Hacking problem on our website...neverevernosanity webworm generation 13

http:// www.paxbaculum.com | 12/20/04 | armedanddangerous

[Armedanddangerous]

Some friends and I have operated a self defense survival and conservatism website called www.paxbaculum.com .

This afternoon someone apparently took control of it with a worm called neverevernosanity webworm generation 13.

[Armedanddangerous]

This afternoon someone apparently took control of it with a worm called neverevernosanity webworm generation 13. Is anyone familiar with this webworm, where it came from, how the hacker might have used it or how we can get it off there?

Any way to trace it back to the person who sent the webworm? We are fairly certain we know who did it. It's just proving it..

[shellshocked]

not too much of a problem. What is the IP address that was connecting?

[Armedanddangerous]

My partner in another state has that information..and is working with the provider to get it back on line. I just wanyt to try and figure out how they got us and make sure it doesnt happen again.

[Abcdefg]

Install ZoneAlarm and it will tell you what IP the trojan is trying to contact. Of course, it may be an innocent party's PC they have installed a "zombie" on.

[Prime Choice]

First things first. Please answer these questions:

1. What is the OS of your site?
2. What services run on the system?
3. Do you use FrontPage, PHP or similar services on your web server?
4. How do you know your system was taken over by a worm (rather than an anklebiting scriptkiddy)?
5. What is the OS of your workstations that you use to access your server?
6. Do you have minimal safety measures on your workstation (personal firewall, current anti-virus programs, anti-spyware programs)?

Once we get some answers, we can start narrowing down the vector of the attack against your site.

[TomGuy]

That worm hit other websites, too.

I was trying to access one business website and it showed that it had been attacked. The owners took the site down and they still haven't got it back up and running.

[RedBloodedAmerican]

Run command netstat -an ?

[Prime Choice]

Run command netstat -an?

Results are questionable in the event of an intrusion unless one is using a statically-compiled binary on read-only media.

[Prime Choice]

That worm hit other websites, too.

Which sites? There have been no such reports on any computer and network security lists that I'm on.

[RedBloodedAmerican]

Well if they arent at the server themselves then they could probably see their site domain hosts stats to see who was there.

[Wiz]

If you have your own server, get Zone Alarm Fire Wall (with Visual Zone for non-Pro version), Linksys NAT router, Kaspersky Anti Virus, and an IDS (packet tracker).

[Splatter]

Reported here? http://www.us-cert.gov/current/current_activity.html

[Wiz]

For anti Spyware, get SpyBot or AdAware. Those are the best known and reliable products.

[Prime Choice]

Let's hope that their provider had some kind of network IDS logging in place. Considering the damage in play, I kind of doubt it, though...

[Splatter]

Here is a new one (2 me).. http://www.securityfocus.com/bid/11981

[Prime Choice]

If you have your own server, get Zone Alarm Fire Wall (with Visual Zone for non-Pro version), Linksys NAT router, Kaspersky Anti Virus, and an IDS (packet tracker).

ZoneAlarm is for workstations, not servers. A NAT offers no security benefits at all. And anti-virus programs are for workstations, not servers.

[Splatter]

This is a little dated..but...
http://www.securityfocus.com/archive/1/381402

[Prime Choice]

Looks like you're running RedHat Linux (Fedora) with Apache/2.0.50. Might want to reinstall the OS from scratch, apply all the latest patches, and check to make sure all of your apps are up to date before going back online.

[Prime Choice]

That issue was due to Debian's implementation of Apache rather than a problem with Apache itself. The server that paxbaculum.com runs on is Red Hat.