MacRumors Forums > Apple Systems and Services > OS X > Mac OS X Server, Xserve, and Networking

Jan 23, 2013, 01:07 AM #1
Trona
macrumors newbie
 
Join Date: Jan 2013
Location: Bay Area
Hacked by someone known as "Fatal Error"

A couple of sites I host on a Snow Leopard Server got hacked and they replaced the index page with one of their own. I cleaned it up and they came back and left a page that said something like, "Fatal Error ownz you !"

I had left an open VNC connection to the machine over the internet, and I suspect this is the means they used to gain access to the machine. I replaced the damaged files and shut off remote management and control.

Anyone have experience with this? Anything else I should do? Running a ClamAV scan right now on the whole machine to see if they left anything behind. No real damage, but it's a pain in the butt. Any help is welcome.
Jan 23, 2013, 01:11 AM #2
throAU
macrumors 68030
 
Join Date: Feb 2012
Location: Perth, Western Australia
Wipe
reinstall
Ensure your OS is patched
Restore from backup

Close the hole they used to get in (VNC over the internet, are you serious?)


Just because no virus is picked up, it doesn't mean that they have not compromised the box's security in other ways.

Seriously, if you are owned, the only way to be sure is to wipe/reinstall/patch (before exposing to the internet) and restore (data only) from known clean backup.

Until you can verify the hole they used to exploit you (could be a web-app you are running and not specifically an OS problem) you will continue to get hacked (it's probably an automated scan and compromise tool, not even a human).

You will need to audit whatever you are exposing to the internet and close the holes, but VNC for a start is an extremely bad idea. That should be firewalled and not exposed to the internet, definitely.
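The advice above (restore data only, and find out what was actually touched rather than just putting index.html back) is easier to follow if you have a baseline of the clean web root to diff against. The following is an added example, not code from either post: a Python 3 script that records a SHA-256 and permission bits for every file under a web root, stores that as plain JSON (keep it off the box), and later reports exactly which files were added, removed or changed. Run it from an analyst workstation or after the rebuild; the site tree, file names and "defacement" in `demo()` are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for a web root.

Added example, not code from this thread. After a defacement you want the full
list of files the attacker added, removed or changed, not just the index page
you noticed. Take the baseline right after the clean rebuild and keep it off
the box. Python 3; the site tree below is constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of one file, streamed so big uploads are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> {sha256, mode} for every file under root; symlinks recorded by target."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                # A link pointing outside the web root is a finding in itself.
                manifest[rel] = {"symlink": os.readlink(p)}
            else:
                st = p.stat()
                manifest[rel] = {"sha256": hash_file(p), "mode": oct(st.st_mode & 0o777)}
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified (content or permission bits)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a clean site, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
        (root / "about.html").write_text("<html><body>About us</body></html>\n")
        (root / "css" / "site.css").write_text("body { color: #333; }\n")

        # Round-trip through JSON: this is the artefact you would store off-box.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Simulated tampering (constructed): index replaced, a file dropped,
        # a legitimate page deleted.
        (root / "index.html").write_text("<html><body>defaced</body></html>\n")
        (root / "x.php").write_text("<?php /* placeholder for a dropped file */ ?>\n")
        (root / "about.html").unlink()

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A "modified" hit can be a content change or a permission change (a file made world-writable shows up with the same hash but a different mode), and a symlink whose target moved outside the web root also shows up as modified. Diff the clone of the compromised disk against the baseline before wiping, so the list of touched files survives the rebuild.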
Jan 23, 2013, 01:19 AM #3
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
Found this:

Quote:
A hacker, identified by his handle s4r4d0, got into the district web server and changed the coding on most of the pages to show a simple white webpage with the phrase, "Fatal Error ownz you ! by s4r4d0." The hacker is from Brazil.
That person, and at least one other, hack websites around the world under the group name Fatal Error, according to multiple posts made in internet forums related to hacking and fixing hacks.
s4r4d0 has posts on multiple hacking websites online claiming credit for numerous hacks, and states he or she has authored scripts - essentially a program that can change information in other programs - for several content management systems.
Jan 27, 2013, 10:33 AM #4
switon
macrumors 6502a
 
Join Date: Sep 2012
RE: VNC and VPN...

Hi Trona,

I'd like to make a suggestion. It is just my opinion, and it is free, so you get what you pay for, but if I were you I would first VPN (encrypted) into my local LAN from the Internet and then run VNC over the VPN connection instead of opening VNC to the Internet. I believe this is much more secure, as VPN requires strong authentication and does strong encryption, making the VNC traffic secure.

...just a suggestion...

Regards,
Switon
Jan 27, 2013, 03:29 PM #5
hestepp
macrumors newbie
 
Join Date: Jan 2013
The same thing happened to me

I got an email from one of my employees about our website this morning. I'm running 10.6.8 server. I've cloned the hacked drive. I'm now reinstalling the OS.

Yesterday, I was working on it remotely over our VPN. The site was fine then. Sometime over night it was hacked. I have not had a chance to look at the logs.

It had been a while since I updated firewall ports. I greatly reduced the number of exposed ports.

A google search seems to suggest that this is an old hack that affects Microsoft IIS servers. Some of the references date back to 2004. However, I can't find much info about the exploit itself.

I was planning on updating the server to 10.8 next weekend.

Also, a terminal window was open running a java command:

server:~ adminuser$ /System/Library/Frameworks/JavaVM.framework/Versions/A/Commands/java ; exit;

Last edited by hestepp; Jan 27, 2013 at 03:36 PM. Reason: Added more info.
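The post above has the two facts a log review needs: the site was intact yesterday afternoon, and it was defaced by this morning. Working from the cloned drive, the first pass through the web logs is to keep only requests inside that window and pull out anything that could have written to the server or that asked for a path the site does not serve. The following is an added example, not code from the thread: a Python 3 triage script for Apache "combined" format lines (the usual Apache default; on Snow Leopard Server the web logs are normally under /var/log/apache2/, which is an assumption to check against your own configuration). The log lines, IP addresses, paths and the `KNOWN_PATHS` set are constructed for the demonstration.

```python
"""Triage of Apache access-log lines around a defacement window.

Added example, not code from this thread. Assumes the web service writes the
Apache "combined" format. The log lines, IP addresses and paths below are
constructed. Python 3.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Methods that can change content on the server, including WebDAV verbs.
WRITE_METHODS = {"POST", "PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_line(line: str):
    """One combined-format line -> dict with an aware datetime, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, start: datetime, end: datetime, known_paths: set) -> list:
    """Keep requests inside [start, end] that are writes or hit paths the site does not serve.

    known_paths is the set of URL paths the clean site really has; anything
    else is a probe or an attempt to reach something that should not be there.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        reasons = []
        if rec["method"] in WRITE_METHODS:
            reasons.append("write method")
        if rec["path"].split("?", 1)[0] not in known_paths:
            reasons.append("unknown path")
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


def by_client(findings: list) -> dict:
    """Collapse findings per source IP: count, first/last seen, distinct paths."""
    out = {}
    for rec in findings:
        c = out.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "paths": set()})
        c["count"] += 1
        c["first"] = min(c["first"], rec["ts"])
        c["last"] = max(c["last"], rec["ts"])
        c["paths"].add(rec["path"])
    return out


# Constructed sample: admin browsing the healthy site in the afternoon, an
# overnight scan plus a POST from one address, a visitor the next morning,
# and one line that is not a log record at all.
SAMPLE_LOG = """\
10.0.1.5 - - [26/Jan/2013:15:02:11 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.1.5 - - [26/Jan/2013:15:02:12 -0800] "GET /css/site.css HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.77 - - [27/Jan/2013:02:13:40 -0800] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.77 - - [27/Jan/2013:02:13:44 -0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.77 - - [27/Jan/2013:02:14:02 -0800] "POST /upload.php HTTP/1.1" 200 14 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Jan/2013:08:30:05 -0800] "GET /index.html HTTP/1.1" 200 47 "-" "Mozilla/5.0"
this line is not a log record
"""
KNOWN_PATHS = {"/index.html", "/about.html", "/css/site.css"}


def demo() -> dict:
    """Window: last time the site was seen intact to the time the report came in."""
    pst = timezone(timedelta(hours=-8))
    start = datetime(2013, 1, 26, 17, 0, tzinfo=pst)
    end = datetime(2013, 1, 27, 8, 0, tzinfo=pst)
    return by_client(triage(SAMPLE_LOG.splitlines(), start, end, KNOWN_PATHS))


if __name__ == "__main__":
    for ip, c in demo().items():
        print(ip, c["count"], c["first"].isoformat(), c["last"].isoformat(), sorted(c["paths"]))
```

The per-client summary gives you a source address and a first/last timestamp to line up against file modification times on the clone; a write-method request with a 2xx status inside the window is the line to look at first. Feed it the real log with `triage(open(path), start, end, known)` and build `known` from the file list of the clean site rather than guessing.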