Forum Discussion

Fallout1984's avatar
Fallout1984
Icon for Cirrocumulus rankCirrocumulus
Mar 05, 2021
Solved

F5-fronted website duplicated by hackers and re-hosted

We found out recently that hackers copied one of our F5-fronted web sites and certs, and set them up on a server elsewhere. Their copied cert gives an error, of course. I’m wondering if there’s anything I could/should check on the F5 to be reasonably confident nothing beyond copying our website has been done and the F5 has not been compromised (as management will surely ask). Has anyone else dealt with this before?

 

Yes this is kind of a generic question, but any help would be appreciated - thanks!

application delivery
LTM
  • boneyard's avatar
    boneyard
    Mar 06, 2021

    there are some things to check in this article which also provides general guidance for such sitations:

    https://support.f5.com/csp/article/K11438344

     

    there is the IOC checker from the F5 vulnerability which seems to also check for webshells and other things left behind beyond that actual exploit itself.

     

    https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/

     

    uploading a qkview to ihealth will also help as some things are checked and reported there.

     

    still kind in mind that a good hacker can erase tracks so can you be 100% sure? that should be an internal discussion with the parties involved. if there is doubt then rebuild and restore a known safe backup.

5 Replies

Sort By
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Mar 06, 2021

    Everything above.

     

    + contact law enforcement (might be different from country to country)

    + check for companies that could help you analyse whether a breach has happened

    + read the F5 Labs 2020 Phishing and Fraud Report

    + if you have FPS licensed, check what FPS can do to help you prevent that your web site is getting cloned. Otherwise, if you don't have FPS licensed yet, check what Shape has to offer. I think Shape AI Fraud Engine (SAFE) is their solution to prevent web site cloning.

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Mar 06, 2021

    there are some things to check in this article which also provides general guidance for such sitations:

    https://support.f5.com/csp/article/K11438344

     

    there is the IOC checker from the F5 vulnerability which seems to also check for webshells and other things left behind beyond that actual exploit itself.

     

    https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/

     

    uploading a qkview to ihealth will also help as some things are checked and reported there.

     

    still kind in mind that a good hacker can erase tracks so can you be 100% sure? that should be an internal discussion with the parties involved. if there is doubt then rebuild and restore a known safe backup.