Your Server Has Been Hacked… What Next?

Uploaded on 2016-07-15 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Over a long enough time-frame, the chances of an Internet-facing server being hacked approach certainty. Online criminals trawl the net looking for vulnerable servers. If a server hosts a popular website or one with valuable private information, it may attract the focused attention of an attacker.

One of the skills a competent server administrator develops is an understanding of how to deal with a compromised server. Ideally, your server won’t ever be compromised, and there are many things you can do to reduce the chances of hackers finding a way in, but if it happens, you need to be ready.

How Are Servers Hacked?

There are four main vectors that can be exploited by criminals:

  • A vulnerability in a web-facing application or the systems that support it (e.g. the database).
  • A vulnerability in a component of the operating system.
  • A phishing attack.
  • A brute force attack.

It’s important that once you discover a server has been compromised, you try to discover how. Knowing how the attacker got in can help you reduce the risk of future compromises.

How Can You Tell If Your Server Is Compromised?

It’s in the interest of attackers to remain hidden, so you may not notice for some time, but compromised servers often exhibit unusual patterns of behavior like excessive bandwidth use, a strange pattern of network connections, or greater resource use than usual. You won’t notice these changes if you don’t monitor server performance and logs. Monitoring is a key part of server security.

Malware and rootkit scanners will help you discover if your server’s core systems have been compromised, or if an attacker has installed malware on the system.

The least desirable way to discover that your server has been compromised is for someone else to let you know. The server’s IP may be blocked by a spam blacklist, or a company like Google may get in touch to tell you they’ve removed your server from the search engine results because it’s infecting users with malware.

Next Steps

If your server is spewing malware, leaking private data, or otherwise putting users at risk, the first step is to remove it from the Internet altogether. That might mean shutting down a specific site or taking the entire server offline.

Next, backup your data 

It’s possible that the data or the applications running on your server have been maliciously modified, so you won’t restore from this backup, but a recent backup is an essential diagnostic and forensic tool — it will help you discover how your server was hacked.

You should let your hosting company’s support service know that you suspect your server has been compromised. Depending on the level of service you pay for, they may be able to help. At the very least they can use the information you give them to spot patterns of criminal activity.

Now for the hard truth, if your server has been compromised, you cannot trust any of the software it runs. Unless you are an expert system administrator with a deep knowledge of server security, you should not attempt to “clean” your server. The best course of action is to reinstall the operating and restore your software and sites from a verified malware-free backup.

If you believe the compromise is limited to a specific site or container, you might get away with reinstalling and restoring that area of your server. For example, hacked WordPress sites can often be restored without having to reinstall the whole server. But if you’re unsure, or there is an indication that the server has been infected with a rootkit, reinstallation is the only viable option.

Which brings me to the last piece of advice for this piece: make sure you regularly and comprehensively backup the data on your server. Without a comprehensive backup, you are out on a limb which stands a good chance of being sawed off.
 
Business2Community

 

« Bank of England: Cyberattacks A 'Clear and Present Danger'
Air Gapping Critical Process Control Networks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Digital Detective

Digital Detective

Digital Detective offer a range of products and services for digital forensic analysis and advanced data recovery.

Verimatrix

Verimatrix

Verimatrix is a global provider of innovative cybersecurity solutions that protect content, devices, software and applications.

CERT-PA

CERT-PA

CERT-PA is the national Computer Emergency Response Team for Italian government institutions.

Basis Technology

Basis Technology

Basis Technology provides software solutions for text analytics, information retrieval, digital forensics, and identity resolution.

MonsterCloud

MonsterCloud

MonsterCloud is a leader in managed cyber security services. Our cyber security team constantly monitors and protects businesses from cyber threats.

UM Labs

UM Labs

UM Labs is a developer of security products for Voice over IP (VoIP), protecting SIP trunk connections, safeguarding mobile phone communications and enabling BYOD.

FoxGuard Solutions

FoxGuard Solutions

FoxGuard Solutions develops customized cyber security, compliance and industrial computing solutions for critical infrastructure entities and control system vendors.

KOVRR

KOVRR

Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.

VaultOne

VaultOne

VaultOne is a next-generation security solution that addresses security issues from different domains (Password Manager, Secure Access, PAM, Identity Management) as a single, integrated solution.

CyberASAP

CyberASAP

CyberASAP provides expertise, knowledge and support to convert academic ideas into commercial products in the cyber security space.

Invest Ottawa

Invest Ottawa

The IO Accelerator Program is designed to rapidly and systematically accelerate the development and commercial success of high growth technology firms.

CyberCube

CyberCube

CyberCube provide world-leading cyber risk analytics for the cyber insurance market.

Team Secure

Team Secure

Team Secure provide Enterprise-grade Cyber Security consultancy, managed security services and cyber security staffing services.

Wing Security

Wing Security

Wing fosters a stronger security culture by engaging SaaS end-users and enabling easy communication with security teams.

Innov8tif

Innov8tif

Innov8tif is an AI company specialised in providing ID assurance solutions — helping digital businesses to prevent frauds by verifying and authenticating customers identity.

Verastel

Verastel

Specializing in the niche space of proactive cyber-defense, and adaptive resilience, team Verastel is bolstering enterprise digital security like never before.