Unfortunately, it sometimes happens that a server gets hacked and infected with malware. In this article we discuss what hackers want and how you can notice that you have been hacked. Furthermore, we give you an idea of what to do if your server has been hacked, and how to protect your server in the first place so that it does not get hacked at all.
Have I been hacked?
Finding out whether your server has been hacked is not always easy. Hackers go to great lengths to hide their malware, other malicious software and the associated activity as much as possible. Nevertheless, there are a few indicators by which a hacked server can be recognized.
Here are a few examples:
- the server sends spam
- the content shown does not match what was uploaded
- the utilization is extraordinarily high
- unknown executable files can be found that have nothing to do with the running services
- settings have suddenly changed
- login details have changed
A single indicator is not necessarily proof of a hack. It may also be that a legitimate administrator tried new settings or changed passwords. Knowing the system and what is possible on it is therefore a basic requirement for reliably spotting a hacking incident.
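The following shell script is an added example, not part of the original article, that turns three of the indicators above into checks: recently changed executable or PHP files, an unusually high load average, and a changed passwd or shadow file. The directory paths, the 7-day window and the load threshold of 4.0 are assumptions to adjust for your own server.

```shell
#!/bin/sh
# Added example, not from the original article: quick checks for three of the
# indicators listed above. Every function takes file paths as arguments, so
# the same checks work on the running server or on its disk mounted from a
# live system. A hit is a lead to investigate by hand, not proof of a hack.

# Unknown executable files: list files under $1 that are executable or end in
# .php and were modified within the last $2 days (default 7). A normal
# deployment also produces matches, so compare against what you uploaded.
recent_suspects() {
    dir=$1; days=${2:-7}
    find "$dir" -type f \( -perm -u+x -o -name '*.php' \) -mtime "-$days" \
        2>/dev/null | sort
}

# Extraordinary utilisation: read a /proc/loadavg-style file ($1) and return 0
# when the 1-minute load average is above $2 (default 4.0).
load_too_high() {
    load=$(cut -d' ' -f1 "$1"); limit=${2:-4.0}
    awk -v l="$load" -v t="$limit" 'BEGIN { exit !(l > t) }'
}

# Changed login details: compare a saved copy of /etc/passwd or /etc/shadow
# ($1) with the current file ($2); return 0 if they differ (new account, new
# password hash, changed shell). Keep the saved copy off the server.
logins_changed() {
    ! cmp -s "$1" "$2"
}

# Demonstration on constructed data (empty files, nothing malicious).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/web/uploads"
    : > "$tmp/web/index.php"
    : > "$tmp/web/uploads/photo.jpg"
    : > "$tmp/web/uploads/helper"; chmod u+x "$tmp/web/uploads/helper"
    echo "recently modified executable or PHP files:"
    recent_suspects "$tmp/web" 1
    printf '7.52 6.10 5.80 3/400 1234\n' > "$tmp/loadavg"
    load_too_high "$tmp/loadavg" && echo "load average is above threshold"
    rm -rf "$tmp"
}

demo
```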
Why do hackers want to hack my server?
When you suspect that your server has been hacked, you often ask yourself why hackers are targeting it. Even if you are a private person operating a relatively inconspicuous or small server with little on it, taking it over can be worthwhile for hackers. Here are some examples:
- stealing customer data often proves profitable
- for use in a botnet, a large number of small servers is highly effective
- sending spam from 'unknown' IP addresses is a good way to avoid blocklists
- the computing power can be put to use, e.g. for mining bitcoin
- an SEO hack, in which hidden links are placed on the hacked website, is seldom spotted; the linked website then gains importance with search engines
- data can be encrypted for ransom
What can be the reasons that my server got hacked?
- outdated and unpatched software is a huge security flaw
- weak passwords / not using SSH keys
- carelessly handing out one's own access data and root/administrator rights
- incorrect security settings
- downloading and installing software from untrusted sources
- compromise through malicious links in emails
What's next?
If your server has been hacked, it is important to act quickly and thoroughly in order to recover important data, avoid longer downtime and resume regular operations soon. This section gives an impression of how to secure your system again. Once your system has been infiltrated, only a few options are left, provided you still have access to it:
- changing login details
- updating your system
- searching for and deleting malicious scripts
- performing a virus and malware scan
- checking user accounts and deleting suspicious ones
These measures are no guarantee at all. It is sometimes impossible to ensure that a system is clean again after it has been hacked, so you may have to reinstall your entire system to ensure it is free from any malicious software and to prevent it from being infected, and therefore hacked, again.
Regular backups are a great help. If you want to learn more about backups, we have you covered with this article.
After a reinstallation, the original state of the system can easily be recreated from a recent backup. In that case you should also change the passwords of the user accounts, since the attacker might have them as well.
However, it is always necessary to act quickly. The more time is lost, the easier it is for the attacker and the malware to take over your system; crypto viruses, for example, need time to encrypt the complete system. Booting your server into a live system is normally a good idea.
Using such a live system you can investigate your server without risk and delete malicious scripts. Furthermore, you can back up your files and folders. Always make sure that these are definitely not infected; otherwise you might infect further systems as well.
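As an added example, not from the original article, for the account check and the live-system advice above, this script lists accounts with UID 0, accounts with a login shell, and every SSH key found in the users' authorized_keys files. The sample passwd file and the keys are constructed placeholders, and the /mnt paths mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: review user accounts and SSH
# keys as part of the steps above. The functions read files passed as
# arguments, so they can be run against a disk mounted from a live system
# (e.g. /mnt/etc/passwd, /mnt/home) where the attacker's tools cannot interfere.

# Accounts with UID 0 other than root: any hit is a backdoor until proven otherwise.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can log in interactively (shell is not nologin/false), with
# their shell. Compare this with the accounts you know you created.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# One line per public key that grants SSH access under the home root $1:
# user, key type, key comment. Option prefixes (from=..., no-pty, ...) are
# skipped. An unknown key means the attacker holds the matching private key,
# so changing passwords alone does not lock them out.
authorized_keys_report() {
    for f in "$1"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        awk -v u="$user" '!/^[[:space:]]*#/ && NF >= 2 {
            t = $1; c = $3
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) { t = $2; c = $4 }
            print u, t, c }' "$f"
    done
}

# Constructed sample data in $1 (keys are placeholders, not real keys).
make_sample() {
    mkdir -p "$1/home/alice/.ssh" "$1/home/www-data"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/passwd"
    printf 'www-data:x:33:33::/var/www:/usr/sbin/nologin\n' >> "$1/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/bash\n' >> "$1/passwd"
    printf 'sysadm:x:0:0::/tmp:/bin/sh\n' >> "$1/passwd"
    printf 'ssh-ed25519 AAAAPLACEHOLDER1 alice@laptop\n' > "$1/home/alice/.ssh/authorized_keys"
    printf 'no-pty ssh-rsa AAAAPLACEHOLDER2 unknown\n' >> "$1/home/alice/.ssh/authorized_keys"
}

tmp=$(mktemp -d); make_sample "$tmp"
echo "extra UID 0 accounts:"; extra_uid0 "$tmp/passwd"
echo "accounts with a login shell:"; login_accounts "$tmp/passwd"
echo "SSH keys:"; authorized_keys_report "$tmp/home"
rm -rf "$tmp"
```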
How do I protect myself against an attack?
- All software should be checked for updates regularly. Outdated WordPress themes and EOL (end of life) software such as PHP 5.6 or Ubuntu 14 no longer receive security updates and provide an easy target. Not every piece of software notifies you about updates; you have to check for updates proactively.
- A strong password is always a good defense against unauthorized access. All access points of your server, including (web) panels, should be secured with a randomly generated password. A secure password contains lower-case and capital letters, numbers and special characters.
- SSH/RDP access should be limited as far as possible. This includes the following measures:
  - changing the SSH/RDP ports
  - using two-factor authentication, e.g. via Google Authenticator
  - using SSH keys instead of passwords (password authentication should be disabled accordingly)
  - disabling root login
  - explicitly allowing users
- Anti-brute-force software can prevent your password from being guessed. Fail2ban is an important representative and is available for numerous Linux systems as well as for macOS. WHM/cPanel ships with cPHulk brute force protection, which only has to be activated.
- The firewall rules should be as strict as possible. Only the required ports should be open; access to all other ports should be closed.
- To avoid an infection with malware and viruses, antivirus or anti-malware software can be beneficial:
  - Blazescan is a decent option for Linux-based operating systems, as is Linux Malware Detect (short: LMD or maldet).
- Although backups do not actively protect against attacks, they are indispensable. Provided regular backups are performed, the pre-infection state can easily be restored.
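The script below is an added example, not from the original article, that audits an sshd_config file against the SSH measures listed above: a non-default port, root login disabled, password authentication disabled, and an explicit AllowUsers list. The two sample configs are constructed; the defaults assumed for missing keywords (Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes) are those of current OpenSSH releases.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file
# against the SSH measures listed above (port, root login, key-only
# authentication, explicitly allowed users). audit_sshd prints one line per
# weak setting and returns 1 if any was found, so it can run before
# "sshd -t" and a reload of the service.

# First effective value of keyword $2 in config $1. sshd uses the first
# occurrence of a keyword, and lines after a "Match" block only apply
# conditionally, so both rules are mirrored here.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        tolower($1) == "match" { exit }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Missing keywords are filled in with the OpenSSH defaults (assumption).
audit_sshd() {
    cfg=$1; bad=0
    v=$(sshd_value "$cfg" Port); [ -n "$v" ] || v=22
    [ "$v" != 22 ] || { echo "Port: default 22 (a different port only cuts noise; keep the checks below)"; bad=1; }
    v=$(sshd_value "$cfg" PermitRootLogin); [ -n "$v" ] || v=prohibit-password
    [ "$v" = no ] || { echo "PermitRootLogin: $v (set to no; use a normal user plus sudo)"; bad=1; }
    v=$(sshd_value "$cfg" PasswordAuthentication); [ -n "$v" ] || v=yes
    [ "$v" = no ] || { echo "PasswordAuthentication: $v (install your SSH key first, then set to no)"; bad=1; }
    v=$(sshd_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers: unset (list the accounts that may log in)"; bad=1; }
    return "$bad"
}

# Demonstration on two constructed configs: a default-like one and a hardened one.
tmp=$(mktemp -d)
printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$tmp/weak"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers alice deploy\nMatch User deploy\n    PasswordAuthentication yes\n' > "$tmp/hardened"
echo "weak config:"; audit_sshd "$tmp/weak" || echo "-> findings above"
echo "hardened config:"; audit_sshd "$tmp/hardened" && echo "-> no findings"
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config; after fixing the findings, validate the file with sshd -t before reloading, so a typo does not lock you out.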
Conclusion
In conclusion, server security is a critical aspect of safeguarding your digital assets and protecting your business or personal data from cyber attacks. While a hacked server is alarming, it is essential to remain calm and take immediate action. By following the steps outlined in this article, such as conducting a thorough investigation, mitigating the damage and notifying the relevant parties, you can effectively manage the aftermath of a server hack.
However, the best defense against server hacks is prevention. Strong security measures, such as robust authentication methods and regular updates of software and patches, significantly reduce the risk of a successful hacking attempt. Educating users about safe online practices, applying the principle of least privilege and keeping backups of critical data provide an additional layer of protection.
Remember, server security is an ongoing process that requires vigilance, regular monitoring and timely updates. Stay informed about the latest threats and vulnerabilities and adapt your security measures accordingly. By prioritizing server security and taking proactive steps to prevent, detect and respond to hacking attempts, you minimize the risks and keep your server from falling prey to malicious activity, preserving the confidentiality, integrity and availability of your data.