Prophet Mohammed attack - defaced
canuck
02-19-2006, 05:36 AM
My site just got defaced by a cyber attack known as "Prophet Mohammed ...".
http://www.zone-h.org/en/news/read/id=205987/
Also many other sites on the VPS received the same defacement.
Any idea how I can prevent this from happening again? Trying to find how the hacker got in.
Thanks
this is sad...
most of these attacks, I believe, use PHP app vulnerabilities... like xmlrpc... Maybe one of your customers had a Mambo or a forum that wasn't updated... the hacker got access to your server with it... I don't think it's an elaborated attack.
By looking at your Apache logs, I think you could find some information... Find the time last modified of the "index" and then look in your logs...
if you didn't ... contact support... they can help for sure...
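The triage step suggested above (take the last-modified time of the defaced index file, then read the access log around that moment) as a worked example; this is an added script, not code from the thread or from any participant. It assumes Apache common/combined log format, honours the UTC offset on each log line, compares against the file's mtime in UTC, and runs on a constructed five-line log plus a fake index.html; the function names `file_mtime_epoch`, `log_window` and `demo` are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): find access-log requests made around the
# moment a defaced file was last modified. Assumes Apache common/combined log
# format; the log lines' UTC offsets are honoured and mtime is compared in UTC.
set -eu
export TZ=UTC   # demo only: makes `touch -t` below mean UTC

# Last-modified time of a file as seconds since the epoch (GNU stat, else BSD stat).
file_mtime_epoch() {
  stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print the lines of ACCESS_LOG whose request time is within WINDOW seconds of EPOCH.
# Usage: log_window ACCESS_LOG EPOCH WINDOW
log_window() {
  awk -v center="$2" -v win="$3" '
    # days since 1970-01-01 for a civil date (Hinnant days_from_civil)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    {
      ts = substr($4, 2)                      # e.g. 19/Feb/2006:05:09:41
      off = substr($5, 1, length($5) - 1)     # e.g. +0000
      if (split(ts, p, "[/:]") != 6) next     # not a request line: skip it
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
      t = days_from_civil(p[3] + 0, mon, p[1] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
      # the offset is local minus UTC, so subtract it to get UTC
      sign = (substr(off, 1, 1) == "-") ? -1 : 1
      t -= sign * (substr(off, 2, 2) * 3600 + substr(off, 4, 2) * 60)
      if (t >= center - win && t <= center + win) print
    }' "$1"
}

# Demo on constructed data: a fake index.html modified 2006-02-19 05:12 UTC and a
# five-line access log; the two requests within ten minutes of that time are printed.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/access.log" <<'EOF'
10.0.0.1 - - [18/Feb/2006:23:59:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Feb/2006:05:09:41 +0000] "POST /forum/xmlrpc.php HTTP/1.1" 200 311 "-" "lwp-trivial/1.41"
10.0.0.7 - - [19/Feb/2006:00:11:58 -0500] "GET /forum/cache/x.txt HTTP/1.1" 200 87 "-" "Wget/1.10"
10.0.0.9 - - [19/Feb/2006:05:21:00 +0100] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.3 - - [19/Feb/2006:05:40:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
  touch -t 200602190512 "$tmp/index.html"
  log_window "$tmp/access.log" "$(file_mtime_epoch "$tmp/index.html")" 600
  rm -rf "$tmp"
}

demo
```

On a real box, call `log_window /path/to/access_log "$(file_mtime_epoch /path/to/index.html)" 600` and widen the window if nothing shows up; the third sample line is there to show that a log written with a non-UTC offset still lands in the right place. Note that mtime only survives if nothing has touched the file since the defacement, so copy the file before cleaning up.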
canuck
02-19-2006, 09:36 AM
Thanks Fred. I think it's a PHP forum belonging to a customer that was not up to date.
Running any mod_security filters?
I see these all day long, and my server hasn't been compromised yet.
[Sun Feb 19 09:29:34 2006] [error] [client xxx.xxx.xxx.xxx] mod_security: Access denied with code 403. Pattern match "wget\\x20" at POST_PAYLOAD. [hostname "xxx.xxx.xxx.xxx"] [uri "/xmlrpc/xmlrpc.php"]
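The error_log line above is what mod_security 1.x writes when a filter matches. As an added example, not code from the thread or from the mod_security project, the shell functions below summarise such denials from an error_log so an admin can see which filters fire, against which URIs, and from which clients; the log excerpt and the addresses in it are constructed, and the names `modsec_summary`, `modsec_clients`, `modsec_sample` and `demo` are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): summarise mod_security 1.x "Access denied"
# entries in an Apache error_log, so the filters that fire most often, and the
# clients tripping them, can be reviewed. Log lines below are constructed.
set -eu

# One line per (pattern, location, uri) combination, most frequent first.
# Usage: modsec_summary ERROR_LOG
modsec_summary() {
  grep 'mod_security: Access denied' "$1" |
    sed -n 's/.*Pattern match "\([^"]*\)" at \([A-Z_]*\)\..*\[uri "\([^"]*\)"].*/\1 \2 \3/p' |
    sort | uniq -c | sort -rn
}

# Denials per client address, most frequent first.
# Usage: modsec_clients ERROR_LOG
modsec_clients() {
  grep 'mod_security: Access denied' "$1" |
    sed -n 's/.*\[client \([^]]*\)].*/\1/p' |
    sort | uniq -c | sort -rn
}

# Constructed error_log excerpt in the format mod_security 1.x writes
# (ordinary notice/error lines included so the filters must skip them).
modsec_sample() {
  cat <<'EOF'
[Sun Feb 19 09:29:34 2006] [notice] Apache/1.3.34 (Unix) configured -- resuming normal operations
[Sun Feb 19 09:29:51 2006] [error] [client 198.51.100.7] mod_security: Access denied with code 403. Pattern match "wget\\x20" at POST_PAYLOAD. [hostname "203.0.113.10"] [uri "/xmlrpc/xmlrpc.php"]
[Sun Feb 19 09:31:02 2006] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sun Feb 19 09:33:15 2006] [error] [client 192.0.2.44] mod_security: Access denied with code 403. Pattern match "wget\\x20" at POST_PAYLOAD. [hostname "203.0.113.10"] [uri "/xmlrpc/xmlrpc.php"]
[Sun Feb 19 09:40:51 2006] [error] [client 192.0.2.44] mod_security: Access denied with code 403. Pattern match "\\.\\./" at THE_REQUEST. [hostname "203.0.113.10"] [uri "/forum/index.php"]
EOF
}

# Run both summaries over the constructed excerpt.
demo() {
  log=$(mktemp)
  modsec_sample > "$log"
  echo "== denials by pattern / location / uri =="
  modsec_summary "$log"
  echo "== denials by client =="
  modsec_clients "$log"
  rm -f "$log"
}

demo
```

The uri column is the useful part for the question in this thread: it names the script being probed (here xmlrpc.php, the same target as in the log line quoted above). A denial only shows that a filter fired; requests that matched no filter are not in this list, so the summary complements patching the application rather than replacing it.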
canuck
02-19-2006, 07:20 PM
I have a few set up initially when I got the VPS, like RKHUNTER and stuff like that.
What do you suggest?
itwanabe
02-20-2006, 12:10 AM
APF + BFD is a must =)
canuck
02-20-2006, 05:32 AM
APF and BFD came installed by PowerVPS.
Thanks
Robert
02-20-2006, 11:42 AM
I've personally seen this on some servers that had Ikonboard on it. There are many known exploits for it, and if it's not constantly patched, you're vulnerable. The bad thing with them is they just release the "fixes" without any kind of version changes, etc. So it's almost impossible to know if your build is vulnerable or not.
But more than likely it's a vulnerable script, be it Ikonboard or another PHP/Perl script.