|Jan 23, 2013, 12:07 AM||#1|
Hacked by someone known as "Fatal Error"
A couple of sites I host on a Snow Leopard Server got hacked and they replaced the index page with one of their own. I cleaned it up and they came back and left a page that said something like, "Fatal Error ownz you !"
I had left an open vnc connection to the machine over the internet and I suspect this is the means they used to gain access to the machine. I replaced the damaged files and shut off remote management and control.
Anyone have experience with this? Anything else I should do? Running a Clamav scan right now on the whole machine to see if they left anything behind. No real damage, but it's a pain in the butt. Any help is welcome.
|Jan 23, 2013, 12:11 AM||#2|
Ensure your OS is patched
Restore from backup
Close the hole they used to get in (VNC over the internet, are you serious?)
Just because no virus is picked up, it doesn't mean that they have not compromised the box's security in other ways.
Seriously, if you are owned, the only way to be sure is to wipe/reinstall/patch (before exposing to the internet) and restore (data only) from known clean backup.
Until you can verify the hole they used to exploit you (could be a web-app you are running and not specifically an OS problem) you will continue to get hacked (it's probably an automated scan and compromise tool, not even a human).
You will need to audit whatever you are exposing to the internet and close the holes, but VNC for a start is an extremely bad idea. That should be firewalled and not exposed to the internet, definitely.
MBP (early 2011) - Core i7 2720 2.2ghz, Hires Glossy, 16GB, Seagate Momentus XT 750GB
Mac Mini (mid 2007) - Core2 Duo 1.8, 2gb, 320gb 7200 rpm
iPhone 4S, iPad 4
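One way to tell whether a site has been touched again after a clean restore, as an added example that is not from this thread or any poster: record a SHA-256 of every file in the web root while it is known clean, keep that baseline off the box, and compare against it later. The web root and file contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root):
    """Map each file under web_root (relative path) to its SHA-256, taken from a known-clean state."""
    root = Path(web_root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def check_against_baseline(web_root, baseline):
    """Return files modified, added or removed since the baseline was recorded."""
    current = build_baseline(web_root)
    modified = sorted(f for f in baseline if f in current and current[f] != baseline[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed web root: snapshot a clean site, then simulate a replaced index page and a dropped extra page."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "about.html").write_text("<html><body>About us</body></html>")
        baseline = build_baseline(root)
        # Changes of the kind described in the thread: index replaced, unknown file added.
        (root / "index.html").write_text("<html><body>replaced content</body></html>")
        (root / "extra.html").write_text("<html><body>unexpected page</body></html>")
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the server cannot write to (a separate machine or read-only media); a baseline kept on a compromised host can be rewritten along with the pages.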
|Jan 27, 2013, 09:33 AM||#4|
RE: VNC and VPN...
I'd like to make a suggestion, it is just my opinion, and it is free, so you get what you pay for it, but if I were you I would first VPN (encrypted) into my local LAN from the Internet and then run VNC from the VPN connection instead of opening VNC to the Internet. I believe this is much more secure as VPN requires strong authentication and does strong encryption, making the VNC traffic secure.
...just a suggestion...
|Jan 27, 2013, 02:29 PM||#5|
The same thing happened to me
I got an email from one of my employees about our website this morning. I'm running 10.6.8 server. I've cloned the hacked drive. I'm now reinstalling the OS.
Yesterday, I was working on it remotely over our VPN. The site was fine then. Sometime over night it was hacked. I have not had a chance to look at the logs.
It had been a while since I updated firewall ports. I greatly reduced the number of exposed ports.
A Google search seems to suggest that this is an old hack that affects Microsoft IIS servers. Some of the references date back to 2004. However, I can't find much info about the exploit itself.
I was planning on updating the server to 10.8 next weekend.
Also a terminal window open running a java command:
server:~ adminuser$ /System/Library/Frameworks/JavaVM.framework/Versions/A/Commands/java ; exit;
Last edited by hestepp; Jan 27, 2013 at 02:36 PM. Reason: Added more info.