Cloud Security Authors: Yeshim Deniz, Zakia Bouachraoui, Liz McMillan, Elizabeth White, Ravi Rajamiyer

Related Topics: Cloud Security

Cloud Security: Article

Hacked Server? What Should You Do?

Fixing a Hacked Server

It's a server administrator's worst nightmare, and it's one that almost every sysadmin will have to face at some point. Your server's been hacked. Perhaps you've been notified by your hosting provider that it's being used in a DDoS attack. Or you have noticed a spike in resource use that can't be tied to legitimate activity. Or your malware scanners have located what looks like a backdoor. The sinking feeling on realising that your server has been exploited is horrible, especially when you consider the potential damage to your business, but it's important that you deal with it rationally.

You next steps will depend on unique factors, but there is some general advice that I would give to everyone facing this scenario.

Keep Calm

Your reaction might be to start trying desperately to fix the problem, essentially applying band aids to your server in the hope that you'll be able to mitigate the data loss or the impact immediately. It's a natural reaction but it can cause more problems than it solves. To properly handle a hacked server, you need information, and acting without a full understanding of the situation can make things worse.

According to Eric Cole director of the SANS Cyber Defense Program at the SANS Institute, "It is easy to panic and start trying to control the damage. But very often, without a proper plan, you could actually be destroying evidence and making things worse."

So, remain calm and try to develop an understanding of what exactly happened. Consult logs, find out what is running on your server, run malware scans, and, if you don't have the expertise to assess the situation yourself, call in outside help.

First Steps

First, you want to deprive the attacker of their means of access to your server. Hopefully, you've been able to figure out how they got in, but fixing the immediate problem isn't sufficient. If a hacker has been able to access your server, you can no longer trust any of its passwords or those of any other servers on your network.

You should implement a complete security overhaul, changing SSH and FTP passwords, email passwords, account passwords, and everything else that could conceivably been accessed by the attacker.

In many cases, you aren't going to be able to avoid doing a complete reinstall of the server. If a hacker has remote root access and has managed to install a rootkit, nothing on the server can be trusted.

Implement The Fix

If you're certain that your operating system hasn't been exploited, and it's just specific applications or scripts running on the server that are causing the problem, you may be able to get away with blowing away just that app and reinstalling.

As noted by Rimhosting:

The first thing most webapp exploits do is to install a backdoor.  e.g. a URL they can check that re-enables their access, or a cron task that runs to re-add their access.  So it may be best to do a reinstall of your server.  And be very, very careful what content you bring over from your backups.

That last point is of particular importance. You should only reinstall from your backups if you are certain that the exploit hasn't been backed up too. Use backups from before the hack. This is why it's important to keep at least several months of backups.

Notify Users

This is probably the most difficult decision for many businesses, but if there's a chance user data was leaked, you have an ethical duty to inform your users so that they can take steps to protect themselves.

Don't Let It Happen Again

Being hacked is a risk we take whenever we put servers on the open Internet. However diligent you are as a server administrator, it's possible for vulnerabilities in the software you rely on to sink your ship. You shouldn't be too hard on yourself, but you should learn from the incident and implement processes so the same thing doesn't happen again. And of course, if you weren't sticking to basic security best practices like using secure passwords and ensuring that your server's software was updated, hopefully you'll learn that lesson too.

A hacked server is not something any of us want to deal with, but if you tackle it calmly, rationally, and transparently, there's no reason it should hurt your business to badly.

More Stories By Graeme Caldwell

Graeme works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess and check out their tech/hosting blog, https://blog.nexcess.net/.

IoT & Smart Cities Stories
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and sh...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and Bi...
Contextual Analytics of various threat data provides a deeper understanding of a given threat and enables identification of unknown threat vectors. In his session at @ThingsExpo, David Dufour, Head of Security Architecture, IoT, Webroot, Inc., discussed how through the use of Big Data analytics and deep data correlation across different threat types, it is possible to gain a better understanding of where, how and to what level of danger a malicious actor poses to an organization, and to determin...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
The Founder of NostaLab and a member of the Google Health Advisory Board, John is a unique combination of strategic thinker, marketer and entrepreneur. His career was built on the "science of advertising" combining strategy, creativity and marketing for industry-leading results. Combined with his ability to communicate complicated scientific concepts in a way that consumers and scientists alike can appreciate, John is a sought-after speaker for conferences on the forefront of healthcare science,...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...