Hacked by someone known as "Fatal Error"

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Trona, Jan 22, 2013.

  1. Trona macrumors newbie

    Jan 22, 2013
    Bay Area
A couple of sites I host on a Snow Leopard Server got hacked and they replaced the index page with one of their own. I cleaned it up and they came back and left a page that said something like, "Fatal Error ownz you !"

    I had left an open vnc connection to the machine over the internet and I suspect this is the means they used to gain access to the machine. I replaced the damaged files and shut off remote management and control.

    Anyone have experience with this? Anything else I should do? Running a Clamav scan right now on the whole machine to see if they left anything behind. No real damage, but it's a pain in the butt. Any help is welcome.
  2. throAU macrumors 603


    Feb 13, 2012
    Perth, Western Australia
    Ensure your OS is patched
    Restore from backup

Close the hole they used to get in (VNC over the internet, are you serious?)

    Just because no virus is picked up, it doesn't mean that they have not compromised the box's security in other ways.

    Seriously, if you are owned, the only way to be sure is to wipe/reinstall/patch (before exposing to the internet) and restore (data only) from known clean backup.

    Until you can verify the hole they used to exploit you (could be a web-app you are running and not specifically an OS problem) you will continue to get hacked (it's probably an automated scan and compromise tool, not even a human).

    You will need to audit whatever you are exposing to the internet and close the holes, but VNC for a start is an extremely bad idea. That should be firewalled and not exposed to the internet, definitely.
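The first two posts both come down to the same practical question: once the replaced index page is restored, how do you know what else changed? A file-integrity baseline of the web root answers that better than a malware scan, because it reports every added, removed or modified file regardless of whether a scanner recognises it. The script below is an added example, not code from the thread or from Mac OS X Server; it assumes a web root directory is readable, uses a temporary directory with constructed files to simulate the defacement described in the thread, and stores the baseline as JSON. Keep the baseline file off the server (a compromised host can rewrite it along with everything else).

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Strings from the thread's reported defacement page, used only as a
# constructed detection marker for the simulation below.
DEFACEMENT_MARKERS = (b"ownz you",)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root_path).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, dest: str) -> None:
    """Write the baseline as JSON; copy this file off the host before trusting it."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: str) -> dict:
    return json.loads(Path(src).read_text())


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
    }


def grep_markers(root: str, markers=DEFACEMENT_MARKERS) -> list:
    """Case-insensitive search for known defacement text across the web root."""
    root_path = Path(root)
    hits = []
    for p in root_path.rglob("*"):
        if p.is_file() and not p.is_symlink():
            data = p.read_bytes().lower()
            if any(m.lower() in data for m in markers):
                hits.append(p.relative_to(root_path).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Simulate: snapshot a clean web root, deface it, then detect the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "clean" site.
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline_path = root.parent / "baseline-constructed.json"
        save_baseline(build_baseline(tmp), str(baseline_path))

        # Constructed defacement: index replaced, one unexpected file dropped.
        (root / "index.html").write_text("<html><body>Fatal Error ownz you !</body></html>")
        (root / "dropped.php").write_text("<?php /* constructed placeholder for a left-behind file */ ?>")

        report = compare_to_baseline(tmp, load_baseline(str(baseline_path)))
        report["marker_hits"] = grep_markers(tmp)
        baseline_path.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use, run `build_baseline` plus `save_baseline` against the restored web root on a freshly rebuilt machine, and schedule `compare_to_baseline` to run against a copy of that JSON kept elsewhere; any entry under "added" or "modified" that you did not deploy yourself is what to look at first, well before a scanner has a signature for it.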
  3. justperry macrumors G3


    Aug 10, 2007
    In the core of a black hole.
    Found this:

  4. switon macrumors 6502a

    Sep 10, 2012
    RE: VNC and VPN...

    Hi Trona,

    I'd like to make a suggestion, it is just my opinion, and it is free, so you get what you pay for it, but if I were you I would first VPN (encrypted) into my local LAN from the Internet and then run VNC from the VPN connection instead of opening VNC to the Internet. I believe this is much more secure as VPN requires strong authentication and does strong encryption, making the VNC traffic secure.

    ...just a suggestion...

  5. hestepp, Jan 27, 2013
    Last edited: Jan 27, 2013

    hestepp macrumors newbie

    Jan 27, 2013
    The same thing happened to me

    I got an email from one of my employees about our website this morning. I'm running 10.6.8 server. I've cloned the hacked drive. I'm now reinstalling the OS.

    Yesterday, I was working on it remotely over our VPN. The site was fine then. Sometime over night it was hacked. I have not had a chance to look at the logs.

It had been a while since I updated firewall ports. I greatly reduced the number of exposed ports.

A Google search seems to suggest that this is an old hack that affects Microsoft IIS servers. Some of the references date back to 2004. However, I can't find much info about the exploit itself.

    I was planning on updating the server to 10.8 next weekend.

Also, a terminal window was open running a java command:

    server:~ adminuser$ /System/Library/Frameworks/JavaVM.framework/Versions/A/Commands/java ; exit;
