We need a server security attack to be identified and cleaned
£25/hr(approx. $31/hr)
- Posted:
- Proposals: 2
- Remote
- #481457
- Awarded
Description
Experience Level: Expert
Estimated project duration: 1 day or less
We have received a report that our VPS server has been carrying out malicious network activity, including attacks on servers in Heart Internet's internal network.
More specifically, the server had made a huge number of connections to one of their load balancing servers, which caused a slowdown in general throughput for them.
We have been asked to investigate this, and reply with details of the measures that we have taken to:
1. identify the problem, and
2. ensure that this does not happen in the future.
The most immediate issue is to get some resolution so that emails can be re-enabled across the 6/7 sites that are hosted on this server.
Please respond with a summary of what you will do systematically to identify the issue, resolve it, and then secure it so that the previous vulnerability is removed.
Additional Info
Heart Internet have advised about the problem:
Most often, this is due to a compromised website. The most common means by which sites are compromised is through vulnerabilities in their own code; you should ensure that all sites on your server are kept up-to-date, including the latest patches to core CMS software, modules, themes and plugins.
In the case of a site that has already been compromised, patching and updating is not sufficient; the site must be secured.
Simply deleting the files that have been uploaded is not sufficient either; a typical compromise involves making numerous modifications to a site, which are difficult or impossible to detect.
The only way to ensure that a site is secure (without involvement from an IT security professional) is to:
- Remove all the site's files (both inside and outside public_html or the equivalent)
- Inspect the database contents for signs of tampering
- Change all passwords associated with the account (db, logins, mailboxes)
- Upload a clean copy of the CMS or a known clean backup (bear in mind that compromises are often carried out and left 'quiet' for weeks or months before being used)
- Immediately update all code to the latest release, ensuring that if any custom code is used, the developer has fully diagnosed the issue and patched appropriately
- Then, and only then, re-enable the site.
Occasionally, sites are compromised through other sites on the server, so it's worth checking any other sites on this server for any sign of compromise.
This may also be the result of your server being compromised. You should immediately run a scan for rootkits and other malware, and inspect your server for any unusual activity, logins or abnormal behaviour.
As all our server products are sold unmanaged, we are unable to offer hands-on support for your server; however, if you require further security advice, please reply to this ticket and we'll be happy to help.
If you are unable to secure this server on your own, you may wish to engage the services of a suitably qualified IT professional.
Please note that if we continue to receive reports that this server is hosting compromised sites and you are unable to secure them, we may require you to rebuild your server, and we may be forced to suspend services until this has been completed.
Obviously, this is an absolute last resort for us, so your prompt attention to this matter is appreciated.
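One way to start the "identify the problem" step from the description above, as an added example that is not part of the posting or of Heart Internet's advice: a small Python parser over `ss -tnp` output that groups established TCP connections by destination and owning process, so the worker behind a connection flood like the one reported can be traced back to a site. The `ss` output lines, IP addresses, process names and PIDs below are constructed sample data; on a real server run `ss -tnp` as root so the process column is populated.

```python
import re
from collections import Counter

# One ESTAB line from `ss -tnp` (Linux). We need the Peer Address:Port column
# and the optional users:(("name",pid=N,fd=M)) column.
SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?'
)

def parse_ss(output):
    """Yield (peer_ip, process_name, pid) for each established connection."""
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or a non-ESTAB state
        peer_ip = m.group("peer").rsplit(":", 1)[0]
        # Process info is absent when ss was not run as root.
        yield peer_ip, m.group("proc") or "?", m.group("pid") or "?"

def find_floods(output, threshold=50):
    """Map peer_ip -> Counter{(proc, pid): n} for peers with >= threshold connections."""
    per_peer = {}
    for peer_ip, proc, pid in parse_ss(output):
        per_peer.setdefault(peer_ip, Counter())[(proc, pid)] += 1
    return {ip: owners for ip, owners in per_peer.items()
            if sum(owners.values()) >= threshold}

# Constructed sample: 60 connections from one php-fpm worker to a single host
# (the pattern in the abuse report) plus a few ordinary connections.
SAMPLE = "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
SAMPLE += "".join(
    f'ESTAB 0 0 10.0.0.5:{44000 + i} 198.51.100.20:80 users:(("php-fpm",pid=2314,fd={10 + i}))\n'
    for i in range(60))
SAMPLE += 'ESTAB 0 0 10.0.0.5:22 203.0.113.7:51522 users:(("sshd",pid=901,fd=4))\n'
SAMPLE += 'ESTAB 0 0 10.0.0.5:443 203.0.113.9:40210 users:(("nginx",pid=1120,fd=8))\n'
SAMPLE += 'ESTAB 0 0 10.0.0.5:44200 198.51.100.21:80\n'  # no process column

if __name__ == "__main__":
    for ip, owners in find_floods(SAMPLE).items():
        print(f"{ip}: {sum(owners.values())} connections")
        for (proc, pid), n in owners.most_common():
            print(f"  {n:4d} from {proc} (pid {pid})")
```

Once a PID is known, `ls -l /proc/<pid>/cwd` (as root) shows which site's document root the worker is serving from, which narrows the cleanup to that site.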
Jerry F.
- Rating: 100% (35)
- Projects Completed: 48
- Freelancers worked with: 33
- Projects awarded: 42%
- Last project: 10 Nov 2020
- Location: United Kingdom