Working with a compromised VPS
An exploited or hacked VPS is one that is no longer fully under your control. Someone else is now partially controlling your VPS and using it for their own purposes. Here are some common reasons attackers exploit a VPS:
- To send out spam email;
- To launch attacks against other servers (thus, consuming your CPU, memory, and bandwidth resources);
- To install a phishing website on your VPS to gain access to sensitive information.
1. Background
There are two primary ways a VPS may be compromised:
- The hacker has guessed the password of a user on the VPS. This may be an email, FTP, or SSH user;
- The hacker has gained access through a security hole in a web application (or its add-ons/plugins) such as WordPress, Joomla, or Drupal.
2. How do I know if my service has been exploited?
Often, customers do not notice that they have been compromised until they are contacted by the CookieVPS Abuse Department. To prevent any delay in learning about a breach, you must periodically check your VPS log files.
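As an added example (not part of the original article), the following POSIX shell functions show the kind of periodic log check meant above: they scan OpenSSH authentication log lines for repeated failed password attempts per source IP, and for a successful login coming from an IP that had previously failed, which is the pattern of a guessed password. The log lines are constructed sample data, and the function names are our own.

```shell
#!/bin/sh
# Constructed sample of OpenSSH auth.log lines (documentation-range IPs, not a real host).
SAMPLE_LOG='Mar  3 10:01:12 vps sshd[2101]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:15 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Mar  3 10:01:19 vps sshd[2105]: Failed password for root from 203.0.113.10 port 51247 ssh2
Mar  3 10:02:01 vps sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:40 vps sshd[2114]: Failed password for root from 203.0.113.10 port 51260 ssh2
Mar  3 10:03:05 vps sshd[2120]: Accepted password for root from 203.0.113.10 port 51270 ssh2
Mar  3 10:05:00 vps sshd[2130]: Failed password for ubuntu from 192.0.2.55 port 2222 ssh2'

# failed_logins_per_ip LOGTEXT THRESHOLD
# Prints "count ip" for every source IP with at least THRESHOLD failed password attempts,
# highest count first. A long list of failures from one IP is a brute-force attempt.
failed_logins_per_ip() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }' | sort -rn
}

# successful_after_failures LOGTEXT
# Prints "user ip" for each accepted login whose source IP earlier produced failed
# password attempts: a guess that finally worked, which is what section 1 describes.
successful_after_failures() {
    printf '%s\n' "$1" | awk '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") seen[$(i+1)] = 1
        }
        /Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (ip in seen) print user, ip
        }'
}

# Run against the embedded sample with a threshold of 3 failures.
failed_logins_per_ip "$SAMPLE_LOG" 3
successful_after_failures "$SAMPLE_LOG"
```

On a live VPS, feed the functions the real log instead of the sample, for example `failed_logins_per_ip "$(cat /var/log/auth.log)" 10` on Debian/Ubuntu or `/var/log/secure` on CentOS.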
3. What steps can I take to prevent my service from being hacked?
A. Use Strong Passwords:
Be sure to use strong passwords. This includes passwords for the Client Area, the VPS, and any of your control panels. The stronger the password, the better protected your service will be. GRC (Gibson Research Corporation) provides a free tool, and Comparitech offers another free tool, that will generate strong passwords for you mixing lowercase letters, uppercase letters, digits, and symbols. Useful information can be found in this CloudWards article.
B. Use Secure Protocols:
When connecting to your services, it is best to use secure connections whenever possible. This includes SSL/TLS connections for email, and using SFTP instead of the more common FTP protocol.
C. Maintain Regular Backups:
Be sure to back up your data on a regular basis. If a domain, or your entire service, becomes compromised, it may go unnoticed for a while. You would not want to restore a compromised backup. You always want to restore from the last known clean backup.
D. Harden Your PHP Settings:
Just making a few changes to your php.ini file can greatly increase the security of your service. Here are a few settings we recommend:
- Enable Safe Mode;
- Disable allow_url_fopen;
- Increase PHP security with PHPSecInfo.
E. Working with Third-Party Applications:
When you are working with third-party software such as WordPress, Drupal, or Joomla, please consider the following points. This is especially important with applications that rely on plug-ins for extended functionality:
- Be careful with what third-party tools you choose to use. Pick software that is known to have a reliable reputation for security. Consider using software packages that have frequent updates to patch security holes;
- Be sure to update your software regularly. Subscribe to the RSS feeds of any applications you use. This is a fantastic, effortless way to stay aware of any new updates that you may need to stay secure.
4. I've been hacked. What can I do?
Back up your domains and service, but please remember that this backup will probably contain compromised scripts. You do not want to restore directly from this backup.
How to back up and restore a MySQL database:
- Take your website offline temporarily, or until you know you have resolved the issue. Alternatively, consider displaying an "Under Construction" page. This should be done to prevent any hacked pages from being served to your customers;
- Start performing a damage assessment. What is the scope of the problem? Is only one domain affected? Are other domains on your service affected also?
- Start the recovery process. The best thing you can do is to reinstall your environment from a known clean source;
- Finally, take the steps to restore your websites.
Useful Links
Join and contribute to online communities that are dedicated to helping fight badware/phishing. Here are a few examples:
- www.cloudwards.net/how-to-set-up-a-strong-password (CookieVPS recommends this article)
Article source: Media Temple (MT)