What to do after you've been hacked and recovered?
Dr. Jones
n00b

Joined: 11 Oct 2003
Posts: 14
Location: Golden, Colorado

Posted: Thu Apr 20, 2006 8:07 pm    Post subject: What to do after you've been hacked and recovered?

We had someone hack our forums yesterday. They created an account, used an exploit to elevate their access level to admin, then sent an email to everyone registered for the forum providing a link to a trojan.

The link was hosted at a generic .biz domain that appears to be registered to a real person (in AZ). Loading the .biz domain in a browser pulls up the default Fedora Apache2 page.

Is it worth contacting the owner of the domain? Is there any 'agency' or anything that you can fill out an incident report type thing?

Or is it likely that the hacker put the trojan on the domain using some simple exploit (since it was configured with the defaults), and the most we can do is just fix what they broke, beef up security so it doesn't happen again, and move on?
_________________
Adopt an unanswered post today!
DaveArb
Guru

Joined: 29 Apr 2004
Posts: 510
Location: Texas, USA

Posted: Thu Apr 20, 2006 8:16 pm    Post subject: Re: What to do after you've been hacked and recovered?

Dr. Jones wrote:
    Is there any 'agency' or anything that you can fill out an incident report type thing?

I would notify the host of the domain (ISP if it isn't with a commercial host).

Whether the domain is knowingly hosting a trojan, or accidentally, it should be taken off. I wouldn't contact the domain's owner.
Dr. Jones
n00b

Joined: 11 Oct 2003
Posts: 14
Location: Golden, Colorado

Posted: Thu Apr 20, 2006 8:29 pm    Post subject: Re: What to do after you've been hacked and recovered?

DaveArb wrote:
    Dr. Jones wrote:
        Is there any 'agency' or anything that you can fill out an incident report type thing?

    I would notify the host of the domain (ISP if it isn't with a commercial host).

    Whether the domain is knowingly hosting a trojan, or accidentally, it should be taken off. I wouldn't contact the domain's owner.

The domain is one of the generic traffic/search type domains with a .biz.

The other reference from the whois listing of that domain is a .biz reference to a toolbar. It seems like the kind of domains set up by people who produce spyware type products.

Though, I guess notifying them doesn't really hurt.

Edit: Just looked and the trojan is a browser hijacker type (CWS) thing. The domains listed seem exactly the kind of domains that would be associated with that kind of thing. Searching on Google showed several domains that lead to the same IP as that server. Seems like the purpose of that domain is to host the trojan so they can install the browser hijacker. Not sure notifying them that it's there would do any good (or be possible, since addresses listed for domains look real but are fake).
_________________
Adopt an unanswered post today!
DaveArb
Guru

Joined: 29 Apr 2004
Posts: 510
Location: Texas, USA

Posted: Fri Apr 21, 2006 2:30 am    Post subject: Re: What to do after you've been hacked and recovered?

Dr. Jones wrote:
    The domain is one of the generic traffic/search type domains with a .biz.

Right, but the question is, who hosts it? There's always an upstream.

For example, here's a local company who is certainly not in the spamming or trojan business (they make neat woodworking goodies): www.incra.biz. Looking up the A record for their domain, I see that they are at 208.39.186.182. Then I go to ARIN (www.arin.net) and look up whois on that IP, and find that it belongs to ACS Edgewebhosting.net in Maryland. In your case, I'd then Google for these guys' reputation. If good, they are the ones to send a LART request to. If bad, I move one more upstream and notify Comcast (probably a loser idea, but it would make me feel like a good netizen.)

Dave
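Dave's lookup procedure (A record, then registry whois on the IP to find the upstream network and its abuse contact) as an added Python example; this is not code from the thread. It assumes a whois(1) client is installed and that the IP sits in ARIN's region (other registries use different servers); the embedded whois text is a constructed sample using placeholder addresses, not a real record.

```python
import ipaddress
import re
import socket
import subprocess

# Constructed sample of an ARIN whois reply (RFC 5737 / RFC 2606 placeholders).
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OrgName:        Example Hosting LLC
OrgAbuseHandle: ABUSE0-ARIN
OrgAbuseEmail:  abuse@example.net
"""

FIELDS = ("NetRange", "CIDR", "OrgName", "OrgAbuseEmail")


def parse_arin_whois(text):
    """Pick the first value of each field of interest out of ARIN whois text."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.+?)\s*$", line)
        if m and m.group(1) in FIELDS and m.group(1) not in found:
            found[m.group(1)] = m.group(2)
    return found


def resolve_a_record(domain):
    """Step 1: the A record tells you which network actually serves the file."""
    return socket.gethostbyname(domain)


def whois_ip(ip):
    """Step 2: ask the registry who the block is allocated to (needs whois(1))."""
    return subprocess.run(["whois", "-h", "whois.arin.net", ip],
                          capture_output=True, text=True, check=True).stdout


def abuse_report_target(domain, resolver=resolve_a_record, whois_fn=whois_ip):
    """Domain -> hosting IP -> network owner and abuse mailbox (the upstream)."""
    ip = resolver(domain)  # resolver/whois_fn are injectable for offline use
    info = parse_arin_whois(whois_fn(ip))
    # Sanity check before mailing anyone: the record must actually cover the IP.
    nets = [ipaddress.ip_network(c.strip()) for c in info.get("CIDR", "").split(",") if c.strip()]
    if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
        raise ValueError(f"{ip} is not inside {info['CIDR']}")
    info["ip"] = ip
    return info
```

Checking the hosting provider's reputation, as Dave suggests, is still a manual step before deciding whether to write to them or go one hop further upstream.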