
Intruder Detection Checklist

If you suspect that your server has been hacked, you need to investigate the incident and make sure that the server is clean. If it has indeed been hacked, we recommend completely wiping the server and rebuilding it. Nothing is worse than having a backdoor wide open and someone you don't know spying on you or using your server for illegal activities.

   

What should you do if you suspect your server has been hacked? Here is a quick checklist of steps you can take to find out what is going on.

Look for signs that your system has been compromised

1) Examine all necessary log files
2) Check the system binaries
3) Examine any files run by 'cron' and 'at' jobs
4) Look for setuid and setgid Files
5) Check for packet sniffers on the server
6) Check for unauthorized services
7) Check system and network configuration
8) Examine /etc/passwd file
9) Look everywhere on the server for unusual or hidden files
10) Check with your server provider or data center to find out if they have noticed similar unusual activities

Check all your system binaries to make sure that the attacker has not altered them. We have seen intruders change programs on UNIX/Linux systems and make them look legit. Files to inspect: login, su, telnet, netstat, find, ifconfig, ls, df, du, libc, sync, and any binaries referenced in /etc/inetd.conf. Also check other critical network and system programs and any shared object libraries on the server.

Compare the versions on your server with known good copies, such as those from your initial installation media or from a comparable machine that is known to be clean. You can also use this website to get the hash values of good versions: http://www.knowngoods.org/
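
One way to script the comparison against known-good copies, together with the setuid/setgid search from item 4 of the checklist. This is an added example, not part of the original article; the manifest layout, the use of SHA-256, and the function names are assumptions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example. Run from trusted rescue media with the suspect disk mounted
# read-only at ROOT, so sha256sum and find are not the suspect system's copies.
# Manifest lines: "<sha256>  <absolute path>", taken from a known-clean machine.

# verify_against_manifest MANIFEST ROOT
# Prints "MISSING <path>" or "ALTERED <path>"; returns 1 if anything deviates.
verify_against_manifest() {
    manifest=$1; root=$2; status=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(sha256sum "$root$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "ALTERED $path"; status=1; }
    done < "$manifest"
    return $status
}

# list_setid ROOT: setuid/setgid regular files, printed relative to ROOT.
list_setid() {
    (cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's|^\.||' | sort)
}

# Constructed sample: scratch root with fake "binaries"; su is altered and made
# setuid after the manifest is taken, netstat is listed but absent.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'login-v1\n' > "$root/bin/login"
    printf 'su-v1\n' > "$root/bin/su"
    (cd "$root" && sha256sum bin/login bin/su | sed 's|  |  /|') > "$root/manifest"
    printf '%064d  /bin/netstat\n' 0 >> "$root/manifest"
    printf 'su-altered\n' > "$root/bin/su"
    chmod 4755 "$root/bin/su"
    echo "$root"
}

sample=$(make_sample)
verify_against_manifest "$sample/manifest" "$sample" || echo "binaries deviate from manifest"
list_setid "$sample"
rm -rf "$sample"
```

Compare the setuid/setgid listing against the same listing from a clean installation; files that appear only on the suspect system are the ones to examine.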

Be careful with trusting your backups. Intruders are known to hide their 'presents' in the backup assuming that you will restore your system from a 'good' backup.

Again - we recommend wiping out the system and reinstalling from scratch or an image. You will also have to check how the intruder got in. So, patch your system and all applications once the OS has been reinstalled.

The CERT Coordination Center has valuable information on its website. Make sure you spend some time there to get help:

http://www.cert.org

They also have a guide to recover from a compromised system. This guide can be found here:

http://www.cert.org/tech_tips/root_compromise.html

A good hacker will still beat you by using log cleaners and other tools. But this quick checklist is a beginning. If you cannot find the problem on the machine, you should consider hiring a security specialist to have your machine inspected beyond the steps described here.

Copyright Web Hosting Resource Kit



  © Copyright Web Host Industry Review, Inc.