  1. #1

    Server hacked.. next steps?

    I found a shell uploaded to one of my hosting account's public_html folder today. I tested it and the shell was able to run, although initially it does not seem like anything bad was done to it; for example, no sites were defaced.

    This server is used only by myself, hosting only 1 site and I am running a custom script, not WordPress or anything that is subject to being outdated and hacked. So I am really curious about how a shell was uploaded.

    I checked the logs and it does not seem like the hacker got in by root or by FTP.

    Now what are my next steps after getting hacked besides changing the passwords?

  2. #2
    Worthless reply from me, but many users here suggest hiring a specialist, depending on the OS, who will secure your environment and look for backdoors.

    I heard something about rack911 for Unix OSes.
    Last edited by Plankt0n; 03-25-2011 at 04:15 AM. Reason: Typo

  3. #3
    I would give rack911 a call.

    Otherwise I would run rkhunter, maldet, and clamav to check for bad things...

  4. #4
    If you have any knowledge of the OS you are running, then try running, as already recommended, rkhunter, clamav, etc.

    If not, then I would recommend you hire a specialist.

  5. #5
    Quote Originally Posted by chasebug View Post
    I found a shell uploaded to one of my hosting account's public_html folder today. I tested it and the shell was able to run, although initially it does not seem like anything bad was done to it; for example, no sites were defaced.

    This server is used only by myself, hosting only 1 site and I am running a custom script, not WordPress or anything that is subject to being outdated and hacked. So I am really curious about how a shell was uploaded.

    I checked the logs and it does not seem like the hacker got in by root or by FTP.

    Now what are my next steps after getting hacked besides changing the passwords?
    A shell could've been uploaded through an uploader form in the website's script. You can disable certain PHP functions and also run suPHP to minimise the chance of being compromised again. There is still no guarantee that your server is 100% secure though.


  6. #6
    I would reinstall the server. From my point of view, that would be your only 100% safe option, unless you're hiring a specialist - but that's what everyone else is saying so I'll skip that.

  7. #7

    If you have an uploading script in your account, like image upload or file upload, this might have a loophole. Check the logs for POST requests.

  8. #8
    I would definitely run rkhunter; after that you need to scan all your web-accessible directories for PHP/CGI shell scripts.

    They can be of any extension really, so don't ignore files like .jpg, .gif, etc.

    Also, running a PHP/SQL injection scanner on your scripts might be a good idea.

    Reject connections over FTP/SSH except from known hosts.

    Make sure you don't have any service running that you don't need.

    Run an nmap scan on your box and see if you have any ports open that you don't know about.
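
The two checks suggested in posts #7 and #8, as an added example that is not part of the original thread: it flags image-named files under a web root that contain PHP code, and lists successful POST requests to paths the site does not expect to receive POSTs. The function names, the Apache combined log format, the expected-path set and all sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".ico"}
# Byte patterns that should never occur inside an image file.
PHP_MARKERS = re.compile(rb"<\?php|\beval\s*\(|\bbase64_decode\s*\(", re.I)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')  # combined log format
SAMPLE_LOG = [  # constructed log lines
    '203.0.113.5 - - [24/Mar/2011:10:01:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [24/Mar/2011:10:05:40 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "-"',
    '198.51.100.7 - - [24/Mar/2011:10:06:11 +0000] "POST /images/logo.gif HTTP/1.1" 200 2048 "-" "-"',
]

def find_disguised_scripts(webroot):
    """Relative paths of image-named files that contain PHP code."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in IMAGE_EXT:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if PHP_MARKERS.search(fh.read(1 << 20)):  # first 1 MiB
                        hits.append(os.path.relpath(path, webroot))
    return sorted(hits)

def unexpected_posts(log_lines, expected_paths):
    """(ip, time, path) of 2xx POSTs to paths the site does not use for POST."""
    out = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group(3) == "POST" and m.group(5).startswith("2"):
            path = m.group(4).split("?", 1)[0]  # ignore the query string
            if path not in expected_paths:
                out.append((m.group(1), m.group(2), path))
    return out

def make_sample_webroot():  # constructed: one clean JPEG, one GIF carrying PHP
    root = tempfile.mkdtemp()
    samples = {"photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
               "logo.gif": b"GIF89a<?php /* constructed marker */ ?>"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(find_disguised_scripts(make_sample_webroot()))
    print(unexpected_posts(SAMPLE_LOG, {"/contact.php", "/upload.php"}))
```

A hit from either function is a lead to correlate by timestamp and client address, not proof on its own; files flagged by the scan should be preserved for analysis before removal.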

  9. #9
    If you are new at this, I would actually ask you to hire a specialist to look into this.

    You could always do a backup and install the OS from scratch.
