February 15th, 2004, 07:48 PM
Front page taken over by SimianS
The front page of the club that I work at has been replaced by some message by 'SimianS'. I can't read it (spanish?). I don't know who they are or why they took over our page. It's not a huge deal, the page is just a schedule for the New Paris Theatre (newparistheatre.com), but I'd like our web page back. What do I do?
February 15th, 2004, 07:51 PM
Off-hand I'd say log in and replace the pages. When I attempted to connect to newparistheatre.com and www.newparistheatere.com , I'm getting "page cannot be found". DNS Error?
As for "SimianS", most likely a "Defacement" group. It's likely you've done something like left permissions open for anyone to upload pages.
February 15th, 2004, 07:52 PM
Contact your server admin/company and tell them what has happened
February 15th, 2004, 07:54 PM
tell me you have backed up your site. please dont say that you have no other copies. If you do, just delete the current index.html and whatever other pages they changed and restore from your backups. scan for virii, my bet is that they may have put a backdoor in so they can come back later. also, check to see if they put any files on your server. after you havce it all restored, get all the patches and updates for your server and lockdown all services that aren't necessary. BTW, your link is working.
 damn, you guys really do type fast! [/edit]
\"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, \"I\'m a grown man. I should know what goes on my head.\" And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life. \" -Roy Waller
February 15th, 2004, 07:58 PM
?? It is? You're able to get to the site?
BTW, your link is working.
February 15th, 2004, 08:05 PM
Thanks for the quick answers. If only our ISP were this quick (first place I went). Do these defacers target particular places or just search for loose security? I haven't been the webmaster for a while (boss found cheaper guy), I'm almost tempted to let him flail for a while but I'm a nice guy. I have a backup (and a backup for the backup) of my old page, hope new guy has one (hehe, might get the job back today). It sounds like this will be pretty simple to fix. Where should I go to learn how to tighten up the security? Thanks again for the help.
February 15th, 2004, 08:10 PM
Depends on their goal. For the most part, IMHO, defacers just choose the easiest targets. So they look for server(s) that have vulnerabilities they can exploit.
Some of the things you can do to tighten up security:
- speak to your ISP and ask how up to date they are and what their procedures are for something like this (how do they deal with it). If they can't give you an answer you're comfortable with, look for another place (cheaper is not necessarily better)
- ensure that the permissions for your directory are at the strictest while allowing viewability/useability. Often people allow everyone to have the ability to peruse directories, upload to directories and delete directories. Not a good option. If you're using *nix, permissions should be set -- for directories -- to 711. It's been a while since I've touched a Windows Web server but really, all you'd need is Execute and Read options (IIRC) for Windows.
- Always have backups. Something will go wrong when you least expect it. Your webmaster should have backups if it's been recently altered. You can do some creative recovery with Google if you get desperate.
February 15th, 2004, 08:26 PM
So it's pretty much graffiti? I don't think we've pissed anybody off, but you never know. I can get to the page if I use the homepage button but not if I type in the URL. I switched to Opera and am avoiding it now. My knowledge of security is limited to my pc and what I learned at Gibson Research Corp. page. Their scans said my computer was invisible to the web. Can nasties be recieved simply by opening a page (cookie)? I've read things that hint at it, but no real answers.
February 15th, 2004, 08:31 PM
Yup. Most like it was just because the server was vulnerable. If it was against you or the company personally, you'd see a message reflecting that.
So it's pretty much graffiti?
Yup. Browser hijacking is far more common than people realize. Simply going through some of the threads in the Adware/Spyware forum will show you that. In fact, one "phish" (a technique to get or "fish" out information from users) I saw today has a website that forcibly downloads a java app to the user's machine when they view java. The app, AFAIK, actually takes cookie information and sends it to a specific email address. Never assume anything is secure, even if "GRC" says it is. There is always a way in. The question is do you know it?
Can nasties be recieved simply by opening a page (cookie)? I've read things that hint at it, but no real answers.
You might want to visit your local library or bookstore and check out their computer security section(s). Books like Hacking Exposed, HackerProof, etc. all give an idea of what the risks are.
February 15th, 2004, 08:40 PM
I think I'll grab one of those books. Can things like the forced java routine get sensitive info like passwords, or just hijack the browser? Does adaware catch these?