What Do I Do If My Server Has Been Compromised?

Unmanaged servers do not come pre-configured. Because you have chosen to manage your own server (or to hire an administrator to do so), it is your responsibility to configure, harden, and secure it. Keep your operating system packages and installed software up to date: outdated software is the most common source of compromise, because publicly known vulnerabilities in it are exploited by automated scanners with no human attacker involved.

While recovering from a compromise will depend on your server's operating system, configuration, and installed software, if your server becomes compromised, we recommend these general steps:

Update Passwords and Restrict Access 
Change all of your passwords immediately, starting with the root/Administrator passwords and then control panel, database, FTP/SFTP, e-mail and application logins. Change them from a machine you trust, not from the compromised server, and assume that anything stored on the server (SSH keys, API tokens, database credentials in configuration files) is known to the attacker and needs to be rotated as well. If possible, restrict access to your server to yourself and your developer(s) and/or server administrator(s), for example by limiting SSH/RDP in the firewall to known source addresses while you work.

Take a Backup
Take a backup before you change anything else. If you do not have a backup package, copy your files (and a database dump) off-server for safe keeping while you address the issue: the copy preserves evidence for your investigation and gives you a fallback if the cleanup goes wrong. Treat this backup as potentially infected and never restore it blindly; only put back files you have inspected. Our backup packages can be ordered from your billing area by selecting Manage Servers > [My VPS / My Dedicated] > Manage Product > Addons > Add Backups.

Scan Your Files For Malware
We strongly recommend regularly scanning your websites and files for malware with programs such as the following:

ClamAV
Linux Malware Detect / Maldet
CXS
ISPProtect

Other server-side security tools cover different layers and are worth adding once the immediate cleanup is done:

ModSecurity (web application firewall for Apache, Nginx and IIS)
OSSEC (host-based intrusion detection: log analysis, file integrity monitoring and rootkit checks)
chkrootkit (rootkit scanner)
rkhunter (rootkit scanner)

Determine the Scope of the Compromise
Determine the scope of the issue by reviewing your logs and checking which files have been modified recently; the malware scan from the step above helps here too. Is the compromise account-level (one hosting account or website) or server-level (root/Administrator, or a service running as a privileged user)? If it is an account-level compromise and that account is isolated from the others, you may be able to keep your other accounts running normally. Scoping the issue also tells you how the server was compromised in the first place. Check your authentication logs for a password that was guessed or stolen (a successful login from an address that had been failing repeatedly, or from an unfamiliar location), and your web server logs for requests that point at outdated or vulnerable software, such as POST requests to a file that does not belong to the application or that should never receive them.
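The checks described above, as an added example that is not part of the original article: three small triage helpers for a Linux host. The sshd log lines in SAMPLE_AUTH_LOG are constructed test data; on a real server feed in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family), or the output of `journalctl -u ssh`. The "cache" and "logs" exclusions are assumptions about directories that legitimately churn; adjust them for your application.

```shell
#!/bin/sh
# Added example (not from the original article): triage helpers for scoping a
# compromise. SAMPLE_AUTH_LOG is constructed data in sshd's log format.

SAMPLE_AUTH_LOG='Apr  8 05:39:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 41022 ssh2
Apr  8 05:39:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 41023 ssh2
Apr  8 05:39:04 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Apr  8 05:40:10 host sshd[1240]: Accepted password for root from 203.0.113.5 port 41030 ssh2
Apr  8 06:01:00 host sshd[1301]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2'

# Failed password attempts per source address, busiest first (the brute-force view).
failed_logins_by_ip() {
    grep 'Failed password' \
    | sed -n 's/.* from \([0-9a-f.:]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Addresses that eventually logged in after failing: the signature of a
# guessed password. Prints "ip failures successes" for each such address.
accepted_after_failures() {
    awk '
      /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++ }
      /Accepted (password|publickey)/ { for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i+1)]++ }
      END { for (ip in ok) if (fails[ip] > 0) print ip, fails[ip], ok[ip] }'
}

# Regular files changed in the last N days under DIR, skipping directories that
# legitimately churn (assumption: "cache" and "logs" are such directories).
recently_modified() {
    dir=$1; days=$2
    find "$dir" -type f -mtime "-$days" ! -path '*/cache/*' ! -path '*/logs/*' | LC_ALL=C sort
}

# PHP files inside an uploads tree. Uploads should hold media, not code, so any
# hit is a prime web-shell candidate and worth reading by hand.
php_in_uploads() {
    find "$1" -type f -path '*/uploads/*' -name '*.php' | LC_ALL=C sort
}

# Usage on the constructed sample: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
    printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_after_failures
fi
```

On the sample data, accepted_after_failures reports 203.0.113.5 with two failures followed by one success, which is exactly the pattern that tells you the root password was guessed rather than that software was exploited. Run recently_modified against the document root with a window that reaches back before the first symptom, and read every file it lists, not only the ones the malware scanner flags.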

If you have an account-level compromise caused by vulnerable software, the details depend on the software, but generally this involves removing any unused modules, plugins and themes; replacing all core files with the original, uncompromised copies of the same version (usually available from the site you originally downloaded the software from); and then updating the software and every extension to the current release. Compare the deployed files against a clean copy rather than relying on a visual inspection, since malicious code is often appended to otherwise legitimate files. Scan your files for malware and review them manually for anything suspicious, paying particular attention to executable files in upload directories and to recently modified files. Don't forget to change your passwords, including the application's database password and any API keys stored in its configuration.

Guides for Compromises of Popular Software:
--Joomla-- 
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
https://sucuri.net/guides/how-to-clean-hacked-joomla

--WordPress--
https://billing.dotblock.com/knowledgebase/225/Compromised-Wordpress-Cleanup-and-Recovery.html
https://codex.wordpress.org/FAQ_My_site_was_hacked
https://sucuri.net/guides/how-to-clean-hacked-wordpress

--Drupal--
https://www.drupal.org/docs/develop/security/your-drupal-site-got-hacked-now-what
https://sucuri.net/guides/how-to-clean-hacked-drupal

--Magento--
https://sucuri.net/guides/how-to-clean-hacked-magento

If you have a server-level compromise, changing your passwords and reviewing your firewall configuration may resolve the issue if you catch it quickly enough, for example when an attacker has only just logged in with a guessed password and has not yet installed anything. Check all of your accounts as described above as well. Be aware, however, that once an attacker has had root/Administrator access you cannot trust the tools on that server to tell you what was changed: a rootkit can hide files, processes and network connections from the scanners listed above. That is why the best solution is frequently to order a new server, re-install the operating system and your software from trusted sources, and migrate only your carefully inspected, uninfected files (and a database export you have reviewed) over to it.

Further Reading
Basic Steps to Secure Your Server

Tech and Security News

Krebs on Security - Blog
Schneier on Security - Blog
Ars Technica - Tech News
WIRED Security Category - Tech News

Windows Server Guides

Windows Firewall with Advanced Security Learning Roadmap
Windows Firewall with Advanced Security Getting Started Guide
Windows Firewall Integration and Best Practices
Server Hardening: Windows Server 2012
Security and Assurance in Windows Server

Windows Security Blogs

Windows Server Blog
Windows Security Blog
Microsoft Secure
Microsoft Security Guidance Blog
MSRC

Sucuri Blog Security Articles

Sucuri Blog - Security Education
Sucuri Blog - Website Hosting: Security Awareness Can Reduce Costs
Sucuri Blog - What is Cross-Site Contamination and How to Prevent it
Sucuri Blog - How To Create a Website Backup Strategy
Sucuri Blog - When Your Plugins Turn Against You

Sucuri Blog - Website Security: How Do Websites Get Hacked?
Sucuri Blog - The Impacts of a Hacked Website
Sucuri Blog - Why Websites Get Hacked
Sucuri Blog - Why Attackers Hack Small Sites
Sucuri Blog - Content Security Policy

Sucuri Blog - The Art of Website Malware Removal – The Basics
Sucuri Blog - Your Website’s Been Hacked But No Signs of Infection
Sucuri Blog - Website Malware Removal: Phishing
Sucuri Blog - Why Website Reinfections Happen
Sucuri Guides - What is a Google Blacklist?
Sucuri Guides - How to Remove Google Blacklist Warning

Comments   

0 #1 joomla 2019-04-08 05:39
Restore Hacked Joomla
Website hacking is one major problem on the Internet. Hackers are now implying modern techniques where the website owner doesn't get a hint that their website has been compromised; however, they are there, stealing information and impersonating from within your web server to hack others. The Open Source CMS like Joomla are being secured and patched regularly but the outdated versions and the old extensions often provide a backdoor for hackers.
Joomla hack Removal