
Thread: Security against website defacement?

  1. #1
    Junior Member
    Join Date
    Mar 2003
    Posts
    22

    Security against website defacement?

    My site recently got defaced. I had the front page and basic site backed up, but the forums were totally deleted. How did this happen? They cracked the password for the FTP, I'm guessing. But how did they do that? And what can I do to prevent that?

    Thanks.
    hi

  2. #2
    Junior Member
    Join Date
    Mar 2003
    Posts
    22
    I'm sorry, just realized I posted this in the wrong place.
    hi

  3. #3
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    They could've used any number of tools to figure out your OS (nmap comes to mind), then grabbed a bunch of exploits for that OS, then got in through any number of methods and went from there. Once they get in as root, they can su to any user that has db access (like postgres which is the default created user for PostgreSQL databases) and from there it's simply easy to dropdb the databases, exit out, delete the user (userdel/etc), then as root, delete the files in any number of filesystems and then worse, remove the filesystems, then reboot the box.

    But that's if someone's out for total system destruction. Doesn't sound like that's the case here. Sounds like they wanted to get in and muck with your web servers although I think they did get root because your webserver surely wouldn't be in control of your databases as well. Most defacers are out for public awareness (see www.thesmathers.com for where HIS site went, rofl) and not system destruction.

    EDIT: hey man, who negged you? Check your AP center and find out why...you simply did nothing but apologize for an incorrectly-placed post, which didn't bother me that much...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    For the Skiddie's benefit, I believe the proper thing to do if you have posted in an inappropriate forum is to PM a mod and ask them to move it for you.

    Don't worry about it Midnight, his handle is a good reflection of his intellect.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    MIDnightKAO > I moved your post, although the forum you had it in wasn't that bad a choice

  6. #6
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    Midnight, were you hosting your page or was someone else?

    If you weren't then who was?

    If you were then what OS were you running, what version of apache, did you patch it, what other services were you running, were you firewalled, did you give someone your password.........

    The easiest way to solve this kind of situation is to think to yourself "What would I do?"
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  7. #7
    Junior Member
    Join Date
    Mar 2003
    Posts
    22
    I use hostrocket for hosting. What does patching it mean? I'm pretty new to this so sorry for any inconvenience. lol.

    Thanks for the replies.
    hi

  8. #8
    Junior Member
    Join Date
    Mar 2003
    Posts
    22
    Isn't there a way I can allow only a certain IP to log into FTP or something like that?
    hi

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    If you're sure that the person got in by guessing your FTP account's password (which you're not) then make your password stronger. Change it and make it harder. Also, you say someone else is hosting your website? And speaking of the user who negged you, you could post his name here or you could alert Negative who it was and let him handle it.
    Space For Rent.. =]

  10. #10
    A few questions:

    Do you know how you were defaced?
    Can you post the specifications of your hosting plan / server for us?
    Do you use server side scripting of any sort?
    What type of database if so?

    What forum software did you use?

    Are you familiar with SSH and does your host allow it?
    Are you sure you aren't infected with any backdoors that would sniff your FTP password?
    Have you run Site Digger from Foundstone on your website?
