Your Server Has Been Hacked… What Next?

Uploaded on 2016-07-15 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Over a long enough time-frame, the chances of an Internet-facing server being hacked approach certainty. Online criminals trawl the net looking for vulnerable servers. If a server hosts a popular website or one with valuable private information, it may attract the focused attention of an attacker.

One of the skills a competent server administrator develops is an understanding of how to deal with a compromised server. Ideally, your server won’t ever be compromised, and there are many things you can do to reduce the chances of hackers finding a way in, but if it happens, you need to be ready.

How Are Servers Hacked?

There are four main vectors that can be exploited by criminals:

  • A vulnerability in a web-facing application or the systems that support it (e.g. the database).
  • A vulnerability in a component of the operating system.
  • A phishing attack.
  • A brute force attack.

It’s important that once you discover a server has been compromised, you try to discover how. Knowing how the attacker got in can help you reduce the risk of future compromises.

How Can You Tell If Your Server Is Compromised?

It’s in the interest of attackers to remain hidden, so you may not notice for some time, but compromised servers often exhibit unusual patterns of behavior like excessive bandwidth use, a strange pattern of network connections, or greater resource use than usual. You won’t notice these changes if you don’t monitor server performance and logs. Monitoring is a key part of server security.

Malware and rootkit scanners will help you discover if your server’s core systems have been compromised, or if an attacker has installed malware on the system.

The least desirable way to discover that your server has been compromised is for someone else to let you know. The server’s IP may be blocked by a spam blacklist, or a company like Google may get in touch to tell you they’ve removed your server from the search engine results because it’s infecting users with malware.

Next Steps

If your server is spewing malware, leaking private data, or otherwise putting users at risk, the first step is to remove it from the Internet altogether. That might mean shutting down a specific site or taking the entire server offline.

Next, backup your data 

It’s possible that the data or the applications running on your server have been maliciously modified, so you won’t restore from this backup, but a recent backup is an essential diagnostic and forensic tool — it will help you discover how your server was hacked.

You should let your hosting company’s support service know that you suspect your server has been compromised. Depending on the level of service you pay for, they may be able to help. At the very least they can use the information you give them to spot patterns of criminal activity.

Now for the hard truth, if your server has been compromised, you cannot trust any of the software it runs. Unless you are an expert system administrator with a deep knowledge of server security, you should not attempt to “clean” your server. The best course of action is to reinstall the operating and restore your software and sites from a verified malware-free backup.

If you believe the compromise is limited to a specific site or container, you might get away with reinstalling and restoring that area of your server. For example, hacked WordPress sites can often be restored without having to reinstall the whole server. But if you’re unsure, or there is an indication that the server has been infected with a rootkit, reinstallation is the only viable option.

Which brings me to the last piece of advice for this piece: make sure you regularly and comprehensively backup the data on your server. Without a comprehensive backup, you are out on a limb which stands a good chance of being sawed off.
 
Business2Community

 

« Bank of England: Cyberattacks A 'Clear and Present Danger'
Air Gapping Critical Process Control Networks »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

Allianz Commercial

Allianz Commercial

Allianz Commercial is the center of expertise and global line of Allianz Group for insuring mid-sized businesses, large enterprises and specialist risks.

Brinqa

Brinqa

Brinqa is a leading provider of unified risk management and security analytics.to manage IT governance and technology risk.

TUV Sud

TUV Sud

TÜV SÜD is a leading technical service organisation. We specialize in testing, certification, auditing, training, and advisory services for different industries.

SISSDEN

SISSDEN

SISSDEN will improve cybersecurity through the development of increased awareness and the effective sharing of actionable threat information.

Volatility Foundation

Volatility Foundation

Volatility is an open source memory forensics framework for incident response and malware analysis.

SCADASUDO

SCADASUDO

SCADASUDO is a cyber solution architecture and design office, established by leading experts in the field of OT (Industrial control) and IT (information Technology).

Austrian Institute of Technology (AIT)

Austrian Institute of Technology (AIT)

AIT is Austria's largest research and technology organisation and a specialist in the key infrastructure issues of the future including data science and cybersecurity.

Mayhem

Mayhem

Mayhem, by ForAllSecure, is a developer-first application and API security testing solution.

AdEPT Technology Group

AdEPT Technology Group

AdEPT are a managed services and telecommunications provider offering award-winning, proven and uncomplicated technical solutions for over 12,000 organisations across the UK.

RankedRight

RankedRight

RankedRight empowers security teams to take immediate action on their most critical risks.

OX Security

OX Security

OX is a DevOps software supply chain security solution. Teams can verify the integrity and security of every artifact using a pipeline bill of materials (PBOM).

Ontinue

Ontinue

Ontinue ION is an MXDR service that provides Nonstop SecOps through five key capabilities that enable your organization to respond to attacks and continuously reduce risk.

Prescott

Prescott

Prescott acts as your guiding light in the preparation for your CMMC assessment and long after by governing your cybersecurity practice.

CR Group

CR Group

CR Group is a Swedish-owned, cyber-security company oriented towards the European market. We offer solutions for vital societal functions that are both easy-to-buy and easy-to-use.

Tulpa AI

Tulpa AI

Tulpa develops safe AI assistants (co-pilots) to support and enhance human performance in high-stakes, mission-critical decision-making environments.