-1

Possible Duplicate:
My server's been hacked EMERGENCY

I have put all security meaures and log monitoring tools. Now but i don't know what to do if find out the there is some rootkit on my system.

If i have live sites running on my system and i can't turn off the server as well. How can i remove the infection

Regarding backups should i do backups of whole linux system or just the public_html directory and database. because i am currently backing up only those folders.

I have VPS and my hosting company is taking the daily snapshots but what is the other way to be safe so that if i some rootkit infection then i can recover it.

Community
  • 1

3 Answers3

5

If your web server has a virus, the only safe thing to do is nuke in from outer space. That's right, put it onto the next space shuttle mission and make sure it's jettisoned far enough away from earth that we don't all get showered in EMP or fallout, and press the red button that makes it explode.

If that's unfeasable, too expensive, or you your local shopping centre has run out of nuclear bombs, then the only other way to make sure any virus is gone is to format the server. Your hosting provider may be able to assist you with this by setting up a 2nd VPS and giving you a month or so to move everything over before shutting down and deleting the current instance. Of course, if you just migrate everything over indescriminately from the old VPS to the new VPS then you'll likely bring the virus with you.

If you have customer data on there and there's a risk you're leaking that data or taking part in a botnet or a backdoor has been left in the system, then you have an obligation to your clients to do everything in your power, and simply scanning/removing any known virus isn't really enough because you just never know what they've left behind.

Regarding the backups, I would say you're doing the right thing, because you shouldn't have execute permissions on anything the public_html folder and the database is unlikely to be harbouring anything malicious.

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255
  • IF i get the new VPS and i need to make the all the websites running very soon which directory backups you think i need to do that so that all sites get running in least possible time. I mean all user accounts , apache setting , home directories , MX records , Canel whm setting –  Oct 08 '10 at 06:07
  • Good answer - except the bit about 'virus' - yes there's malware on Unix systems - but no virus in the wild since the Morris worm. – symcbean Oct 08 '10 at 12:10
  • @Master: the most common cause of system intrusions is insecure CGI code. Once an attacker finds a whole, they usually install further backdoros to get access - so by restoring your website you could well be restoring the route in to compromise the system. – symcbean Oct 08 '10 at 12:13
  • @symcbean , then what is the best way to restore bckups. how to find that websitecode is compromised , i mean what things to look foror how to scan that –  Oct 08 '10 at 13:19
  • @master: what symcbean is saying is that you most likely have a hole in your web code: be it cgi, php, perl or some bundled package, such as phpmyadmin, mysql, or other popular control panels/software tools. while restoring your data onto a clean system is a good thing, you should be looking for holes in your code that the attacker may have used to gain access to your system in the first place, or this will just happen all over again. there are other ways for attackers to gain access: bad passwords, plain ftp, unpached software (apache,mysql,phpmyadmin,control panels,drupal,wordpress,etc). – Cypher Oct 08 '10 at 18:00
1

I would suggest you keep backups of just your data: your site files and your database data. Keep those backups off the system. If you get infected or the server gets compromised, you can have your host "initialize" the server (reset to original state), you copy up your data and you are back online with a clean server.

I also suggest that you sweep your system and find out how you got infected/compromised in the first place and implement measures to prevent that from happening again.

Cypher
  • 1,079
  • 2
  • 17
  • 24
1

Backups, backups, backups. Sadly, there is no way to be sure that the rootkit is gone without formatting and restoring from backup. I would keep backups of the data directories of each of your services (webserver, so /home/*/public_html and /var/www; MySQL, probably /var/lib/mysql, read up on each service you use to find where the files are stored) and a backup of your configuration (/etc), and any local changes you've made to the system and home directories (/home/*, /usr/local/*) at bare minimum.

To further elaborate on potential rootkits, once they obtain root priviledges, it is possible for them to mask every sign that they exist on the infected system.

Darth Android
  • 545
  • 5
  • 12
  • -1: as commented elsewhere, most systems are compromised by bad website code. Having the bad website code on a tape ready to install on top of a clean machine is a very temporary fix. Usually rootkits are installed **after** the system has been compromised. – symcbean Oct 08 '10 at 12:15