Compromised Servers – A Broad Overview

Hacking:

According to the Cambridge Dictionary, hacking is 'the activity of illegally using a computer to access information stored on another computer system or to spread a computer virus'. A hacked server, therefore, is a server that has been compromised. Hackers are becoming increasingly sophisticated and their attacks harder to detect than a few years ago, even as online security itself becomes more sophisticated and comprehensive in its approach to preventing hacking.

How?

Potentially, all electronic devices can be hacked in the sense that they can be used in unlawful activities. The more complex the system, the more security measures will need to be put in place to prohibit unauthorised access. Below is a list of ways in which hackers can gain access to a system, in particular a web server. Placing your server in a public domain will attract welcome and unwelcome visitors. The process of securing your server can be compared to locking your front door and installing a security system in real life. Being aware of the methods unwelcome visitors use to try to access your server will help you to secure it. Below is a list of common exploits; you can click on the links to learn more about them on Wikipedia.

What?

Which areas are being targeted by hackers, and which are the main areas to focus on? Remember that a chain is only as strong as its weakest link. All of the software components below form an enforced barrier around your core business activities. Once again, you can follow the links to learn more from a security perspective.

  • Passwords
  • FTP
  • Cpanel
  • MySQL
  • PHP
  • WordPress
  • Email
  • Payment gateways
  • Crypto Miner
  • Phishing websites
  • Phishing emails

Symptoms:

So I have not been able to secure my server, or I suspect that something is wrong: what are the symptoms of a possible hack? The first line of defence is to check your server performance on a regular basis and to be familiar with its normal operating parameters. Here, historical data such as CPU usage, memory usage and bandwidth usage can be invaluable. Most of these statistics are available free as part of your hosting package and can be viewed as graphs. (You can also open a ticket with your friendly hosting provider if you think your server has been compromised.) Below is the list of symptoms, each from a security perspective.

  • A large number of TCP/IP connections
  • Unable to log into WordPress
  • Seeing strange code in WordPress or Apache files
  • Suspicious entries when looking at the security logs
  • High CPU usage or Apache process count
  • Long-running SQL queries or join statements
  • Cannot send or receive emails
  • Strange links on your website or in its code
  • Out of bandwidth

Precautions:

What more can I do to secure my server? Below is a list of software that you can install on top of your current configuration. If you are not technically inclined, it is better to get professional help, as there are other risks that may cause your attractive website to crash. For those who are brave enough (or not so brave), you can have a look at the details:

Getting more technical:

The tools below can be used by those brave enough to delve deep into the operating system, if you have access to a Linux-based hosted server. These options are not available if you are using Cpanel, Joomla or WordPress. The commands below will usually be used by the technical support division at your hosting company or by a tech-savvy reseller. Using these commands on a live website could have adverse effects, so my advice is to use them in an isolated environment until you know how to use them; their detailed use is beyond the scope of this article. I have, however, included some real-life examples of the logs below to give you an idea of the kind of information that can be gained from them.

Commands:

  • who
  • lastlog
  • top
  • iptables
  • netstat
  • tcpdump

Log files:

/var/log/messages

Dec 16 02:55:01 systemd: Started Session 893076 of user pinguzo.

Dec 16 02:55:02 systemd: Started Session 893077 of user munin.

Dec 16 02:55:02 systemd: Started Session 893081 of user root.

Dec 16 02:55:02 systemd: Started Session 893082 of user root.

Dec 16 02:55:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1x:4xx2:xx:c2:2d:xx:ex:3x:98:10:01:08:00 SRC=000.000.000.000 DST=111.111.111.111 LEN=40 TOS=0x08 PREC=0x00 TTL=243 ID=25160 DF PROTO=TCP SPT=3082 DPT=7547 WINDOW=14600 RES=0x00 SYN URGP=0

/var/log/secure

Dec 16 02:56:09 sshd[24765]: refused connect from 000.000.000.000 (000.000.000.000)

Dec 16 03:29:07 sshd[8425]: refused connect from 000.000.000.000 (000.000.000.000)

Dec 16 03:30:02 sshd[8675]: refused connect from 000.000.000.000 (000.000.000.000)

Dec 16 03:48:53 atd[18157]: pam_unix(atd:session): session opened for user root by (uid=0)
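To show how the two logs above can be read mechanically rather than by eye, here is an added Python example (not part of the original article or of HOSTAFRICA's tooling). It counts refused SSH connects per source address from /var/log/secure, blocked inbound ports per source from the firewall lines in /var/log/messages, and root sessions opened by atd; the sample lines, addresses and thresholds are constructed assumptions in the same format as the excerpts above.

```python
import re
from collections import Counter

# Constructed sample lines in the same formats as the log excerpts above
# (documentation-range addresses, not real hosts).
SAMPLE_SECURE = """\
Dec 16 02:56:09 sshd[24765]: refused connect from 203.0.113.5 (203.0.113.5)
Dec 16 03:29:07 sshd[8425]: refused connect from 203.0.113.5 (203.0.113.5)
Dec 16 03:30:02 sshd[8675]: refused connect from 203.0.113.5 (203.0.113.5)
Dec 16 03:31:11 sshd[8690]: refused connect from 198.51.100.7 (198.51.100.7)
Dec 16 03:48:53 atd[18157]: pam_unix(atd:session): session opened for user root by (uid=0)
"""

SAMPLE_MESSAGES = """\
Dec 16 02:55:01 systemd: Started Session 893076 of user pinguzo.
Dec 16 02:55:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=3082 DPT=7547 SYN
Dec 16 02:55:21 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=3083 DPT=22 SYN
Dec 16 02:55:22 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=3084 DPT=23 SYN
"""

REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (\S+)")
BLOCKED_RE = re.compile(r"\*TCP_IN Blocked\*.*?SRC=(\S+).*?DPT=(\d+)")
ROOT_SESSION_RE = re.compile(r"session opened for user root by \(uid=(\d+)\)")


def summarise(secure_text, messages_text, threshold=3):
    """Return per-source counts plus a list of findings worth a closer look.
    threshold (assumed value) is the number of refused SSH connects from one
    source that is treated as noteworthy."""
    refused = Counter(REFUSED_RE.findall(secure_text))
    blocked = Counter()
    ports_by_src = {}
    for m in BLOCKED_RE.finditer(messages_text):
        src, dport = m.group(1), int(m.group(2))
        blocked[src] += 1
        ports_by_src.setdefault(src, set()).add(dport)
    root_sessions = len(ROOT_SESSION_RE.findall(secure_text))

    findings = []
    for src, n in refused.items():
        if n >= threshold:
            findings.append(f"{src}: {n} refused SSH connects")
    for src, ports in ports_by_src.items():
        if len(ports) >= 3:  # one source hitting several ports looks like a scan
            findings.append(f"{src}: firewall blocked probes to {len(ports)} ports")
    if root_sessions:
        findings.append(f"{root_sessions} root session(s) opened via atd; confirm they were scheduled")
    return {"refused": refused, "blocked": blocked, "findings": findings}


if __name__ == "__main__":
    for line in summarise(SAMPLE_SECURE, SAMPLE_MESSAGES)["findings"]:
        print(line)
```

On a live server you would feed the real files in (for example, `summarise(open("/var/log/secure").read(), open("/var/log/messages").read())`) and compare the counts against what you normally see.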
