Web Server Hacked
When I got a call from a potential renter asking if my web address was correct, I wasn't too concerned until I went to my web site and saw that my home page had been replaced with a black page with big bold red letters that said: "F**ked by 7sign". The stars are my input; the hacker used letters.
I've been running Snow Leopard on my Mac Mini Server for just shy of 3 years and this is the first intrusion I've experienced. Very distressing.
I called AppleCare as I still am covered under the AppleCare Protection Plan for another couple of weeks. They were very solicitous but told me they could not help, and they recommended I change all my passwords and contact a network specialist.
With that lack of help I decided to investigate myself. Here's what I found:
In searching my server I found that for 2 web sites that I host the "index.htm" files had been replaced, a txt file "Hei7.asp;.txt" had been added to my web folder, and a text file "0bito.txt" had also been added. There also were some files beginning with "x." that had been added.
I checked Workgroup Manager and found accounts that I had not created.
I checked FTP and found Users I had not authorized with full control for read and write. Permissions I had not granted.
I checked the logs based upon the date of the new "index.htm" file and found a couple of entries leading to an IP address that I couldn't track down.
I did a lot of reading on the web.
I deleted all the files that I thought were inserted. I brought back my index.htm files from my Time Machine backup, then changed permissions on those files and locked them. I deleted all unknown users from Workgroup Manager, disabled WebDAV, and deleted all unknown users from FTP. I did this over a two-day period. The first day after I found the attack, some of the files I deleted were reinstalled. After I completed all of the above I've been free for a couple of days. I'm not running Firewall; I think that's my next step.
I'd love some advice about other steps I should take.
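The post describes replaced index.htm files, dropped files, and deleted files reappearing a day later. As an added example (not part of the original post), the script below compares a live web folder against a known-good copy, such as one restored from a backup, and lists files that were added, modified or removed, so it can be re-run to catch files that come back. The function names and the two directory arguments are assumptions made for illustration.

```python
import hashlib
import os
import sys


def snapshot(root):
    """Map each file path (relative to root) to a SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record the link target instead of following it out of the tree.
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(known_good, live):
    """Return (added, modified, missing) lists of relative paths, each sorted."""
    good, now = snapshot(known_good), snapshot(live)
    added = sorted(set(now) - set(good))        # dropped files, e.g. "0bito.txt"
    missing = sorted(set(good) - set(now))      # content the intruder deleted
    modified = sorted(p for p in set(good) & set(now) if good[p] != now[p])
    return added, modified, missing


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py KNOWN_GOOD_DIR LIVE_WEB_DIR")
    added, modified, missing = compare(sys.argv[1], sys.argv[2])
    for label, paths in (("ADDED", added), ("MODIFIED", modified),
                         ("MISSING", missing)):
        for path in paths:
            print(label, path)
```

Comparing by content hash rather than modification time matters here because timestamps on a compromised server can be altered by whoever has write access.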