Account hacked - need security audit now!

Hi Everyone,

We have several domains that have been hacked on our reseller account. When we have had any strange events on any of our other servers we have hired a security company to come in and crawl around to see if we are patched and ok. With a reseller account we have no way of doing that.

So, what we need is someone, a company or person with a good reputation and knowledge of SQL injection to come and go through our accounts and tell us what happened and why.

Any recommendations, from another reseller or JodoHost themselves, will be much appreciated.

We only have one week's worth of log files to go with, and lots of database files that need looking at. 50 domains in all, so please let us know what you think.

Jodo, if you provide this as a service where you can be billed for such a thing please let us know soonest. We are standing by.

Thanks for any help anyone can provide.

Deborah Smith
Server and Technical Support
San Francisco Host
 
You may want to ask on a ticket for this. In addition, were all the domains in a single account or multiple accounts?
 
Thanks for your reply Stephen.

Will Jodo be able to help us figure out what happened? We are willing to pay for an audit as we can't see further back than one week from the logs and we know that there are several domains that have been compromised as far back as early April of this year.

We need solid answers and we need them soon. Our clients need to be aware but we can't tell them anything until we know what happened.

What do I begin to say in the ticket? I spoke with Mohit in Chat and put in a ticket to get backups created for each domain but I am not sure what to do next to get some help.

The injection was used to create an iFrame in every single ASP file on one of our domains and we know others are also injected.

Can you define the difference between a single account or multiple accounts? We only have one reseller account with Jodo that has many domains under it.

Thanks for your help and guidance.

Deborah
 
We can help, but if this goes back to April there is no hope of a restore from before then, no hope at all.

We can typically get more than 7 days of logs, but not always (backups and other sources).

We can do a grep of the logs, but one critically important thing is a timestamp: we need to know when the major action happened or we will be aimlessly searching through many MB of logs without much indication of what happened.

SQL injection may be the most likely cause of this; see the DB section here on the forums, and also the coding forums where there are ongoing discussions about them. This may mean a restore is just an MSSQL DB away, but it may not.
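A worked illustration of the grep-with-a-timestamp approach described above, added here and not part of the thread or of JodoHost's tooling: it parses a constructed IIS 6 W3C log sample (not real data), keeps only the requests within a window around the file's modification time, and flags the indicators worth reading first: SQL keywords in a query string, a POST to an upload script, and a server-side script sitting in a directory that should only hold images. The log lines, the modification time and the indicator list are assumptions for the example. One caveat a practitioner hits immediately: IIS writes W3C log times in UTC, while the modification time read off a file in Explorer is local time, so convert before comparing.

```python
"""Triage IIS W3C log lines around a file-modification timestamp (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample in IIS 6 W3C extended format; not taken from any real server.
# IIS writes W3C times in UTC, so the file mtime below is assumed already converted to UTC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-04-12 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-04-12 03:14:01 10.0.0.5 GET /products.asp id=12 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-12 03:14:09 10.0.0.5 GET /products.asp id=12;DECLARE+@S+VARCHAR(4000);SET+@S=CAST(0x4445434C41524520405420564152434841522832353529+AS+VARCHAR(4000));EXEC(@S);-- 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-12 03:15:30 10.0.0.5 POST /admin/upload.asp - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-12 03:15:44 10.0.0.5 GET /images/shell.asp cmd=dir 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-04-12 09:00:00 10.0.0.5 GET /index.asp - 80 - 198.51.100.20 Mozilla/5.0+(Windows;+U) 200 0 0
"""

# Assumed modification time of the first injected .asp file, converted to UTC.
FILE_MTIME_UTC = datetime(2008, 4, 12, 3, 16, 0)

# Patterns of the hex-encoded DECLARE/CAST/EXEC style injection plus classic shell procs.
SQLI_RE = re.compile(
    r"(\bdeclare\s+@|\bcast\s*\(|\bexec(ute)?\b|xp_cmdshell|sp_oacreate|0x[0-9a-f]{20,}|'\s*or\s+1=1)",
    re.I)
SCRIPT_EXT = ('.asp', '.aspx', '.asa', '.cer', '.cdx', '.php', '.pl', '.cgi')
STATIC_DIRS = ('/images/', '/uploads/', '/upload/', '/files/', '/photos/')


def parse_iis_log(text):
    """Parse W3C lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rec = dict(zip(fields, parts))
        rec['when'] = datetime.strptime(rec['date'] + ' ' + rec['time'], '%Y-%m-%d %H:%M:%S')
        records.append(rec)
    return records


def requests_near(records, when, minutes):
    """Requests within +/- minutes of the file modification time."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    return [r for r in records if lo <= r['when'] <= hi]


def indicators(rec):
    """Reasons a single request deserves a closer look; empty list means nothing seen."""
    reasons = []
    query = unquote_plus(rec.get('cs-uri-query', '-'))  # IIS encodes spaces as '+'
    stem = rec['cs-uri-stem'].lower()
    if SQLI_RE.search(query):
        reasons.append('sql-keywords-in-query')
    if rec['cs-method'].upper() == 'POST' and 'upload' in stem:
        reasons.append('post-to-upload-script')
    if stem.endswith(SCRIPT_EXT) and any(d in stem for d in STATIC_DIRS):
        reasons.append('script-in-static-dir')
    return reasons


def triage(records, when, minutes=30):
    """Flagged (record, reasons) pairs inside the window, in log order."""
    flagged = []
    for rec in requests_near(records, when, minutes):
        reasons = indicators(rec)
        if reasons:
            flagged.append((rec, reasons))
    return flagged


def clients(flagged):
    """Count flagged requests per client IP; one address doing everything is the usual picture."""
    return Counter(rec['c-ip'] for rec, _ in flagged)


if __name__ == '__main__':
    hits = triage(parse_iis_log(SAMPLE_LOG), FILE_MTIME_UTC)
    for rec, reasons in hits:
        print(rec['when'], rec['c-ip'], rec['cs-method'], rec['cs-uri-stem'], reasons)
    print('clients:', dict(clients(hits)))
```

Once a client address and a first request stand out, widen the window and grep the full week for that address and for the same query pattern on the other domains; the indicator list is deliberately small, since the goal at this stage is a starting timestamp, not a complete IDS.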
 
Thanks again Stephen.

We know the files that were modified and we can see some of the time stamps on them.

Will that help find what happened?

I will open a ticket but I am not sure where to start.

I will also take a look at the threads here.

Wish me luck!

Deborah
 
Yes, time stamps will help immensely; it is very hard without them.

If there are files modified on the server side, it sounds like a vulnerable upload script that allowed execution of an asp/perl/php/asp.net defacement script, if I were guessing.
 
Is there a way to test a form on our clients website for the capability of an asp/perl/php/asp.net injection?

Can I test for that?

Two tickets put in with as much information as I have right now. I am a PHP/MySQL Unix geek, so I am really not a Windows-smart sysadmin. Sorry for the vagueness!

;)

Deborah
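One way to test an upload form, and what to change if it fails, as an added example that is not part of the original thread: the probe names below are the file names a tester submits through the form (constructed for the example), `weak_check` models the extension blacklist that many upload scripts of that era use, and `safe_upload_name` is a hardened replacement. The checks are written in Python for illustration; the site's own scripts are classic ASP, so the logic would be ported rather than dropped in. The probes include `shell.asp;.jpg` because IIS 6 executes a name of that shape as ASP, and `shell.cer` because IIS 5/6 map `.cer`, `.asa` and `.cdx` to the ASP handler by default, so a blacklist that only names `.asp` misses them.

```python
"""Weak vs hardened upload filename validation, with tester probe names (added example)."""
import os
import re
import secrets

# Constructed probe names a tester submits through the upload form, one at a time.
PROBES = ['shell.asp', 'shell.ASP', 'shell.cer', 'shell.asp;.jpg', 'shell.asp.jpg',
          '../shell.asp', 'photo.jpg', 'report.pdf']


def weak_check(filename):
    """Typical vulnerable logic: block a short extension list, taken from the name as given.
    Case is not normalised, IIS's extra ASP extensions (.cer/.asa/.cdx) are missing, and
    'shell.asp;.jpg' passes because splitext only sees '.jpg'."""
    ext = os.path.splitext(filename)[1]
    return ext not in {'.asp', '.aspx', '.php'}


ALLOWED = {'.jpg', '.jpeg', '.png', '.gif', '.pdf'}


def safe_upload_name(filename):
    """Hardened: strip any path, lower-case, require exactly one name token and one
    allow-listed extension, and return a server-chosen random name so the submitted
    name never reaches the disk. Returns None when the upload must be refused."""
    base = os.path.basename(filename.replace('\\', '/')).lower()
    # A ';' or a second '.' segment can be read as another extension by the server
    # (the IIS 6 'file.asp;.jpg' case), so the whole name must be token + one extension.
    m = re.fullmatch(r'[a-z0-9_-]{1,64}(\.[a-z0-9]{1,5})', base)
    if not m or m.group(1) not in ALLOWED:
        return None
    return secrets.token_hex(8) + m.group(1)


def probe(check):
    """Run every probe name through a validator; the result table is what a tester reports."""
    return {name: check(name) for name in PROBES}


if __name__ == '__main__':
    print('weak   :', probe(weak_check))
    print('hardened:', probe(safe_upload_name))
```

A filename check alone is not the whole fix: the upload directory should also have script execution disabled in IIS, so that a file which slips through is served as bytes rather than run.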
 
What security measures are in place on the servers to help with this type of an attack?

Do we have a firewall? URLScan? Windows Defender?

Thanks!

Deborah
 
There's a firewall, but such is not what happened to you; SQL injections don't change PAGE contents, only the DB.
 
I have a feeling that some of the pages were created with a CMS, which means they were dynamically created via a DB entry (after a login/pass type of thing).

Lots of CMSs do this from a back-end form type of entry point.

Otherwise it has to be a password compromise in order to change the contents of a page.

In the recent case it was an iframe put just above the ending point of an ASP file: after the closing <html> tag, at the very, very bottom of each file in the hacked domain.

It would take quite a while to hack 158 files if it was all generated by hand, right?

Thanks for your input.

Deborah
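Since the modified files are known and the iframe sits after the closing html tag of each one, the quickest way to collect the timestamps the host asked for and a list of the payload addresses is to scan the tree rather than open 158 files. The following is an added example, not code from the thread or from JodoHost, run against a constructed three-page site; the file names and the iframe address are made up. It records each file's modification time before touching anything, counts the iframe src values (one address repeated across every file is the signature of a scripted run), and only then strips the tail, copying the original aside as evidence. Files are read and written as latin-1 so the bytes of a classic ASP page round-trip unchanged.

```python
"""Find, date and strip an iframe injected after </html> in ASP/HTML files (added example)."""
import os
import re
import shutil
import tempfile
from collections import Counter
from datetime import datetime

IFRAME_RE = re.compile(r'<iframe\b[^>]*>.*?</iframe>', re.I | re.S)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
PAGE_EXTS = ('.asp', '.aspx', '.htm', '.html', '.inc')


def split_injection(content):
    """If an <iframe> appears after the last </html>, return (clean_content, injected_tail);
    otherwise (content, None). Anything legitimately after </html> is only whitespace."""
    idx = content.lower().rfind('</html>')
    if idx == -1:
        return content, None
    end = idx + len('</html>')
    tail = content[end:]
    if IFRAME_RE.search(tail):
        return content[:end] + '\r\n', tail.strip()
    return content, None


def scan_tree(root):
    """Walk root and return one finding per injected page. The mtime is recorded here,
    before any cleanup, because it is the timestamp needed to grep the server logs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PAGE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                content = fh.read().decode('latin-1')
            _, injected = split_injection(content)
            if injected is not None:
                m = SRC_RE.search(injected)
                findings.append({
                    'path': path,
                    'mtime': datetime.fromtimestamp(os.path.getmtime(path)),
                    'src': m.group(1) if m else None,
                    'injected': injected,
                })
    return findings


def payload_sources(findings):
    """Count iframe src values across all findings."""
    return Counter(f['src'] for f in findings)


def earliest_mtime(findings):
    """Earliest modification time seen: the anchor for the log search."""
    return min(f['mtime'] for f in findings) if findings else None


def clean_file(path):
    """Keep the original as path + '.hacked' (evidence), then rewrite the page without the tail.
    Returns True if something was removed."""
    with open(path, 'rb') as fh:
        content = fh.read().decode('latin-1')
    clean, injected = split_injection(content)
    if injected is None:
        return False
    shutil.copy2(path, path + '.hacked')
    with open(path, 'wb') as fh:
        fh.write(clean.encode('latin-1'))
    return True


# Constructed payload for the sample site; the address is made up for the example.
INJECTED_TAIL = ('\r\n<iframe src="http://malicious.example/in.cgi?3" width=1 height=1 '
                 'style="visibility:hidden"></iframe>')


def build_sample_site(root=None):
    """Constructed sample: three classic ASP pages, two carrying the injected iframe."""
    root = root or tempfile.mkdtemp()
    page = '<%@ Language=VBScript %>\r\n<html><body>Hello <% Response.Write Now() %></body></html>\r\n'
    pages = {'default.asp': page + INJECTED_TAIL, 'about.asp': page,
             os.path.join('shop', 'cart.asp'): page + INJECTED_TAIL}
    for rel, body in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(body.encode('latin-1'))
    return root


if __name__ == '__main__':
    site = build_sample_site()
    found = scan_tree(site)
    print('earliest modification:', earliest_mtime(found))
    print('payload sources:', dict(payload_sources(found)))
    for f in found:
        print(f['mtime'], f['path'])
        clean_file(f['path'])
    print('remaining after cleanup:', len(scan_tree(site)))
```

Stripping the tail restores the pages but closes nothing; the earliest mtime and the src address are the two facts to hand the host for the log grep, and the `.hacked` copies are what an auditor will want to see untouched.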
 
I can almost guarantee you it wasn't created by hand. :) It was some script that defaced it.
 
Just found this post, and though this response is late, I thought I'd provide a suggestion that has worked for my clients.

1. Subscribe to a service like ScanAlert/McAfee Secure.
2. Use a security auditing tool. Some are very expensive, like Acunetix or Cenzic. A free open-source option that is pretty good is Nessus.
 