NOTE:
Remember that it is your responsibility to maintain the security of any scripts or applications you choose to install and use on your hosted service. For more details, please read our Statement of Support.
Overview
This article discusses why a server might be hacked, how a server can be exploited, and recommendations for securing your server. An exploited or hacked server is one that is no longer fully under your control: someone else is now partially controlling it and using it for their own purposes. Here are some common reasons an attacker compromises a server:
- Send out spam email.
- Launch attacks against other servers, consuming your CPU, memory, and bandwidth in the process.
- Host a phishing website on your server to harvest sensitive information from its visitors.
Background
How can my service be exploited?
There are two primary ways a server may be compromised:
- The attacker has guessed, brute-forced, or otherwise obtained the password of a user on the server. This may be an email, FTP, or SSH user.
- The attacker has gained access through a vulnerability in a web application (or its add-ons/plugins) such as WordPress, Joomla, Drupal, etc.
How do I know if my service has been exploited?
Customers often do not notice that they have been compromised until they are contacted by the (mt) Media Temple Abuse Department. However, if you follow our Advanced Guides on checking whether your service has been compromised, you may be able to spot this activity yourself.
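As an added example (my own script, not part of the original article and not a Media Temple tool), here is a small POSIX shell script that does a first-pass check of a web root for two common indicators: PHP files containing the obfuscation idioms typical of webshells, and files modified more recently than your own last change. The pattern list is an assumption on my part, not a complete signature set; treat each hit as a file to open and read, not as proof of compromise.

```shell
#!/bin/sh
# Quick triage scan of a web root for injected or dropped PHP.
# Added example, not a Media Temple tool. The patterns are an assumption:
# common obfuscation idioms seen in webshells, not a complete signature set.

# ERE matching the usual webshell idioms: eval of base64/gzip blobs,
# user-controlled input called as a function, and direct shell execution.
WEBSHELL_RE='eval\(base64_decode\(|gzinflate\(base64_decode\(|str_rot13\(|preg_replace\(.*/e|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\]\(|passthru\(|shell_exec\('

# Print "SUSPECT   <file>" for PHP files under $1 that match WEBSHELL_RE, and
# "DISGUISED <file>" for image files that carry a PHP open tag (upload
# directories are a classic hiding place). Always exits 0; read the output.
scan_webroot() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -l -E "$WEBSHELL_RE" {} + 2>/dev/null \
        | sed 's/^/SUSPECT   /'
    find "$webroot" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' \
                               -o -name '*.gif' -o -name '*.ico' \) \
        -exec grep -l '<?php' {} + 2>/dev/null \
        | sed 's/^/DISGUISED /'
    return 0
}

# Print regular files under $1 modified in the last $2 days (default 7).
# Compare against your own deploy dates; anything you did not change is
# worth a look, .htaccess files and application config files in particular.
recent_changes() {
    find "$1" -type f -mtime -"${2:-7}" -print | sort
}

# Usage: sh scan.sh /path/to/httpdocs [days]   (script name assumed)
if [ $# -gt 0 ]; then
    scan_webroot "$1"
    recent_changes "$1" "${2:-7}"
fi
```

Legitimate code occasionally calls `shell_exec` or uses `preg_replace`, so expect a few false positives in a large application; the point of the scan is to shorten the list of files you have to read by hand, not to replace reading them.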
What steps can I take to prevent my service from being hacked?
Use Strong Passwords
Be sure to use strong, unique passwords. This includes passwords for the AccountCenter, Plesk, your root password, etc. The stronger the password the better protected your service will be, and a password reused on another site is only as safe as that site, so do not share passwords between services. GRC (Gibson Research Corporation) provides a free tool that will generate strong passwords for you.
Use Secure Protocols
When connecting to your services, use encrypted connections whenever possible. This includes SSL/TLS connections for email (IMAPS, POP3S, and SMTP with STARTTLS or SMTPS) and SFTP instead of plain FTP, which sends your password across the network in clear text. You can learn more about using secure connections for these services by reading the following guides:
Maintain Regular Backups
Be sure to back up your data on a regular basis. If a domain, or your entire service, becomes compromised, it may go unnoticed for a while, so keep several generations of backups rather than overwriting a single copy. You do not want to restore a compromised backup; you always want to restore from the last known clean backup.
- How can I backup and restore a MySQL database?
- Backup Options
- Grid Backing Up Site Content
Harden your PHP Settings
Just making a few changes to your php.ini file can greatly increase the security of your service. Here are a few settings we recommend:
- Enable Safe Mode (note: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so this setting only has an effect on older PHP versions)
- Disable allow_url_fopen (and allow_url_include, the directive that controls whether include/require can load code from a remote URL)
- Increase PHP security with PHPSecInfo
If you are not sure how to edit your php.ini file, you can use the following guides:
If you want to set these configurations differently for each domain, you will want to use a .htaccess file:
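The following added example (my own script, not Media Temple's and not from the original article) audits a php.ini file for the settings discussed above plus two closely related ones, and reports which are still at a weak value. The list of directives, and the compiled-in PHP defaults assumed when a directive is not set at all, are my choices; safe_mode is deliberately not checked because it was removed in PHP 5.4, so setting it on a current build does nothing. When PHP runs as an Apache module, directives marked PHP_INI_ALL in the PHP manual (display_errors, for example) can be set per domain in a .htaccess file with a line such as `php_flag display_errors Off`.

```shell
#!/bin/sh
# Audit a php.ini against a short list of hardening settings.
# Added example, not a Media Temple tool. The directives checked and the
# PHP defaults assumed for unset directives are my assumptions.

# "directive  hardened-value  PHP-default-when-unset", one per line.
CHECKS='allow_url_fopen Off On
allow_url_include Off Off
display_errors Off On
expose_php Off On'

# Print the value assigned to directive $2 in ini file $1 (last uncommented
# assignment wins, which is how PHP reads the file). Prints nothing if unset.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Fold PHP's accepted boolean spellings (0/1, on/off, true/false, ...) onto On/Off.
normalize() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '"')" in
        ''|0|off|false|no|none) echo Off ;;
        *) echo On ;;
    esac
}

# Report each directive in CHECKS as OK or WEAK for ini file $1.
audit_php_ini() {
    ini="$1"
    printf '%s\n' "$CHECKS" | while read -r directive want default; do
        raw=$(ini_get "$ini" "$directive")
        if [ -z "$raw" ]; then
            # Not mentioned in the file at all: PHP's built-in default applies.
            actual=$default
            note=" (not set, PHP default applies)"
        else
            actual=$(normalize "$raw")
            note=""
        fi
        if [ "$actual" = "$want" ]; then
            echo "OK    $directive = $actual$note"
        else
            echo "WEAK  $directive = $actual$note; set it to $want"
        fi
    done
}

# Usage: sh audit-php-ini.sh /etc/php.ini   (script name and path assumed)
if [ $# -gt 0 ]; then
    audit_php_ini "$1"
fi
```

Run it against every php.ini that is actually loaded (`php --ini` lists them), since a hardened main file is undone by a per-domain override that switches display_errors back on.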
Working with third-party applications
When you are working with third-party software such as WordPress, Drupal, or Joomla, please consider these points. They are just as important for the plug-ins those applications rely on for extended functionality, since each plug-in is additional code that must be kept patched.
- Be careful with what third-party tools you choose to use. Pick software that is known to have a reliable reputation for security, and prefer software that receives frequent updates to patch security holes.
- Be sure to update your software regularly. Subscribe to the RSS feeds of any applications you use; this is a fantastic, effortless way to stay aware of any new updates that you may need to stay secure. Remove plug-ins and themes you no longer use: even when deactivated, their files remain on the server and can still be reached by an attacker.
If you're having trouble with the steps in this article, additional assistance is available via Advanced Support, our premium services division. For more information on what Advanced Support can do for you, please click here.
I've been hacked. What can I do?
- Backup your domains and service, but please remember that this backup will probably contain compromised scripts. You do NOT want to restore directly from this backup.
- Take your website offline temporarily, or until you know you have resolved the issue. Alternatively, consider displaying an "Under Construction" page. This should be done to prevent any hacked pages from being served to your site visitors/customers.
- Start performing Damage Assessment. What is the scope of the problem? Is only one domain affected? Are other domains on your service affected also?
- Start the Recovery Process. The best thing you can do is reinstall your environment from a known clean source.
- Grid Customers - You may need to submit a support request asking for your Grid service to be re-provisioned.
- VPS Hosting server Customers - You can submit a support request to have your service re-provisioned or you can choose to re-install VPS.
- After your re-install has been completed, use your most recent safe backup to restore your site. Make sure your backup does not contain any hacked files: compare it against an older backup if you are unsure, and check upload directories and .htaccess files as well as the application code.
- Update all of your passwords, and make sure they are secure (see Use Strong Passwords above). Include the database passwords and other credentials stored in application configuration files, since an attacker who could read your files has read those too.
- Finally, take the steps to restore your online presence.
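Judging whether a backup is really clean and scoping the damage both come down to the same question: which files differ from the last state you trust? The added example below, my own script rather than Media Temple tooling or anything from the original article, records a SHA-256 manifest of a known-clean tree and later reports every file that is new, modified, or missing in a backup or a live tree compared with that baseline. The path layout and output format are my own choices.

```shell
#!/bin/sh
# Integrity baseline for a site tree. Added example, not Media Temple tooling.
# Record a manifest of a known-clean tree once (right after a clean install
# or deploy), then check a backup or a live tree against it before you
# restore or reuse it.

# Write "sha256  ./relative/path" lines for every regular file under $1.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare tree $1 against manifest $2 and print one line per difference:
#   MODIFIED path  content differs from the baseline
#   MISSING  path  present in the baseline, gone from the tree
#   NEW      path  present in the tree, absent from the baseline
# A backup that shows NEW or MODIFIED entries you did not make is not a
# clean restore point. Prints nothing when the tree matches.
verify_manifest() {
    tree="$1"
    manifest="$2"
    current=$(mktemp)
    make_manifest "$tree" > "$current"
    awk -v base="$manifest" '
        # sha256sum output is "<hash>  <path>"; split on the double space so
        # paths containing single spaces survive.
        { hash = $1; path = substr($0, index($0, "  ") + 2) }
        FILENAME == base { want[path] = hash; next }
                         { have[path] = hash }
        END {
            for (p in want) {
                if (!(p in have)) printf "MISSING  %s\n", p; else if (have[p] != want[p]) printf "MODIFIED %s\n", p
            }
            for (p in have) {
                if (!(p in want)) printf "NEW      %s\n", p
            }
        }' "$manifest" "$current" | sort
    rm -f "$current"
}

# Usage (script name assumed):
#   sh site-baseline.sh baseline /path/to/httpdocs > clean.sha256
#   sh site-baseline.sh verify   /path/to/restored clean.sha256
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    verify)   verify_manifest "$2" "$3" ;;
esac
```

Take the baseline immediately after a clean install or deploy and store the manifest somewhere the web server cannot write, otherwise an intruder can edit it along with the files. Upload directories will change legitimately; a .php file under an uploads directory or an edited .htaccess showing up as NEW or MODIFIED is the kind of entry to read first.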
More General Tips
- Avoid insecure file and directory permissions. In particular, avoid world-writable (777) directories and files; web content normally needs no more than 755 for directories and 644 for files.
- Check for any common XSS (cross-site scripting) and SQL injection vulnerabilities. Visit http://www.stopbadware.org/home/security for more information.
- VPS Customers can read the following guide: Securing your Server
- Join and contribute to online communities that are dedicated to helping fight badware/phishing. Here are a few examples:
- Here are two more resources from google.com on what you can do if you have been hacked, and how to prevent it: