Friday, March 27, 2015

What types of things happen when a web server gets hacked.

These are just some of the things that can happen, and it really depends on the server, the type of data being stored, whether it’s in a server farm, or whether it’s actually at a facility like an office. The outcome for each of these can be massively bad depending on a variety of factors, because after all, a server being hacked is never really a good thing, unless you’re the one doing the hacking, and that’s only if you’re a black hat.

On most web servers there is code, acres and acres of code. If the server uses a dynamic language for page creation, like PHP or ASP, then there are likely database connections at play. These databases likely contain the information someone would normally expect to find on such a server: the usual types of information, username, password, name, e-mail address, etc. If the server hosts a medical site, it might hold personal information, all of which should be encrypted where it is stored. If the server were for controlling something else, then it would likely have access to that something, like a web-controlled automation system for instance.

Why would it be hacked?
Different information has different values on the black market. Most of the usernames, passwords, and e-mail addresses have value because they can be used on other servers in order to gain access to something else; for example: Website A is compromised, and a Twitter account that uses the same credentials is hacked. Things like Social Security numbers can be used not only to try to impersonate someone’s identity, but also to defraud the Social Security system with new fake accounts. Medical information is probably only beneficial to someone who would care about it, depending on the target. So if it contained medical info about a person who was in politics it might have value if they had certain medical conditions that weren't disclosed to the public, but if it’s about Grandma’s arthritis, probably not; unless they’re going to use it for spamming or phishing Grandma for pain meds, which could theoretically happen.

If the server’s housed in a server farm, it’s likely on a restricted network, and likely it doesn’t talk to anything else on that restricted network. While it could be used to pivot if the attacker gained access to things outside of the web server or the website, that’s likely not going to happen. Usually, when a web server in a place like a server farm is hacked, it’s immediately used for its bandwidth in that prominent place: new databases are created, new websites hosted, traffic diverted. Data centers and server farms have something everyone wants: real estate. If the server is locked down to prevent those things, then only the website is hacked, and this could allow an attacker to use the website to collect information on its users for forwarding to the attacker's own servers, or to serve malware or viruses from the compromised server to infect workstations. If the web server account has write access to the website's files, then files can be injected and a back door created. Then the attacker can read the databases using the site's permitted database connections. If the account the website runs under has enough permissions on the machine, then the attacker can do other things to the server, like create more servers, turn on services that aren't currently running, install things like proxy servers and VPN systems, and host other things on the box like voice communications and video hosting; a lot of possible options.

If the server is in an office, there are a variety of other things that can become compromised. If only the site itself is compromised, then the same things could happen as in a server farm. If the attacker gains access to the server itself, and that server is also a domain controller, and the admins use the same username “admin” with the same password everywhere, then the attacker can try to log in to that server to control the domain, the e-mail accounts, the domain routing, and the website. From a domain controller, they can now collect any traffic within the network that's not encrypted. If they set up a man-in-the-middle attack, they can actually steal the encrypted data too. They can also leech information from the server, and if it's not a domain controller, try to use it to pivot and attack other systems on the same network. With enough access they can install applications and still perform the data mining, then spoof packets and routes and take traffic meant for elsewhere. It really depends on where the box sits in the network infrastructure.

If the server is locked down so that the attacker is restricted to the website and database alone, the attacker can still create new websites and databases. There is also the issue of the network's external IP being blacklisted if the server is used to send spam or phishing e-mails; e-mails can be sent from web servers. Also there is the issue of bandwidth, as increased traffic to the server can bring down a network.

How to prevent a hack?
Management needs to contact their IT people and ask them about the permissions, restrictions, and infrastructure in place on the network, and make sure they're familiar with all of the risks at hand. Web designers need to contact the webmasters if they think there is an issue. If a different company hosts the website, then check their procedures; if they don't seem "secure", then move the site to a better host.

If possible, use a different e-mail address for every website.

Certain website hosts allow users to set up an unlimited number of e-mail addresses. While this might not seem beneficial, they also provide the ability to forward those e-mail addresses to a main account or any other account. If anything needs a reply, the main account can be used, but for most things it’s not necessary. When signing up for something new at a store, give the e-mail address you intend to create, and set it up once you get back to a "safe" network.

So let’s say you’re signing up for Facebook; you could set up an e-mail address called fcb00k@yourdomain.com. Then if Facebook needs to contact you, they can use that particular e-mail address. If you get crafty with your e-mail forwarding, you can make it so only certain important e-mails get sent to your mobile phone, to cut down on all of the traffic that you receive. This also allows you to filter out a lot of the clutter without having a billion spam filters in whatever you're using as a mail client.

In the event of doom
If the system you signed up with is hacked, let's say the database is hacked and it contains your e-mail address, you’ll likely start receiving spam messages or worse, phishing messages from people attempting to trick you into giving away information. When you start to notice e-mails addressed to fcb00k@yourdomain.com that aren’t from Facebook, then you’ll know that they either sold your address to someone else, or they were hacked. It also helps when you get Amex offers for your outstanding credit addressed to fcb00k@yourdomain.com: you'll know they're likely not the real thing either.
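The alias trick above can be automated at the forwarding stage: a message arriving at a single-purpose alias from anyone other than the service it was given to is the leak signal. This is an added example, not code from the original post; the alias map, sending domains, "urgent" list and sample messages are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed alias map (assumption, not from the post): each alias was given to exactly one
# service, so legitimate mail to it should only come from that service's sending domains.
ALIASES = {
    "fcb00k@yourdomain.com": {"facebook.com", "facebookmail.com"},
    "amzn@yourdomain.com": {"amazon.com"},
}
# Aliases whose legitimate mail is worth pushing to the phone; the rest stays in the mailbox.
URGENT_ALIASES = {"amzn@yourdomain.com"}

def _domain_matches(domain, allowed):
    # Accept the exact domain or any subdomain of it (e.g. mail.facebook.com).
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def classify(raw_message):
    """Return the alias, a verdict and whether the message should be forwarded to the phone."""
    msg = email.message_from_string(raw_message)
    alias = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    allowed = ALIASES.get(alias)
    if allowed is None:
        return {"alias": alias, "verdict": "unknown-alias", "forward_to_phone": False}
    if _domain_matches(sender_domain, allowed):
        # From: is trivially spoofable, so "expected" is not proof of legitimacy;
        # the useful signal this script produces is the "leaked" verdict below.
        return {"alias": alias, "verdict": "expected",
                "forward_to_phone": alias in URGENT_ALIASES}
    # A single-purpose alias hearing from anyone else means the address has leaked
    # (sold or breached). Hold it for review instead of forwarding it.
    return {"alias": alias, "verdict": "leaked", "sender_domain": sender_domain,
            "forward_to_phone": False}

def leaked_aliases(raw_messages):
    """Map each leaked alias to the sorted list of unexpected sender domains seen."""
    leaks = {}
    for raw in raw_messages:
        result = classify(raw)
        if result["verdict"] == "leaked":
            leaks.setdefault(result["alias"], set()).add(result["sender_domain"])
    return {alias: sorted(domains) for alias, domains in leaks.items()}

SAMPLE_MESSAGES = [  # constructed sample headers, as a forwarding script would see them
    "Delivered-To: fcb00k@yourdomain.com\nFrom: Facebook <notification@facebookmail.com>\nSubject: New login\n\nbody\n",
    "Delivered-To: fcb00k@yourdomain.com\nFrom: Amex Offers <offers@amex-rewards.example>\nSubject: Your credit\n\nbody\n",
    "Delivered-To: amzn@yourdomain.com\nFrom: Amazon <order-update@amazon.com>\nSubject: Shipped\n\nbody\n",
]
```

Running `leaked_aliases(SAMPLE_MESSAGES)` flags only the Facebook alias, with `amex-rewards.example` as the offending sender; the Amazon order mail is both expected and marked for forwarding to the phone.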

They won't care
If they are hacked, don’t bother e-mailing them and telling them about your brilliant e-mail naming convention and how you’ve noticed that you’re receiving e-mails from someone who is not them. They’re likely to send you a form letter response letting you know what spam is, and they’ll tell you that they have the best security team known to man working on their servers and that in no way were they hacked. At some point you’ll see a press release about them being hacked, but rest assured it had nothing to do with you; it was likely due to some normal operating procedure that they were able to find the issue. Public relations, IT, and web operations rarely interact in most companies in regard to user feedback. That’s just how it works.

Fixing the issues 
When a site is hacked, because you're using this really cool method, you only have to worry about changing that one e-mail address to a new one (in order to stop the spam), and then you can go on about your day. Oh yeah, change your password too. If they got your e-mail address they likely got your encrypted password, which is likely no longer encrypted.

Tuesday, March 17, 2015

How a custom virus caught a liar.

I don’t remember the names. It was sometime in the late nineties when I received a phone call from an ex-girlfriend who worked for a military contractor. She said she was sort of on the rebound from a relationship, but needed my assistance with a “computer issue.” I drove for over five hours to get to her house. Here I find that she’s cohabitating with her current “boyfriend,” but they are separated momentarily; and they also have another roommate, a girl, who she wanted to introduce to me. He was a computer science major, if I recall correctly, which is why she needed some “training to teach him a lesson”; rather unintentionally she was provided with a method of making a self replicating virus.

When I arrived we went out to dinner with her roommates to a local sports bar. We had a good time until someone started hitting the sauce. After we returned to the house, she pulled me aside and explained the issue: her ex, or soon to be ex- or whatever his status was at the time, had allegedly been looking at pornographic material on his computer. I didn't think this was a crime, but they had an agreement that he was not to look for pornography because apparently it had been an issue in her last relationship to the point that it haunted her. Her other roommate had heard him, clued her in, and when confronted, he lied in response about looking at it; and so she wanted to prove he was lying, but didn’t know how. She didn’t know where to look, and was afraid that any attempt for her to show him would backfire as he could say it wasn’t his, too many roommates. It was sort of a communal terminal.

I felt sorry for her, so rather reluctantly, I decided to enable her to prove, rather embarrass him with, evidence that he’d been looking at the things he was not supposed to be. Had he not been a jerk most of the evening (mean drunk), I probably wouldn’t have gotten involved, but at the time I still had weekends, so it was a mini-holiday.

For the record, I never touched his computer, and never touched her computer. I simply conveyed to her, a computer science major at the time, in theory how to write a couple of scripts that could modify the Windows auto-execute batch file to make something that worked like a virus, on her computer; theoretical stuff really.

First I explained to her that she needed to not touch the computer. If it at all seemed like she had any time with the machine, then the game would be up. I theorized on how she could write a little batch file that would write another batch file and clean up after itself. This other batch file could scour the Temporary Internet Items directory for video files and porn-sounding jpg names. Any files it located could then be copied to a new hidden directory of some obscure name, completely random even. The file extensions could then be changed, so they would not look like videos if someone were to do a search for videos on the hard drive, this way the batch could replicate them again into the startup and IE temporary items folder, by searching for their new unique extensions upon restart.

After searching for the files and copying them to their new location, the system would then, in theory, copy them to the startup folder in the start menu; then the batch file could patch the Windows registry runonce menu to trigger a new instance of itself, just in case the batch wasn’t called on the next restart.

The poor guy was using Windows 95 without service packs.

Upon loading Windows, a little snippet could be placed about 1000 lines down in the autoexec.bat file. If this sort of script was able to install itself from a floppy on insertion (not really a batch file, but something like autorun.inf), it would be much more detrimental of course. So in theory, all someone had to do was pop in the floppy, let Windows access the disk, then they could eject it. Smeary fingerprint on the eject button would be the only indication of tampering, if someone tried to determine an origin.

The next day, after having me sleep on the floor in her room to further boil the poor guy’s blood, we spent the morning watching television in the main room snickering about my theories. He was hung over; his computer was in the hallway, waiting. When he came back from the gym he turned his computer on. My friend walked down the hallway and popped a floppy into the drive after he had booted the machine up. She then asked "are you going to use your computer," to which he said, "You've had all morning to use it, I just turned it on, so yeah, I'm going to use it." She promptly removed the disk and turned the volume all the way up on the guy’s Labtec speakers. All of this happened with him watching, but nothing suspicious. The computer had become a dynamic of control in their arrangement.

About 30 minutes later he comes over to the computer and reboots it; it had locked up; no service pack was installed, it was poorly maintained, that sort of thing. Five minutes later we hear this blaring cacophony of multiple moans and grunts overlapping with the soundtracks of roughly 10 adult videos featuring who knows what, all playing simultaneously. Windows was nice enough to tile their display when the system started; we could see it from the couch, raunchy stuff.

Leaning back in his metal folding chair, he slams his chair forward and turns off the speakers. “What are you watching hon?” she says from the living room, the guy’s face is beet red. He closes all of the windows with alt-f4 repeatedly before she makes it down the hallway to “get a drink” from the kitchen. Then he proceeds to delete all of the items from his startup folder. He looks at me, he was about twice my size and I was 220lbs at the time, and says, “You had better not touch my computer again.” I told him I hadn’t touched it, and that he probably had a virus from looking at porn sites. I gave a plausible response and told the truth, having not touched his machine, omitted a couple of details, but didn't lie, technically.

About 30 minutes later he restarted his computer. Surprisingly the same thing happens again. He looks at me and says “what did you do?” I truthfully said “I haven’t touched your computer man,” with one of those smirks to make him wonder. He calls his friend, The Computer Guru.

This guy shows up, he walks over to the computer, looks back at me and glares. I don’t know what her boyfriend at the time knew about me, but whatever it was, he had his suspicions about what he didn’t know after that day. The computer guru guy goes in and deletes all of the IE history and temp internet items. Then deletes the items in the startup folder. “Watch this though,” her boyfriend says, as he reboots the computer. Same thing happens again. Computer guru goes in and removes all of the items as before, and this time does a search for videos, finds nothing oddly enough. He restarts the computer. Same thing happens again. Then he restarts it again, problem is compounded because there was no theoretical statement to check for existing video and picture files. He tells her boyfriend, “don’t reboot it again, I’ll be back.”

Enter Windows 95 for Dummies

The computer guru guy shows up with his tattered copy of Windows 95 for Dummies in hand and a box of 3.5in floppies containing antivirus and Norton disk utilities; I always wondered why that book was so popular. He boots from a floppy, runs chkdsk, tells the guy he’s searching for hard drive errors that could cause the system to not be deleting the items from the temporary internet items folder. I'm off the hook at this point, so they relax around me. He also runs defrag. An hour goes by. She, her other roommate, and I go to the bookstore, hang for an hour, then we come back. They’re still at it. “I don’t know man, we’ve done everything I can think of,” the guru says. He pops in the Windows 95 recovery disk, rebuilds the system to factory defaults, without reformatting. This defiles the registry. Windows loads for the first time after the reinstall, videos all still in place. Mad, he throws the keyboard.

They reformat.

2 hours later, “where did all of my files go?” the boyfriend says. “I told you I was reformatting,” replies the guru. He looks at my friend “got any spare floppies?” She replies, “Yeah I’ve got one.” Brings him the disk. I grinned, gave her a hug, told her she was evil, and promptly left. The next week she calls me to tell me that he bought another computer, Windows 98 this time, and "geez, if it didn’t develop the same sort of characteristics a couple of days after he bought it." Poor guy... if only he hadn't lied to her.

So I've been thinking to myself, ethically, was it wrong to help her? Knowledge in the wrong hands... I'm glad I was on her good side.