Site defaced - what next?

Greg Rundlett greg at freephile.com
Fri Aug 6 11:01:01 EDT 2004


My site was owned and defaced.  It looks like the mediawiki script that 
I recently installed to create a free-software community may have opened 
the 'door' to the site being compromised.  This is unconfirmed however.

With the little investigation that I've had time to do, it looks like 
the cracker may have used a wiki script that I have to open an 'image' 
or remote file that was actually a php script which in combination with 
allow_url_fopen would allow arbitrary code to be executed on the host.  
In turn, the 'image' (a shell creation script) was used to rewrite 
directories and files.  The homepage itself is just a plain (Microsoft 
Frontpage) htm file.

Anyway, there isn't a significant financial loss involved in this, it is 
more a nuisance since my site is informational.  But still, my question 
to the group is what if anything should be done to hunt down the 
script-kiddie who defaced the page.  Is there any regulatory body that 
ISP's report these incidents to?

I contacted my ISP, and I downloaded a copy of the site to do my own 
local forensic investigation.

ps. This is not in any way connected to running a CVS pserver -- an 
earlier thread discussed the vulnerabilities therein.

-- 
FREePHILE
We are 'Open' for Business
Free and Open Source Software
http://www.freephile.com
(978) 270-2425
If you are smart enough to know that you're not smart enough to be an
Engineer, then you're in Business.




More information about the gnhlug-discuss mailing list