Server hacks happen to even the most secure servers, and attackers find new security loopholes with each passing day. Full security is a myth, but we can take measures to handle a breach if we are targeted. Be realistic, understand in detail what has happened, and take action to manage the situation.
Ideamine will help you with a complete plan of action in case of a hack attempt. Our plan of action:
Limit network access: If only one site (domain) has been attacked, take that site offline. Otherwise, connect to the server via the console or iLO and bring down the network interface. Affected systems are not brought back online until they are completely recovered.
Update passwords: Update all passwords used on the compromised machine.
Investigate the breach: Figure out exactly how the compromise took place and track down the vulnerable area. Check the available server logs and bash history. Identify the files uploaded from the day you suspect the compromise began and analyze their intent. Fix the problem that caused the compromise.
Preventive measures: Keep a firewall in place, allow only the access the server requires and block everything else. Install a rootkit detection tool and scan the server. Clean up the server or site. If required, start from a fresh installation and transfer known-good content after making sure it is not infected.
Best practices we recommend:
Keep an eye on network usage patterns and bandwidth consumption. Establish a baseline metric and compare current usage against it with a monitoring tool. Dig deeper if you notice any anomalies.
Scan the ports and files held open by processes; if anything looks suspicious, track down the directory the process was started from.
Review the access logs to analyze the account logins and server access.
Check the system binaries for any sign of compromise. Use strings to analyze the contents of binaries. You may also check the integrity of the package to which the binary belongs.
Keep the OS updated with all available security patches.
Regularly audit all code uploaded to the server for vulnerabilities.
Keep all third-party plugins or themes used on your sites updated.
Monitor your server closely for further attacks.
Establish a strict security policy to be followed in all server-related tasks.
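Worked example for the log-review steps above (checking the server logs during the investigation and reviewing account logins as a best practice): an added Python script, not part of Ideamine's plan of action, that scans constructed sshd-style log lines and flags successful logins that follow a run of failures from the same source or that come from a source outside an assumed known-admin list.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth log lines (not taken from any real server).
SAMPLE_LOG = """\
Mar  3 02:11:04 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 02:11:06 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 02:11:09 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51015 ssh2
Mar  3 02:11:12 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar  3 02:11:15 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 02:11:19 web1 sshd[2110]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Mar  3 08:30:41 web1 sshd[2304]: Accepted publickey for deploy from 198.51.100.20 port 40210 ssh2
Mar  3 09:02:13 web1 sshd[2399]: Failed password for deploy from 198.51.100.20 port 40300 ssh2
Mar  3 09:02:20 web1 sshd[2399]: Accepted password for deploy from 198.51.100.20 port 40301 ssh2
"""

# Matches the "Accepted"/"Failed" authentication lines sshd writes to the auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(lines):
    """Yield one dict per recognised authentication event; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_suspicious_logins(lines, threshold=3, known_sources=()):
    """Return (timestamp, user, ip, method, reason) for each successful login worth a closer look.

    threshold: number of prior failures from the same source that makes a success suspicious.
    known_sources: optional allowlist of admin source IPs (an assumption for this example).
    """
    failures = defaultdict(int)   # failed attempts seen so far, per source IP
    findings = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        reasons = []
        if failures[ev["ip"]] >= threshold:
            reasons.append(f"{failures[ev['ip']]} failures before success")
        if known_sources and ev["ip"] not in known_sources:
            reasons.append("source not in known admin list")
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["ip"], ev["method"], "; ".join(reasons)))
    return findings
```

Run it over a real auth log by passing the file's lines instead of SAMPLE_LOG; every flagged entry is a login to corroborate against bash history and the files changed around that timestamp.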