
Web Server Hacked

When I got a call from a potential renter asking if my web address was correct I wasn't too concerned until I went to my web site and saw that my home page had been replaced with a black page with big bold red letters that said: "F**ked by 7sign". The stars are my input; the hacker used letters.

I've been running Snow Leopard on my Mac Mini Server for just shy of 3 years and this is the first intrusion I've experienced. Very distressing.


I called Apple Care as I still am covered under the AppleCare Protection plan for another couple of weeks. They were very solicitous but told me they could not help and they recommended I change all my passwords and contact a network specialist.


With that lack of help I decided to investigate myself. Here's what I found:


In searching my server I found that for 2 web sites that I host the "index.htm" files had been replaced, a text file "Hei7.asp;.txt" had been added to my web folder, and a text file "0bito.txt" had also been added. There also were some files beginning with "x." that had been added.

I checked Workgroup Manager and found accounts that I had not created.

I checked FTP and found users I had not authorized with full control for read and write. Permissions I had not granted.

I checked the logs based upon the date of the new "index.htm" file and found a couple of entries leading to an IP address that I couldn't track down.

I did a lot of reading on the web.


I deleted all the files that I thought were inserted. I brought back my index.htm files from my Time Machine backup, I then changed permissions on those files and locked them, I deleted all unknown users from Workgroup Manager, I disabled WebDAV, I deleted all unknown users from FTP. I did this over a two-day period. The first day after I found the attack some of the files I deleted were reinstalled. After I completed all of the above I've been free for a couple of days. I'm not running a firewall; I think that's my next step.


I'd love some advice about other steps I should take.

Posted on Jun 27, 2014 7:47 AM
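The sweep below is an added example, not code from the original post or from Apple's server tools. It turns the checks the poster did by hand into shell functions: files in the web root newer than the replaced index.htm, file names matching the indicators the poster listed (a ';' in the name, as in "Hei7.asp;.txt", or an "x." prefix), client addresses that sent write-capable HTTP or WebDAV methods in an Apache combined-format access log, and account names that are not on a baseline list. The web root, access log and account lists built by make_sample_data are constructed for the demonstration; the paths and function names are this example's own. On the server itself, point the functions at the real web root and Apache access log, and produce the current account list with `dscl . -list /Users`.

```sh
#!/bin/sh
# Added example (not from the original post): a post-defacement triage sweep
# that scripts the checks the poster did by hand. POSIX sh, BSD and GNU tools.

# Files under WEBROOT modified after REF_FILE, e.g. the replaced index.htm.
changed_since() {   # changed_since WEBROOT REF_FILE
    find "$1" -type f -newer "$2" | sort
}

# File names carrying the indicators from the post: a ';' in the name (the
# "Hei7.asp;.txt" shape) or an "x." prefix. "x.*" can match legitimate files,
# so review those hits by hand rather than deleting on sight.
suspicious_names() {   # suspicious_names WEBROOT
    find "$1" -type f \( -name '*;*' -o -name 'x.*' \) | sort
}

# Client addresses that used a write-capable HTTP or WebDAV method in an Apache
# combined-format access log, with counts, most active first. A GET of the
# defaced page proves nothing; a PUT or MKCOL against the web root does.
write_requests() {   # write_requests ACCESS_LOG
    awk '$6 ~ /^"(PUT|POST|PROPFIND|PROPPATCH|MKCOL|MOVE|COPY|DELETE)$/ { n[$1]++ }
         END { for (ip in n) printf "%s %d\n", ip, n[ip] }' "$1" | sort -k2,2nr -k1,1
}

# Account names in CURRENT that are absent from BASELINE (one name per line,
# no sorting required). On the server, build CURRENT with: dscl . -list /Users
new_accounts() {   # new_accounts BASELINE CURRENT
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !seen[$0]' "$1" "$2"
}

# Builds a CONSTRUCTED web root, access log and account lists in a temp dir
# and prints the dir path, so the sweep can be demonstrated offline.
make_sample_data() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site"
    printf 'about us\n' > "$d/site/about.htm";      touch -t 201406010000 "$d/site/about.htm"
    printf 'defaced\n'  > "$d/site/index.htm";      touch -t 201406250300 "$d/site/index.htm"
    printf 'dropper\n'  > "$d/site/Hei7.asp;.txt";  touch -t 201406250301 "$d/site/Hei7.asp;.txt"
    printf 'dropper\n'  > "$d/site/0bito.txt";      touch -t 201406250302 "$d/site/0bito.txt"
    printf 'dropper\n'  > "$d/site/x.txt";          touch -t 201406250303 "$d/site/x.txt"
    cat > "$d/access.log" <<'EOF'
203.0.113.9 - - [25/Jun/2014:03:00:12 -0700] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2014:03:01:40 -0700] "PUT /Hei7.asp;.txt HTTP/1.1" 201 0 "-" "-"
198.51.100.7 - - [25/Jun/2014:03:02:03 -0700] "PUT /0bito.txt HTTP/1.1" 201 0 "-" "-"
203.0.113.9 - - [25/Jun/2014:03:05:00 -0700] "GET /about.htm HTTP/1.1" 200 120 "-" "Mozilla/5.0"
EOF
    printf 'admin\njon\n'           > "$d/baseline.txt"
    printf 'admin\njon\nsupport2\n' > "$d/current.txt"
    printf '%s\n' "$d"
}

# Runs every check against the constructed data and cleans up.
demo_sweep() {
    d=$(make_sample_data) || return 1
    echo "== files newer than index.htm";  changed_since "$d/site" "$d/site/index.htm"
    echo "== indicator file names";        suspicious_names "$d/site"
    echo "== write requests by client";    write_requests "$d/access.log"
    echo "== accounts not in baseline";    new_accounts "$d/baseline.txt" "$d/current.txt"
    rm -rf "$d"
}

demo_sweep
```

One caveat on the "locked them" step: the flag the Finder sets when it locks a file (uchg) can be cleared by the file's owner, so locking the restored index.htm does not stop an attacker who still holds an account that owns or can write to it. Files reappearing the day after they were deleted is the sign that the access path, not just the dropped files, was still in place; the unauthorised accounts and FTP users are the thing to remove first, and the write-method addresses from the log are what to look for again afterwards.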

Question marked as Best reply

Posted on Jun 27, 2014 4:07 PM

I am not an expert on internet security (although I do play one on Television! 😁), but I see that no one else has responded to you yet. Hopefully others with more experience will do likewise.


Safari for Snow Leopard maxes out at version 5.1.10. To gain the additional security features available to Safari in version 6, you must upgrade to Lion or the new Mavericks (which I believe has a server version), if your Mac Mini is new enough and has enough RAM to handle Mavericks. If you are not using the Mac Mini for any other purpose this could be a better plan for internet security. BE SURE TO BACKUP OR CLONE your Snow Leopard environment.


Also, you should consider partitioning your hard drive (or add an external drive) and install Mavericks Server there, so that you can dual-boot (System Preferences:Startup Disk) into either flavor of OS X as needed.


Otherwise in Snow Leopard you should consider using a browser that has more security features available to it, such as Chrome.

6 replies
Jun 27, 2014 5:22 PM in response to Jon Davidson1

It sounds like you're running a web server on that Mac, and that the web server got hacked. The version of Safari on the affected machine would not have any role in that, unless you are possibly using Safari to visit websites on your server machine, which would not be advisable. I think that it's unlikely this hack would have occurred through a Safari vulnerability, and I don't actually think there's a vulnerability that would allow this sort of thing in that version of Safari anyway.


Most likely, the access was accomplished through some service you have open internet-wide on your Mac, and that is not properly secured. For example, if you're running an FTP server with weak passwords, it could have been hacked through a brute force attack. You are also running an insecure version of Apache, if you're running the version that comes preinstalled on Snow Leopard. There are many, many ways a web server can be hacked, depending on the software, configuration, etc.


Honestly, I would advise that you don't try to host websites on your Mac. Someone with security expertise could secure it properly, but someone who doesn't have that experience really shouldn't be running a web server. It doesn't cost that much for basic web hosting on a professional web host (I've seen as little as $5/month, plus the domain name registration), and then you have support as well as a server maintained securely by experts.
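As an added example of the brute-force scenario this reply describes (not code from the thread or from any FTP daemon), the script below reports source addresses whose failed FTP logins cross a threshold, how many user names they cycled through, and whether a login from the same address eventually succeeded. The log line shapes, the host name and the addresses are constructed for the demonstration; the failure and success patterns at the top of the awk program are the two things to adapt to whatever your daemon actually writes.

```sh
#!/bin/sh
# Added example (not from the original thread or any ftpd): a brute-force
# report over FTP login log lines. The line shapes are CONSTRUCTED for this
# demo; point the two patterns below at what your daemon actually logs.
#   failure: "... ftpd[PID]: FTP LOGIN FAILED FROM <ip>, <user>"
#   success: "... ftpd[PID]: FTP LOGIN FROM <ip> as <user>"

# For each source address with at least THRESHOLD failures: failure count,
# number of distinct user names tried, and the user name of the first login
# that succeeded after the threshold was reached ("-" if none). Lines are
# read in order, so a success only counts if it came after the failures.
ftp_bruteforce_report() {   # ftp_bruteforce_report LOG THRESHOLD
    awk -v thr="$2" '
        / FTP LOGIN FAILED FROM / {
            ip = $(NF - 1); sub(/,$/, "", ip); user = $NF
            fail[ip]++
            if (!((ip, user) in tried)) { tried[ip, user] = 1; users[ip]++ }
            next
        }
        / FTP LOGIN FROM / {
            ip = $(NF - 2); user = $NF
            if (fail[ip] >= thr && !(ip in after)) after[ip] = user
        }
        END {
            for (ip in fail) if (fail[ip] >= thr)
                printf "%s failures=%d users=%d success_as=%s\n",
                       ip, fail[ip], users[ip], (ip in after) ? after[ip] : "-"
        }' "$1" | sort
}

# CONSTRUCTED sample: one address cycles through three names and then gets
# in as admin; a second address is a real user who mistypes once.
sample_ftp_log() {
    cat <<'EOF'
Jun 25 02:11:03 mini ftpd[4411]: FTP LOGIN FAILED FROM 198.51.100.7, admin
Jun 25 02:11:05 mini ftpd[4412]: FTP LOGIN FAILED FROM 198.51.100.7, admin
Jun 25 02:11:07 mini ftpd[4413]: FTP LOGIN FAILED FROM 198.51.100.7, root
Jun 25 02:11:09 mini ftpd[4414]: FTP LOGIN FAILED FROM 198.51.100.7, webmaster
Jun 25 02:11:12 mini ftpd[4415]: FTP LOGIN FAILED FROM 198.51.100.7, admin
Jun 25 02:11:15 mini ftpd[4416]: FTP LOGIN FROM 198.51.100.7 as admin
Jun 25 08:30:00 mini ftpd[5101]: FTP LOGIN FAILED FROM 203.0.113.9, jon
Jun 25 08:30:20 mini ftpd[5102]: FTP LOGIN FROM 203.0.113.9 as jon
EOF
}

# Writes the sample to a temp file, reports with a threshold of 3, cleans up.
demo_report() {
    log=$(mktemp) || return 1
    sample_ftp_log > "$log"
    ftp_bruteforce_report "$log" 3
    rm -f "$log"
}

demo_report
```

The success_as column is the one to act on: a burst of failures that ends in a login means that account's password was weak enough to be found, so it needs a new password and its sessions and any files it owns reviewed, not just the address blocked. Before deciding which logs to read, list what is actually reachable from the internet: on OS X, `lsof -nP -iTCP -sTCP:LISTEN` shows every TCP listener, and each one the machine does not need for serving pages, FTP included, is a door worth closing.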
