Topic: Hmm so a friend's corporate website was hacked.
Blayne Bradley
unregistered
posted
Probably shouldn't link to it, but it was hacked by "r14ndoank" of the 'Darklist Crew', apparently an Indonesian hacker group. How should the friend legally respond?
fnwinery.com is the site if you're curious, but proceed at your own risk.
IP: Logged |
posted
Yeah, I wouldn't go there if I were anyone reading this site. There's some nasty JavaScript there. (Don't worry, I practiced safe browsing...)
Legally respond? Ha. Take the site down, restore the site from backups, fix the security holes, perhaps learn what security issue led to the compromise, and start over.
Without knowing more about the site architecture, I can't provide any more specific advice.
Posts: 1813 | Registered: Apr 2001
| IP: Logged |
posted
He doesn't really have a legal option. His main response needs to be technical and customer-oriented: making it so the site is repaired and can't be hacked again, as well as discovering what, if any, customer data was compromised and being honest and forthright about communicating that.
I assume he's in thorough contact with his ISP, who hopefully aren't incompetent/lazy.
At least some parts of his site weren't wiped out (the Shop subdirectory looks intact). Most likely the attack vector was either through a CMS vulnerability or a particular form vulnerability. Using Google cache, I can see they were using Joomla 1.5; if they hadn't kept up with the updates (1.5.22), that's the most likely vector. This is further supported by the Shop subdirectory, which I don't think was Joomla hosted, not being removed. He probably didn't have file system level access, just an upload vulnerability or some such (though index.php shouldn't have been writable by the webserver in a properly configured environment).
If he needs some help, have him compile a list of all extra modules he had installed with versions, along with which version of Joomla he had, and I can at least try to take a look on their vulnerabilities list (or he can, it isn't too hard to browse).
Posts: 15770 | Registered: Dec 2001
| IP: Logged |
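The post above makes the point that index.php should not have been writable by the web server. The following is an added example (not code from the thread or from Joomla) of the check a defender would run on a document root before putting a restored site back up: it walks the tree and flags content files that are world-writable, or that are owned and writable by the web server account. The account name `www-data` is an assumption (a common Debian/Ubuntu default); the document root built by `demo()` is constructed for the example and has nothing to do with the site in the thread.

```python
import os
import pwd
import stat
import tempfile

# File types whose content the server executes or serves verbatim; an attacker
# who can write these owns the site.
CONTENT_SUFFIXES = (".php", ".html", ".htaccess")


def _web_uid(web_user):
    """uid of the web server account, or None if no such account exists here."""
    try:
        return pwd.getpwnam(web_user).pw_uid
    except KeyError:
        return None


def audit_webroot(root, web_user="www-data"):
    """Return root-relative paths of content files the server process could
    overwrite: world-writable, or owned by the server account and owner-writable.
    `web_user` is assumed to be the account the web server runs as."""
    web_uid = _web_uid(web_user)
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(CONTENT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            world_writable = bool(st.st_mode & stat.S_IWOTH)
            server_writable = (
                web_uid is not None
                and st.st_uid == web_uid
                and bool(st.st_mode & stat.S_IWUSR)
            )
            if world_writable or server_writable:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def harden_file(path):
    """Remediation for a flagged file: read-only for everyone but the owner.
    Re-owning the file to the deploy account (chown) is the other half and
    needs root, so it is left to the operator."""
    os.chmod(path, 0o644)


def demo():
    """Build a constructed document root, audit it, fix the findings, re-audit.
    Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    # Constructed layout: two correctly-permissioned files and one that any
    # local process (including a compromised service account) could rewrite.
    layout = {"index.php": 0o644, "shop/cart.php": 0o644, "tmp/up.php": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<?php\n")
        os.chmod(path, mode)
    before = audit_webroot(root)
    for rel in before:
        harden_file(os.path.join(root, rel))
    after = audit_webroot(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("writable content files before:", before)   # ['tmp/up.php']
    print("writable content files after: ", after)    # []
```

Directories that genuinely must accept uploads are a separate case: they can stay writable, but the server should be configured not to execute scripts placed in them, and the audit above will keep reporting any `.php` that lands there, which is the behaviour you want.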
Blayne Bradley
unregistered
posted
I'll let him know, though the friend is more of a go between but I'll try.
IP: Logged |
Blayne Bradley
unregistered
posted
Hmm, my wireless just dropped on me a minute ago:
quote:
[LAN access from remote] from 66.249.71.148:57152 to 192.168.1.103:8080, Wednesday, January 26,2011 15:20:57
[LAN access from remote] from 66.249.71.148:44563 to 192.168.1.103:8080, Wednesday, January 26,2011 15:19:34
[LAN access from remote] from 66.249.71.148:60640 to 192.168.1.103:8080, Wednesday, January 26,2011 15:18:31
Log appears to have been cleared from before it got reset. Is the above something I should be suspicious of, or just Google or something doing something routine?
IP: Logged |
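The router entries quoted in the last post are the kind of thing worth parsing rather than eyeballing. The following is an added example (not from the thread) that parses those three entries in the router's own format, summarizes them per source address (hit count, internal ports touched, time span, whether the target is a private address), and implements forward-confirmed reverse DNS, the standard way to check whether a remote address really belongs to the operator its reverse name claims: the PTR name must end in a domain the operator publishes, and a forward lookup of that name must return the same address, because a PTR record alone is controlled by whoever holds the address block. The suffix `crawler.example.net`, the fake resolver tables and the addresses in them are constructed so the check runs offline; a live check would pass the real `socket`-based lookups and the operator's published suffix.

```python
import ipaddress
import re
import socket
from collections import defaultdict
from datetime import datetime

# The three "[LAN access from remote]" entries quoted in the post above, in the
# router's own format (the forum software ran them onto a single line).
ROUTER_LOG = (
    "[LAN access from remote] from 66.249.71.148:57152 to 192.168.1.103:8080, "
    "Wednesday, January 26,2011 15:20:57 "
    "[LAN access from remote] from 66.249.71.148:44563 to 192.168.1.103:8080, "
    "Wednesday, January 26,2011 15:19:34 "
    "[LAN access from remote] from 66.249.71.148:60640 to 192.168.1.103:8080, "
    "Wednesday, January 26,2011 15:18:31"
)

ENTRY_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"(?P<ts>[A-Za-z]+, [A-Za-z]+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_router_log(text):
    """One dict per entry; entries run together on one line are still found."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            # Router timestamp format: "Wednesday, January 26,2011 15:20:57"
            "time": datetime.strptime(m["ts"], "%A, %B %d,%Y %H:%M:%S"),
        })
    return entries


def summarize(entries):
    """Per source address: how many hits, which internal ports, over how long."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    summary = {}
    for src, hits in by_src.items():
        times = sorted(h["time"] for h in hits)
        summary[src] = {
            "count": len(hits),
            "dports": sorted({h["dport"] for h in hits}),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "internal_target": ipaddress.ip_address(hits[0]["dst"]).is_private,
        }
    return summary


def reverse_lookup(ip):
    """Live PTR lookup (needs network); None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_lookup(host):
    """Live A-record lookup (needs network); empty list on failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


def forward_confirmed_rdns(ip, allowed_suffixes, reverse=reverse_lookup, forward=forward_lookup):
    """Attribute `ip` to an operator only if its PTR name ends in one of
    `allowed_suffixes` AND that name resolves forward to `ip` again.
    Returns (confirmed, hostname)."""
    host = reverse(ip)
    if not host:
        return False, None
    # Exact or dot-delimited suffix match, so "evil-crawler.example.net.attacker.test"
    # and "notcrawler.example.net" do not pass.
    if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
        return False, host
    if ip not in (forward(host) or []):
        return False, host      # PTR name not confirmed by the forward lookup
    return True, host


# Constructed resolver tables for offline use (documentation-range addresses,
# made-up hostnames). 203.0.113.9 is the spoofed case: a plausible PTR name
# whose forward lookup does not point back at it.
FAKE_REVERSE = {
    "198.51.100.7": "crawl-7.crawler.example.net",
    "203.0.113.9": "crawl-9.crawler.example.net",
    "203.0.113.10": "crawler.example.net.attacker.test",
}
FAKE_FORWARD = {
    "crawl-7.crawler.example.net": ["198.51.100.7"],
    "crawl-9.crawler.example.net": ["198.51.100.20"],
}

if __name__ == "__main__":
    for src, info in summarize(parse_router_log(ROUTER_LOG)).items():
        print(src, info)
```

The summary alone tells you the shape of the traffic (one source, one internal port, three hits in a little over two minutes); the attribution step is what turns "looks like a crawler" into something you can act on, and the same function works for any operator that publishes its reverse-DNS domain.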