
Hacked? How do I find out how?

Posted: Tue Jan 05, 2010 6:52 am
by shiznatix
Hey, long time no posting but I think you guys can help me.

One of the websites I run recently got a nice bit of nasty JavaScript put on the index page. Now, I have no idea how this happened but I really would like to find out.

I don't think they could have guessed the password since it was just a random bunch of letters and numbers and symbols. The server has 3 websites running on it but only the 1 was affected. It's a dedicated box with just those 3 sites on it and I have root and all that jazz.

So, how do I start tracking down the hole? How can I even find out what IP made that change? Where do I start?

Re: Hacked? How do I find out how?

Posted: Tue Jan 05, 2010 8:20 am
by jason
You could always start with looking at logs, date/times for file changes, as well as checking the .bash_history (I think that's the file's name). Granted, this might all be for nothing, but it's a start. Also, confirm that the JavaScript is indeed in the files, and not just included via some banner exchange thing. That's not that uncommon. That would be my first instinct.

Edit: Forgot to mention, I'd also start by changing my passwords, and getting a system admin to make sure the box isn't compromised.
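An added example, not part of either post: one way to combine the two leads above (file change times and logs) is to take each recently modified file under the web root and pull the POST/PUT requests logged within a few minutes of its modification time, which gives candidate source IPs. It assumes an Apache/nginx combined-format access log; the function names, the sample log lines and the temporary web root are all constructed for illustration.

```python
import os, re, tempfile
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: IP - - [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def modified_files(webroot, since):
    """Return [(path, mtime)] for files changed at or after `since` (UTC)."""
    paths = (os.path.join(d, n) for d, _s, names in os.walk(webroot) for n in names)
    stamped = ((p, datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)) for p in paths)
    return [(p, m) for p, m in stamped if m >= since]

def parse_log(lines):
    """Yield (when, ip, method, url, status); unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, url, status = m.groups()
        try:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield when, ip, method, url, int(status)

def requests_near(lines, mtime, window=timedelta(minutes=5)):
    """Write-style requests (POST/PUT) logged within `window` of `mtime`."""
    return [r for r in parse_log(lines)
            if r[2] in ("POST", "PUT") and abs(r[0] - mtime) <= window]

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '203.0.113.7 - - [05/Jan/2010:04:29:10 +0000] "POST /upload.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Jan/2010:04:29:40 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '192.0.2.9 - - [05/Jan/2010:01:00:00 +0000] "POST /contact.php HTTP/1.1" 200 100',
    'truncated or corrupt line',
]

def demo():
    with tempfile.TemporaryDirectory() as root:  # throwaway web root
        index = os.path.join(root, "index.php")
        open(index, "w").close()
        ts = datetime(2010, 1, 5, 4, 30, tzinfo=timezone.utc).timestamp()
        os.utime(index, (ts, ts))  # pretend the file was changed at 04:30 UTC
        changed = modified_files(root, datetime(2010, 1, 1, tzinfo=timezone.utc))
        return [(os.path.basename(p), requests_near(SAMPLE_LOG, m))
                for p, m in changed]

if __name__ == "__main__":
    for name, hits in demo():
        print(name, [(h[1], h[2], h[3]) for h in hits])
```

A file's mtime can be reset by whoever changed it, so compare `st_ctime` as well. If no web request lines up with the change, run the same time-window check against the FTP and SSH logs.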