My server has been hacked. What to do ?

In case of a violation of the server by a third party, the administrator receives an update from the data center or from other administrators who were disturbed by the offending action of his server.

How do I know that I have been the victim of an attack?

Many administrators notice that they try to run system commands like Is or Netstat and a segmentation fault appears, or they need to press enter twice to make their application requests, for example.

The above are the first signs that someone can understand that their server is not under their full control and it is most likely that they have fallen victim to a breach.

In most cases, the breach is done with the purpose of sending spam emails through your server, attacking other servers using memory, CPU and bandwidth, or even installing a phishing website in order to gain access to personal data.

What can I do now?

1. Immediately stop the tasks the server is running.

2. Deactivate your sites (it would be good to upload a "under maintenance" page).

3. Save a backup of your sites.

4. Check for non-root user accounts in /etc/passwd with UID 0.

5. Check if there are other accounts you don't know like r00t or hax0r or some service name with some of its characters changed.

6. Open the users .bash_history to check for suspicious commands they have executed.

7. Check the processes already running on your system, using ps top or for ports that are open (usually more than 1024), with the help of Netstat.

8. Check if there are other SSHDs on different doors.

9. Check the log files for who and when accessed the SSH service, the mail service, and even who last connected to the server.

10. Check for rootkits.

How did they get access to my server?

It is most likely that the offender has intercepted passwords through an application such as an FTP client or exploited a weakness in the system.

How can I protect myself?

1. Use strong passwords for every service (alphanumeric and symbols). If possible, don't store them and change them as often as you can. Create strong passwords with Top.Pass, Top.Host's free tool.

2. You use security mechanisms such as antivirus and firewalls.

3. Keep backups.

4. Keep your system operating system up to date.

5. Don't use pirated software.

6. Keep your apps, themes and plugins up to date.

Finally, after doing the above you should keep a close eye on your server as the attacker will try to regain access.