timestamp of the changes accurately. The logs show attempts to ssh over a period of hours with a combination of name and password combinations. Our name and password for admin access is very cryptic so I am not sure how they were able to get it. We want to know if there is any log that we can check that might help us track these hackers. The logs files look to have been altered, but I am hoping they missed something.

Power Mac G4 1GHz, Mac OS X (10.4.3), has since been updated to 10.4.4

Posted on Jan 17, 2006 10:50 AM

Reply

Answer 1

Camelot

Level 9

58,593 points

Jan 17, 2006 7:05 PM in response to David Shauger1

A remote user doesn't have to use the admin username and password to get into your system. Any username and password will do. The admin account can have the stongest password in the world but if your 'joe' account has a password 'joe'... oh well.

As for tracking them down, various logs in /var/log should help, specifically /var/log/asl.log which records most activity, including logins (which you can also display using the last command. If you're lucky, and you can narrow down the timeline, this may highlight the account that was compromised and the source IP address of the hacker.

In the meantime, change every password of every user on the system, and consider implementing access control lists to restrict access to your web content to just the users that need it. If you're truly paranoid and think malicious software might have been installed, then reformat the entire machine and rebuild it.

Reply

Answer 2

Mar 7, 2006 6:17 AM in response to Camelot

I have since changed all the passwords and I also reconfigured the router to block all unnecessary ports which are now accessible only on local network or through a VPN connection. I recommend this to everyone as it also block all sorts of probing such as SMB connection attempts that can lower your server performance.

Reply