This article discusses why a server might be hacked, how it can be hacked and suggestions for securing your server. An exploited server is no longer fully under your control: someone else is now partially controlling your server and using it for their own purposes. Here are some common reasons why a server is exploited or hacked:
A user compromise means that the affected user has to be disabled, infected files have to be cleaned up and the user recreated under a different name.
This most likely happens for one of two reasons.
1. Use of password-based authentication, which is susceptible to brute-force attacks (https://www.e2enetworks.com/help/why-key-based-ssh-is-secure-than-password-based-access/).
2. Any vulnerable or unpatched service running as that user might be compromised. A variation of a user compromise is the site compromise, in which an attacker gains access to the user account that runs the site.
A root compromise means that the entire box is compromised. The reasons for the compromise are the same as for non-root users, but the consequences are far more catastrophic. The most recommended action in such circumstances is to take the box off the public network, create a new machine and set up all sites/services afresh. Otherwise you will be looking at a scenario where the attacker has installed backdoors/rootkits on the box and can potentially eavesdrop on sensitive information.
Please feel free to contact support@e2enetworks.com or managed-support@e2enetworks.com (in case you have signed up for managed services) to get more information on evaluating your site/server for potential vulnerabilities.
1. Do a complete scan of the entire code base of your site and ensure that any compromised files are restored from backup (if there is a subscribed backup plan, E2E can do the restore as well).
2. Review access controls and remove every user who does not need access to the server.
3. Have the development team add input validation so that no code files with innocuous extensions can be uploaded to the site.
4. Ensure that you are running a fully patched version of the software you use (Magento, WordPress, Drupal etc. need to be kept updated after appropriate testing).
5. Deploy a web application firewall to guard against common types of attacks. This can be done using mod_security with the OWASP filters.
6. Keep all versions of the software stack up to date.
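The input-validation step above is the one most often done half-heartedly: checking only the last extension lets a file such as `shell.php.jpg` or a JPEG with PHP code appended reach the web root, where a misconfigured server may execute it. The following upload validator is an added example written for this article, not code from E2E Networks or from any of the CMSs mentioned. It assumes a hypothetical upload handler that passes the client-supplied filename and the raw bytes to `validate_upload()`; the allowlist, the magic-number table and the sample files are all constructed for the example. It rejects executable extensions anywhere in the name, requires the content to match the declared type's magic bytes, refuses files containing code markers, and stores accepted files under a content-derived name so an attacker never chooses the name on disk.

```python
import hashlib
from pathlib import PurePosixPath
from typing import Tuple

# Allowlist of accepted upload types: extension -> accepted leading bytes (magic numbers).
# Constructed for this example; extend it only with types the site really needs.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a typical web server may hand to an interpreter. If one of these appears
# anywhere in the filename (e.g. shell.php.jpg), the upload is rejected outright.
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "py", "sh",
    "jsp", "asp", "aspx",
}

# Byte sequences that have no business inside a static image.
CODE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_upload(filename: str, data: bytes, max_bytes: int = 5_000_000) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and its raw bytes."""
    # Keep only the final path component so "../../x.png" cannot escape the upload dir.
    name = PurePosixPath(filename).name
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    if len(data) > max_bytes:
        return False, "file too large"

    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    extensions = parts[1:]

    # Double extensions: every extension in the name is checked, not just the last one.
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, "executable extension in filename"

    ext = extensions[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"

    # The declared type must match the file's magic bytes; a PHP script named photo.jpg fails here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"

    # A genuine image with code appended (polyglot) fails here.
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        return False, "embedded code marker found"

    return True, "ok"


def safe_storage_name(filename: str, data: bytes) -> str:
    """Validate the upload and return a server-chosen filename derived from the content hash."""
    accepted, reason = validate_upload(filename, data)
    if not accepted:
        raise ValueError(reason)
    ext = PurePosixPath(filename).name.lower().rsplit(".", 1)[-1]
    return hashlib.sha256(data).hexdigest()[:32] + "." + ext


# Constructed sample uploads used to exercise the validator.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SAMPLE_PHP = b"<?php system($_GET['c']); ?>"  # a script with an image extension
SAMPLE_POLYGLOT = SAMPLE_JPG + b"<?php echo 1; ?>"  # valid JPEG header with code appended

if __name__ == "__main__":
    for fname, blob in [
        ("logo.png", SAMPLE_PNG),
        ("shell.php.jpg", SAMPLE_JPG),
        ("photo.jpg", SAMPLE_PHP),
        ("photo.jpg", SAMPLE_POLYGLOT),
        ("../../etc/avatar.png", SAMPLE_PNG),
        ("notes.txt", b"hello"),
    ]:
        print(fname, validate_upload(fname, blob))
```

Store accepted files outside the document root or in a directory where the web server has script execution disabled; the validator reduces the chance of a web shell being uploaded, but the server configuration is what stops an uploaded file from ever being executed.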