Your Server Has Been Hacked… What Next?

Over a long enough time-frame, the chances of an Internet-facing server being hacked approach certainty. Online criminals trawl the net looking for vulnerable servers. If a server hosts a popular website or one with valuable private information, it may attract the focused attention of an attacker.

One of the skills a competent server administrator develops is an understanding of how to deal with a compromised server. Ideally, your server won’t ever be compromised, and there are many things you can do to reduce the chances of hackers finding a way in, but if it happens, you need to be ready.

How Are Servers Hacked?

There are four main vectors that can be exploited by criminals:

  • A vulnerability in a web-facing application or the systems that support it (e.g. the database).
  • A vulnerability in a component of the operating system.
  • A phishing attack.
  • A brute force attack.

It’s important that once you discover a server has been compromised, you try to discover how. Knowing how the attacker got in can help you reduce the risk of future compromises.

How Can You Tell If Your Server Is Compromised?

It’s in the interest of attackers to remain hidden, so you may not notice for some time, but compromised servers often exhibit unusual patterns of behavior like excessive bandwidth use, a strange pattern of network connections, or greater resource use than usual. You won’t notice these changes if you don’t monitor server performance and logs. Monitoring is a key part of server security.

Malware and rootkit scanners will help you discover if your server’s core systems have been compromised, or if an attacker has installed malware on the system.

The least desirable way to discover that your server has been compromised is for someone else to let you know. The server’s IP may be blocked by a spam blacklist, or a company like Google may get in touch to tell you they’ve removed your server from the search engine results because it’s infecting users with malware.

Next Steps

If your server is spewing malware, leaking private data, or otherwise putting users at risk, the first step is to remove it from the Internet altogether. That might mean shutting down a specific site or taking the entire server offline.

Next, backup your data 

It’s possible that the data or the applications running on your server have been maliciously modified, so you won’t restore from this backup, but a recent backup is an essential diagnostic and forensic tool — it will help you discover how your server was hacked.

You should let your hosting company’s support service know that you suspect your server has been compromised. Depending on the level of service you pay for, they may be able to help. At the very least they can use the information you give them to spot patterns of criminal activity.

Now for the hard truth, if your server has been compromised, you cannot trust any of the software it runs. Unless you are an expert system administrator with a deep knowledge of server security, you should not attempt to “clean” your server. The best course of action is to reinstall the operating and restore your software and sites from a verified malware-free backup.

If you believe the compromise is limited to a specific site or container, you might get away with reinstalling and restoring that area of your server. For example, hacked WordPress sites can often be restored without having to reinstall the whole server. But if you’re unsure, or there is an indication that the server has been infected with a rootkit, reinstallation is the only viable option.

Which brings me to the last piece of advice for this piece: make sure you regularly and comprehensively backup the data on your server. Without a comprehensive backup, you are out on a limb which stands a good chance of being sawed off.
 
Business2Community

 

« Bank of England: Cyberattacks A 'Clear and Present Danger'
Air Gapping Critical Process Control Networks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Paraben

Paraben

Paraben provides digital forensics solutions for mobile devices, smartphones, email, hard drives, and gaming system.

NQA Certification

NQA Certification

NQA provides certification to a range of ISO standards including ISO 27001 for information security management.

International Security Management Association (ISMA)

International Security Management Association (ISMA)

ISMA is an international security association of senior security executives from major business organizations located worldwide.

VdS

VdS

VdS is an independent safety and security testing institution. Cybersecurity services include standards, audit/assessment and certification for SMEs.

Telspace Systems

Telspace Systems

Telspace Systems provides penetration testing, vulnerability assessment and training services.

Cisco Talos

Cisco Talos

Talos is an industry-leading threat intelligence solution that protects your organization’s people, data and infrastructure from active adversaries.

Cybonet

Cybonet

Cybonet is committed to empowering organizations of all sizes with the tools and capabilities to detect and engage cyber security threats.

Aiuken Cybersecurity

Aiuken Cybersecurity

Aiuken is an international IT Security company, focused on communications and IT technologies, specialised in Security and Cloud Services solutions with high added value.

CyPhyCon

CyPhyCon

CyPhyCon is an annual event exploring threats and solutions to cyber attacks on cyber-physical systems such as industrial control systems, Internet of Things and Industrial Internet of Things.

Improsec

Improsec

Improsec is a fully independent Cyber Security advisory company - we provide knowledge, experience and both strategic and deep technical expertise to our clients.

Telefonica Global Solutions (TGS)

Telefonica Global Solutions (TGS)

Telefonica Global Solutions is the technological partner of wholesalers and enterprises, helping them to achieve the digitalization they need.

Ampere Industrial Security

Ampere Industrial Security

Ampere is an industrial security firm. We specialize in industrial control systems (ICS) and operational technology (OT) security.

Sekuro

Sekuro

Sekuro is your leading governance and cyber security partner. Building organisational resilience. Enabling fearless innovation.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Panasonic Automotive Systems

Panasonic Automotive Systems

Panasonic Automotive Systems brings together security technologies and human resources cultivated across an extensive range of businesses into the automotive field.

ArmorX AI

ArmorX AI

ArmorX AI (formerly Kapalya) operates an encryption management platform designed to encrypt all data in transit and at rest on mobile end-points, corporate servers, and cloud servers.