
Recently I was contacted by a person saying that they had found a vulnerability


Question

Recently I was contacted by a person saying that they had found a vulnerability in my site. They were able to prove it, by sending me a list of my own databases (some of which had been created but never used or referenced by anything), a full directory listing of my webroot (not as impressive, but it did include hidden files), as well as contents of configuration files for MediaWiki and a sample from one of the databases. It seems that they have been able to drop a database, as well as run a mass update on another to introduce spam links on the Wiki.

I appear to have vexed them by saying that I don't use bitcoin and therefore cannot pay them for any "report" on how they are doing this - not that I actually want to, of course.

I really need help in figuring out anything I can to stop this attack before any further damage is caused - I apologise if this is not the correct place for such things, but it's the first thing that came to mind. Any advice, ranging from stopping the attack to possibly turning the tables entirely would be very much appreciated. If you need more info, please ask!

Explanation / Answer

Do not try to turn the tables.

Simply disconnect the site from the internet, take forensic copies (if you want to try and find out exactly what happened, or pass it on to law enforcement) and then wipe and rebuild from scratch.

As the odds of tracking down the perpetrators are incredibly slim, I would suggest not wasting your money. Just wipe and rebuild, and look to harden your installation before you connect it online again. This should include latest patches for platform, OS, applications etc., config options and general hardening guidance.
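A pre-rebuild check in the spirit of the hardening advice above, added here as an example and not code from the answer's author: before the rebuilt site goes back online, it lists the kinds of things the attacker in the question was able to harvest from the webroot (a MediaWiki LocalSettings.php readable by everyone, hidden files, and stray database dumps or backup copies). The function name, the finding labels and the AUDIT_ROOT variable are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical webroot audit (example code, not from the original post).
# Prints one finding per line: LABEL <path>. Run it against the rebuilt
# webroot before reconnecting the site; every line printed needs a decision.
audit_webroot() {
    root=$1

    # 1. MediaWiki's LocalSettings.php holds the database credentials; if the
    #    "other" read bit is set, any local account (or a script running as
    #    another vhost's user) can read it. -perm -004 is POSIX octal syntax.
    find "$root" -type f -name 'LocalSettings.php' -perm -004 \
        | sed 's/^/WORLD_READABLE_CONFIG /'

    # 2. Hidden files and directories (.git, .env, editor swap files, ...).
    #    The question's directory listing included hidden files, so review
    #    each one. .htaccess is expected on Apache and is skipped here.
    find "$root" -name '.*' ! -path "$root" ! -name '.htaccess' \
        | sed 's/^/HIDDEN /'

    # 3. Database dumps and backup copies left inside the webroot are
    #    downloadable by anyone who guesses the name; they belong elsewhere.
    find "$root" -type f \( -name '*.sql' -o -name '*.sql.gz' \
                          -o -name '*.bak' -o -name '*~' \) \
        | sed 's/^/DUMP_OR_BACKUP /'
}

# Usage: AUDIT_ROOT=/var/www/html sh audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_webroot "$AUDIT_ROOT"
fi
```

An empty output means none of the three checks fired; it does not replace the platform, OS and application patching the answer calls for.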