How do companies know they’ve been hacked

googlehacking

With the news of Google and others getting hacked, I was wondering how companies find out, detect, and/or know they've been hacked in the first place?

Sure, if they find a virus/trojan on user's computers or see a very high access rate to parts of their system that don't usually see much, if any, traffic. But, from what I've see in articles, the attack was pretty 'sophisticated', so I wouldn't imagine the hackers would make it so obvious of their hacking in the first place.

Maybe someone can enlighten me on current detection schemes/heuristics. Thanks.

Best Answer

Generally they look for subtle forensic clues; such as their homepage being changed to a banner which reads "p0Wned by TeH L33t Krew!! haahah1h1!! u noobs"

Related Solutions

Linux – How to know if the Linux server has been hacked

Keep a pristine copy of critical system files (such as ls, ps, netstat, md5sum) somewhere, with an md5sum of them, and compare them to the live versions regularly. Rootkits will invariably modify these files. Use these copies if you suspect the originals have been compromised.
aide or tripwire will tell you of any files that have been modified - assuming their databases have not been tampered with.
Configure syslog to send your logfiles to a remote log server where they can't be tampered with by an intruder. Watch these remote logfiles for suspicious activity
read your logs regularly - use logwatch or logcheck to synthesize the critical information.
Know your servers. Know what kinds of activities and logs are normal.

Php – Got Hacked. Want to understand how

First of all chmod 744 its NOT what you want. The point of chmod is to revoke access to other accounts on the system. Chmod 700 is far more secure than chmod 744. However Apache only needs the execute bit to run your php application.

chmod 500 -R /your/webroot/

chown www-data:www-data -R /your/webroot/

www-data is commonly used as Apache's account which is used to execute the php. You could also run this command to see the user account:

`<?php
print system("whoami");
?>`

FTP is horribly insecure and it's very likely that you were hacked from this method. Using FTP you can make files writable, and then infect them again. Make sure you run an anti-virus on all machines with FTP access. There are viruses that sniff the local traffic for FTP user-names and passwords and then login and infect the files. If you care about security you'll use SFTP, which encrypts everything. Sending source code and passwords over the wire in clear text is total madness.

Another possibility is that you are using an old library or application. Visit the software vendor's site and make sure you are running the latest version.

Best Answer

Related Solutions

Linux – How to know if the Linux server has been hacked

Php – Got Hacked. Want to understand how

Related Topic