2

I have inherited a Linux Apache CentOS plesk server which has been hacked, which has websites which are in production.

I have been advised by my friend to rebuild it from scratch, since the attack apparently is quite widespread and it is hard to detect what is breached apparently.

I have never rebuilt a server, and I did not set the server in the first place, so what I am asking is, if there is a recipe or an easy to follow checklist on how to achieve a rebuild and restore everything as it should be?

peterh
  • 4,914
  • 13
  • 29
  • 44
Daniel Higgins
  • 167
  • 1
  • 1
  • 5

3 Answers3

7

At this stage the normal response is "nuke it, reformat, and restore from backups".

There's tons of related questions here or on google, try searching around a bit.

edit: oh, and keep it off the network until its fixed. :)

Sirex
  • 5,447
  • 2
  • 32
  • 54
  • I'd change that to "restore from known-unhacked backups", restoring a system that has been hacked, from a backup done after the hack, is about as useful as not nuking and restoring in the first place. – Vatine Oct 12 '10 at 15:01
  • 1
    was assuming the backups wern't an image / system files. – Sirex Oct 12 '10 at 15:51
3

That advice is sound. Once someone gets in they frequently create multiple self-recreating backdoors and other goodies. There's no way to verify you ever got rid of them all other than starting over from scratch. I've experience it before and it's not fun.

chkconfig --list will show you what services are running. You'll want to look at 3 and maybe 5 to see if there's anything else important running on the server. There will be a lot of services running by default that you won't really need to worry about. For the important ones, keep a copy of the configuration files for reference, but don't copy them to the new server. Maybe printing them out is the way to go. You'll need to verify and understand the settings to make sure they haven't been changed to anything harmful, but at least you'll have a starting point for what needs to be done.

For the data files (web pages), hopefully you can take them from a backup or source repository on a different server rather than having to copy them over from the hacked server. If you have to copy them you can try scanning them with antivirus software, then look for anything unusual and hope for the best.

Brad Mace
  • 1,006
  • 3
  • 17
  • 31
0

To help you set up a server next time, you should also have a look at automatic installation software.

The important thing is that it should be a complete installation and set up without any touch of a human hand until maybe restoring data from a backup and before allowing the server back on the net.

It will help you, and future admins, when restoring servers after different disasters, like hardware failures and hack incidents like this. I will also work as a good and up to date documentation of your servers software and configuration.

Anders
  • 167
  • 1
  • 8