Hacked by someone known as "Fatal Error"

[Trona]

A couple of sites I host on a Snow Leopard Server got hacked and they replaced the index page with one of their own. I cleaned it up and the came back and left a page that said something like, "Fatal Error ownz you !"

I had left an open vnc connection to the machine over the internet and I suspect this is the means they used to gain access to the machine. I replaced the damaged files and shut off remote management and control.

Anyone have experience with this? Anything else I should do? Running a Clamav scan right now on the whole machine to see if they left anything behind. No real damage, but it's a pain in the butt. Any help is welcome.

 

[throAU]

Wipe
reinstall
Ensure your OS is patched
Restore from backup

Close the whole they used to get in (VNC over the internet, are you serious?)


Just because no virus is picked up, it doesn't mean that they have not compromised the box's security in other ways.

Seriously, if you are owned, the only way to be sure is to wipe/reinstall/patch (before exposing to the internet) and restore (data only) from known clean backup.

Until you can verify the hole they used to exploit you (could be a web-app you are running and not specifically an OS problem) you will continue to get hacked (it's probably an automated scan and compromise tool, not even a human).

You will need to audit whatever you are exposing to the internet and close the holes, but VNC for a start is an extremely bad idea. That should be firewalled and not exposed to the internet, definitely.

 

[justperry]

Found this:

A hacker, identified by his handle s4r4d0, got into the district web server and changed the coding on most of the pages to show a simple white webpage with the phrase, "Fatal Error ownz you ! by s4r4d0." The hacker is from Brazil.
That person, and at least one other, hack websites around the world under the group name Fatal Error, according to multiple posts made in internet forums related to hacking and fixing hacks.
s4r4d0 has posts on multiple hacking websites online claiming credit for numerous hacks, and states he or she has authored scripts - essentially a program that can change information in other programs - for several content management systems.

 

[switon]

RE: VNC and VPN...

Hi Trona,

I'd like to make a suggestion, it is just my opinion, and it is free, so you get what you pay for it, but if I were you I would first VPN (encrypted) into my local LAN from the Internet and then run VNC from the VPN connection instead of opening VNC to the Internet. I believe this is much more secure as VPN requires strong authentication and does strong encryption, making the VNC traffic secure.

...just a suggestion...

Regards,
Switon

 

[hestepp]

The same thing happened to me

I got an email from one of my employees about our website this morning. I'm running 10.6.8 server. I've cloned the hacked drive. I'm now reinstalling the OS.

Yesterday, I was working on it remotely over our VPN. The site was fine then. Sometime over night it was hacked. I have not had a chance to look at the logs.

It had been a while since, I updated firewall ports. I greatly reduced the number of exposed ports.

A google search seems to suggest that this is an old hack that affects Microsoft IIS servers. Some of the references date back to 2004. However, I can't find much info about the exploit itself.

I was planning on updating the server to 10.8 next weekend.

Also a terminal window open running a java command:

server:~ adminuser$ /System/Library/Frameworks/JavaVM.framework/Versions/A/Commands/java ; exit;