Server Compromised. NOW WHAT?

Is your server really hacked?

Before you panic, make certain that the strange behaviour or unexpected entry you have noticed on your server was actually caused by an external attacker and not by a technical glitch or human error. When a server is managed by more than one technician, someone checking it for integrity may find it disturbed and suspect an attack, when all that really happened is that a colleague ran a wrong query. If you cannot tell, get help from a third party such as Tech Skeech to confirm it one way or the other.

If you are sure that there has been unwanted activity on your server from an external source, then it is official: you have been hacked. The question now is what to do. The first thing to understand is that this can happen to anyone. That does not excuse poor security, but even the most secure servers on the planet have been hacked. Secondly, realise that there is no 5-minute or 15-minute fix. If you want to keep your server and the reputation attached to it, you will have to work through a few steps, and they may take a while.

First step

Take the server offline for the time being. You don't want your clients or their users reaching a compromised system: that hurts you, and it hurts them by exposing them to a system under someone else's control, where their data can be tampered with or stolen. You don't necessarily have to take the whole system down. If you can pinpoint the affected part or application, take just that offline and keep the rest of the services running. Don't bring the affected server fully back online until you are sure everything is back in order and there is no unwanted software left on the system.

For the part of the server that is down, you can show a "server offline for maintenance" message, or you can tell the truth: that you suspect a compromise and are taking precautions. The honest message is not always recommended, because it can also signal that your security is not solid enough to defend your servers. Although no security is impossible to get around, clients may still lose trust in your setup, and you may even lose some of them. So the maintenance message is the usual recommendation. Whichever message you display, the important thing is that you take the affected service offline temporarily. And if there is a chance that someone other than yourself has been directly affected by the attack, you must inform them; depending on where you operate, breach-notification rules may require it.

Next, analyse and assess the damage. Find the most recent configuration backup of your server that you know to be stable and secure, and be sure the server was not already under an attack you were unaware of when that backup was taken. Then compare the backup against the current configuration and identify the affected parts of your system. Do the comparison with tools you trust (copies from the backup, or a separate clean machine or boot medium), not the binaries on the compromised host, since an attacker who has had access may have tampered with them. This helps you contain the problem, and if the malicious code is still active you should deal with it immediately.
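As an added illustration of this comparison step (example code written for this page, not Tech Skeech's own tooling), the Python script below builds a file manifest (SHA-256 digest plus permission bits) for a known-good backup tree and for the live tree, then reports what was added, removed, modified, or had its permissions changed, and separately flags setuid files. The two directory trees it compares are constructed inside a temporary directory so that it runs offline; in a real incident you would point build_manifest at your backup and live paths instead. The file names and "attacker changes" in build_sample are made up for the demonstration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk a directory tree and record, for every regular file, its SHA-256
    digest and permission bits, keyed by the path relative to the root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        manifest[path.relative_to(root).as_posix()] = (digest, mode)
    return manifest


def compare(backup, live):
    """Compare a known-good manifest against the live one and group the
    differences the way an incident responder wants to read them."""
    common = set(backup) & set(live)
    return {
        # files that exist only on the live host: dropped web shells, cron jobs, etc.
        "added": sorted(set(live) - set(backup)),
        # files that disappeared: deleted logs, removed security tooling, etc.
        "removed": sorted(set(backup) - set(live)),
        # same path, different content: backdoored scripts, edited configs
        "modified": sorted(p for p in common if backup[p][0] != live[p][0]),
        # same content, different permission bits: e.g. a newly set setuid bit
        "mode_changed": sorted(p for p in common if backup[p][1] != live[p][1]),
    }


def setuid_files(manifest):
    """Files carrying the setuid bit, a classic privilege-escalation leftover."""
    return sorted(p for p, (_, mode) in manifest.items() if mode & stat.S_ISUID)


def build_sample():
    """Constructed sample data: a 'backup' tree and a 'live' tree in a temp
    directory. The live tree is then altered the way a web compromise often is."""
    base = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    backup, live = base / "backup", base / "live"
    files = {
        "app/config.php": "db_host=localhost\n",
        "app/index.php": "<?php echo 'hello'; ?>\n",
        "uploads/readme.txt": "user uploads go here\n",
    }
    for root in (backup, live):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    # Simulated attacker changes on the live host (constructed, not real samples).
    (live / "app/index.php").write_text("<?php /* injected */ echo 'hello'; ?>\n")
    (live / "uploads/shell.php").write_text("<?php /* dropped file */ ?>\n")
    (live / "uploads/readme.txt").unlink()
    (live / "app/config.php").chmod(0o4755)
    return backup, live


def run_demo():
    """Build the sample trees and return the comparison report."""
    backup, live = build_sample()
    live_manifest = build_manifest(live)
    report = compare(build_manifest(backup), live_manifest)
    report["setuid"] = setuid_files(live_manifest)
    return report


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:13}: {paths}")
```

Two caveats when using this for real. First, a manifest can only tell you that a file was added, not whether it is malicious, so every entry under "added" and "modified" still needs a human look. Second, legitimate deployments also change files, so compare against the backup taken just before the suspected compromise, or you will drown the real findings in noise.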

After identifying the affected part of your server, work out what kind of attack was carried out and, more importantly, how it was carried out: which loophole was exploited. If you don't know how you were hacked, your chances of closing that loophole are zero. You need to know the method used against your system in order to prevent it from happening again.

Once you have identified the attack, move on to cleaning the system. All passwords should be changed, obviously: not only those that were affected, but the passwords of every user associated with the server, along with any keys or tokens stored on it. Do this after the exploited vulnerability has been fixed and the unwanted software removed, otherwise the attacker can simply collect the new credentials the same way. Then tighten the security of your server generally. It is not necessarily your fault that you were attacked the first time, but if you are successfully attacked a second time, in the same way, then it definitely is. Another very important step is to report the attack to the appropriate authorities. This helps prevent the same attack on other servers and might even lead back to the attacker.

Lastly, if you are not sure about any of the steps above, don't worry. We'll guide you through all of it.

