What do I do if my VDS/machine is compromised?

Edge100x
Founder
Joined: Thu Apr 18, 2002 11:04 pm


Post by Edge100x »

If we notice a DoS attack from your VDS or dedicated machine, it is very likely that it has been compromised, and we'll post you a link to this article.

The most commonly exploited vector for compromising a machine is webhosting. If you are running a website from your service here, it is very possible that one of the applications that you are running had a security hole that an attacker (manually or in an automated fashion) exploited to load their own backdoor software. Take a look at your various publicly accessible folders and see if you can find a file that is out of place there -- a seemingly benign PHP file, such as an "s.php" file, for instance, or something in a new folder that you didn't create. If you find this evidence, and you were running the webserver as an unprivileged user (not as Administrator or root), then you may be able to simply:
  1. Disable your webhosting bits
  2. Reinstall the webserver from scratch
  3. Install all of your web-based applications, using the very latest versions, and choosing different passwords
  4. Notify any users of your sites that your databases may have been compromised, and let them know that any information that they had stored may now be known to the attacker
  5. Make sure that all of the available OS updates are applied
  6. Check your server for malware using an anti-virus tool
If you don't find such a file (or don't run a webserver), and you don't see other obvious signs of a break-in, you'll have to assume the worst: that the machine has been entirely compromised. This could have been done through an exploit in the OS, by guessing your password, or by malware loaded onto the machine of an administrator, for instance. In this case, you should do a similar set of steps, but for the entire OS:
  1. On your personal machine, and the machines of any other admins,
    1. Update the OS
    2. Check for malware, and potentially reinstall the OS if there is an infection
    3. Change all passwords
  2. Back up any irreplaceable documents or settings on the VDS/dedicated machine
  3. Completely wipe and reinstall the OS, and make sure that it is running the latest updates
  4. Reinstall your applications, using only the very latest versions, and choosing different passwords
  5. Notify users of any services on your machine that it may have been compromised, and let them know that any information that they had stored may now be known to the attacker