

My server's been hacked - oozcitak
http://serverfault.com/questions/218005/my-servers-been-hacked-emergency

======
iwwr
That's a remarkable piece of advice for a very vague question. Though,
unlikely to help the OP.

~~~
blueben
Incident Response in a nutshell. I'm very curious to hear how the situation
turned out.

------
piotrSikora
"Carefully explaining your problem is half of the solution."

------
boreacrat
I basically agree with all the advice given, but the easy-fix-guy in me
realizes that it's most likely just replacing a weak password and deleting an
easily found botnetscript, and he'll can have the box up and running again.

I guess that's the difference between fixing my private boxes with no
sensitive informastion and fixing this guy's 600-site serving box:)

------
c4urself
just a question from someone who probably also would've asked this
"incomplete" question (e.g. my server's been hacked what do i do): what kind
of other information should be provided? sys logs apache logs ?

~~~
Hoff
From the article... _I'm assuming you've understood all the issues that led to
the successful intrusion in the first place before you even start this
section. I don't want to overstate the case but if you haven't done that first
then you really do need to. Sorry._

It would be better if _you_ learned to read your logs on a regular basis, to
know what the baseline activities and patterns for your servers look like,
configured locally-appropriate log settings for your environment (and quite
possibly with more detailed settings than the logging defaults), and to then
look for oddities or patterns or connections or unusual events on a daily or
weekly basis, or unusual logins, or whatever particular hole(s) the attackers
have exercised.

Then you look for file system modifications or unexpected server activity
patterns, etc. And match these against the log activity and firewall traffic.

Posting everything from your logs is going to drown folks in data. And may
well end up exposing more about your security configuration than you had
intended.

Follow what the article suggests here... _What steps can you take to reduce
the probability of an attack being successful?_

Going backwards to where a server configuration might be defensible and
debuggable and recoverable. Look to a move to certificate-based authentication
(or passphrases and certificates) and away from traditional passwords, to VPNs
rather than open protocols, to sftp and away from ftp, to locked-down web and
service directories for services rather than writable directories, to various
options with firewall blocks or zen-based or other blacklists combined with
tools such as mod_security, to staying current on your software versions, to
configuring defenses in depth against common attacks, and to getting your logs
where you want it, and the one that tends to get lost...

You want... _Good backups of your data._

And preferably with some of these backup copies entirely disconnected from the
security domain of your server. Push-based copies or pull-based copies
involving remote hosts, for instance.

------
BonoboBoner
Amazing answer this question has spawned. I particulary like this statement,
it somehow puts things into perspective:

"First: understand that the disaster has already happened. This is not the
time for denial; it is the time to accept what has happened, to be realistic
about it, and to take steps to manage the consequences of the impact."

------
AdamGibbins
600 sites on a single non-redundant box? Ouch.

~~~
cagenut
Thats how essentially all "mass vhosting" tier hosts are run. Think dreamhost,
godaddy, etc. If you're paying for less than a VPS, thats what you're on.

~~~
mprovost
We used to run closer to 1200-1500 at every hosting company that I ran. You
don't get much for $5 a month.

------
euroclydon
For every person in this guy's situation, I wonder how many others have hacked
servers and are totally unaware?

