Fallout1984
Mar 05, 2021
Solved

F5-fronted website duplicated by hackers and re-hosted

We found out recently that hackers copied one of our F5-fronted web sites and certs, and set them up on a server elsewhere. Their copied cert gives an error, of course. I’m wondering if there’s anyth...
  • boneyard
    Mar 06, 2021

    there are some things to check in this article which also provides general guidance for such situations:

    https://support.f5.com/csp/article/K11438344

    there is the IOC checker from the F5 vulnerability which seems to also check for webshells and other things left behind beyond that actual exploit itself.

    https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/

    uploading a qkview to ihealth will also help as some things are checked and reported there.

    still keep in mind that a good hacker can erase tracks so can you be 100% sure? that should be an internal discussion with the parties involved. if there is doubt then rebuild and restore a known safe backup.