What Do I Do If My Server Has Been Compromised?
Unmanaged servers do not come pre-configured. It is the customer's responsibility to configure, harden, and secure the server as necessary since they have chosen to manage their own server (or hire an administrator to do so). It's important to always keep your system packages and software up to date as outdated software leaves your server vulnerable and is the most common source of compromise.
While recovering from a compromise will depend on your server's operating system, configuration, and installed software, if your server becomes compromised, we recommend these general steps:
Update Passwords and Restrict Access
Change all of your passwords immediately (starting with the root/Administrator passwords). If possible, restrict access to your server to yourself and your developer(s) and/or server administrator(s).
Take a Backup
If you do not have a backup package, be sure to back up your files and move them off-server for safekeeping while you address the issue. Our backup packages can be ordered from your billing area by selecting Manage Servers > [My VPS / My Dedicated] > Manage Product > Addons > Add Backups.
Scan Your Files For Malware
We strongly recommend regularly scanning your websites and files for malware with programs such as the following:
There are also many options for server-side security; additional options can be found here:
Determine the Scope of the Compromise
Determine the scope of the issue by reviewing your logs and checking any files that have been recently modified. Scanning your files in the step above should also help with this. Is the compromise account-level or server-level? If it is an account-level compromise and the account is isolated from the others, you may be able to keep your other accounts running normally. Determining the scope of the issue can also help you understand how the server became compromised in the first place. Review your logs to determine whether the attacker got in with a compromised password (or through brute-force attempts) or because you are running outdated or vulnerable software.
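The two checks described above, reviewing the authentication log for brute-force activity and listing recently modified files, as an added example for a Linux server (this is not part of the original article or of any hosting tool). It assumes OpenSSH-style log lines; the log entries, the IP addresses and the sample directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: triage helpers for the
# "determine the scope" step on a Linux server. Assumes OpenSSH-style auth
# log lines; the log, the directory and the IP addresses below are
# constructed sample data, not real events.

# Constructed sample of /var/log/auth.log (/var/log/secure on RHEL-style systems).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 02:14:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:07 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 02:14:09 web1 sshd[2101]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar  3 02:20:11 web1 sshd[2150]: Failed password for deploy from 198.51.100.23 port 40011 ssh2
Mar  3 09:00:00 web1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
EOF

# Constructed sample web root: one file written just now, one untouched since 2020.
SAMPLE_DIR="$(mktemp -d)"
printf '<?php /* unchanged */\n' > "$SAMPLE_DIR/config.php"
touch -t 202001010000 "$SAMPLE_DIR/config.php"
printf '<?php /* recently rewritten */\n' > "$SAMPLE_DIR/index.php"

# Failed password attempts per source IP, most frequent first: "<count> <ip>".
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Successful logins from an IP that also produced failed attempts. A burst of
# failures followed by an "Accepted" line from the same address is the
# strongest sign that a password was guessed rather than software exploited.
successful_after_failures() {
    log="$1"
    failed_logins_by_ip "$log" | awk '{ print $2 }' | while read -r ip; do
        grep "Accepted .* from $ip " "$log" || true
    done
}

# Regular files under a directory modified within the last N days (default 7).
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" -print
}

echo "== failed password attempts by source IP =="
failed_logins_by_ip "$SAMPLE_LOG"
echo "== successful logins from IPs that also failed =="
successful_after_failures "$SAMPLE_LOG"
echo "== files modified in the last 7 days =="
recently_modified "$SAMPLE_DIR" 7
```

On a real server, point the functions at the actual log file and the web root instead of the constructed samples; a successful login that follows a run of failures from the same address points to a password compromise, while a modified file with no matching login activity points toward the software that owns that file.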
If you have an account-level compromise due to vulnerable software, how you proceed will depend on the type of software, but generally it will involve removing any unused modules, replacing all core files with the original uncompromised copies (usually available from the site that you originally downloaded your software from), and updating all of the software. Scan your files for malware and look over them manually for anything suspicious. Don't forget to change your passwords.
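Replacing core files is easier when you know exactly which files differ from the original release. The following added example (not from the original article or any vendor tool) compares a deployed web root against a pristine copy of the same software version and reports altered, added and missing files. It assumes GNU coreutils sha256sum; both directories are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original article: compare a deployed web
# root against a pristine copy of the same software release to find core
# files an attacker altered, files they added, and files they removed.
# Assumes GNU coreutils sha256sum; both directories are constructed samples.

PRISTINE="$(mktemp -d)"   # the original release, unpacked from the vendor download
DEPLOYED="$(mktemp -d)"   # what is currently on the server
for d in "$PRISTINE" "$DEPLOYED"; do
    mkdir -p "$d/includes"
    printf '<?php echo "hello";\n' > "$d/index.php"
    printf '<?php function helper() {}\n' > "$d/includes/helper.php"
done
# Constructed "compromise": one core file altered, one unknown file dropped in.
printf '<?php echo "hello"; /* injected content */\n' > "$DEPLOYED/index.php"
printf '<?php /* not part of the release */\n' > "$DEPLOYED/includes/cache.php"

# sha256 of every regular file, with paths relative to the given directory.
build_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} +)
}

# One line per discrepancy: MODIFIED, ADDED or MISSING followed by the path.
verify_deployed() {
    want="$(mktemp)"; have="$(mktemp)"
    build_manifest "$1" > "$want"
    build_manifest "$2" > "$have"
    awk 'NR == FNR { pristine[$2] = $1; next }
         { deployed[$2] = $1 }
         END {
             for (p in pristine)
                 if (!(p in deployed))                print "MISSING", p
                 else if (deployed[p] != pristine[p]) print "MODIFIED", p
             for (p in deployed)
                 if (!(p in pristine))                print "ADDED", p
         }' "$want" "$have" | sort
    rm -f "$want" "$have"
}

verify_deployed "$PRISTINE" "$DEPLOYED"
```

In practice, PRISTINE is a fresh download of the exact version you are running and DEPLOYED is the web root. Anything reported as MODIFIED is replaced from the pristine copy; anything ADDED is inspected before it is kept, bearing in mind that legitimate configuration files and user uploads will also appear as ADDED, so those paths should be reviewed rather than deleted wholesale.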
Guides for Compromises of Popular Software:
If you have a server-level compromise, changing your passwords and reviewing your firewall configuration may resolve the issue if you catch it quickly enough. Check all of your accounts as described above as well. Unfortunately, sometimes the best solution is to order a new server, re-install your software, and migrate your carefully inspected, uninfected files over to it.
Basic Steps to Secure Your Server
Tech and Security News
Windows Server Guides
Windows Firewall with Advanced Security Learning Roadmap
Windows Firewall with Advanced Security Getting Started Guide
Windows Firewall Integration and Best Practices
Server Hardening: Windows Server 2012
Security and Assurance in Windows Server
Windows Security Blogs
Sucuri Blog Security Articles
Sucuri Blog - Security Education
Sucuri Blog - Website Hosting: Security Awareness Can Reduce Costs
Sucuri Blog - What is Cross-Site Contamination and How to Prevent it
Sucuri Blog - How To Create a Website Backup Strategy
Sucuri Blog - When Your Plugins Turn Against You
Sucuri Blog - Website Security: How Do Websites Get Hacked?
Sucuri Blog - The Impacts of a Hacked Website
Sucuri Blog - Why Websites Get Hacked
Sucuri Blog - Why Attackers Hack Small Sites
Sucuri Blog - Content Security Policy
Sucuri Blog - The Art of Website Malware Removal – The Basics
Sucuri Blog - Your Website’s Been Hacked But No Signs of Infection
Sucuri Blog - Website Malware Removal: Phishing
Sucuri Blog - Why Website Reinfections Happen
Sucuri Guides - What is a Google Blacklist?
Sucuri Guides - How to Remove Google Blacklist Warning