Forum Discussion
Fallout1984
Cirrocumulus
CirrocumulusF5-fronted website duplicated by hackers and re-hosted
We found out recently that hackers copied one of our F5-fronted web sites and certs, and set them up on a server elsewhere. Their copied cert gives an error, of course. I’m wondering if there’s anyth...
there are some things to check in this article which also provides general guidance for such sitations:
https://support.f5.com/csp/article/K11438344
there is the IOC checker from the F5 vulnerability which seems to also check for webshells and other things left behind beyond that actual exploit itself.
https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/
uploading a qkview to ihealth will also help as some things are checked and reported there.
still kind in mind that a good hacker can erase tracks so can you be 100% sure? that should be an internal discussion with the parties involved. if there is doubt then rebuild and restore a known safe backup.
boneyard
MVP
MVPthere are some things to check in this article which also provides general guidance for such sitations:
https://support.f5.com/csp/article/K11438344
there is the IOC checker from the F5 vulnerability which seems to also check for webshells and other things left behind beyond that actual exploit itself.
https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/
uploading a qkview to ihealth will also help as some things are checked and reported there.
still kind in mind that a good hacker can erase tracks so can you be 100% sure? that should be an internal discussion with the parties involved. if there is doubt then rebuild and restore a known safe backup.
- Daniel_Wolf
I didn't know the K11438344 yet. Awesome, bookmarked it right away!
Fallout1984Great info - thanks!
