This article gives only a brief overview of the security flaws found on servers and of the options available to you for analysing them.
Moreover, compromised server setups are too varied and complex for us to describe clear-cut ways of solving your problem.
If you have little experience in server administration, we recommend that you use analysis tools such as:
chkrootkit: http://www.chkrootkit.org/
Rootkit Hunter: http://www.rootkit.nl/projects/rootkit_hunter.html
Tip: we also recommend that you harden the SSH service on your Linux server; as a guide, see the following article from the STRATO FAQ: How can I install the SSH service on a Linux server even more securely?
Security vulnerabilities:
1. Installed software
The software and services installed on the server (qmail, Apache, FTP, MySQL, etc.) can contain security vulnerabilities. It is very easy for third parties to find out which software is installed on your server (example: nmap -A HOST shows the open ports and which software, in which version, is listening on each port). If a known vulnerability exists for that version, a break-in is then relatively easy.
Preventive measure: keep the software you use regularly updated.
2. Dynamic websites
In general, security holes are very often found on dynamic websites. Most content management systems, forums, blogs, boards, etc. (Joomla, Mambo, PostNuke, phpBB, TYPO3, WordPress, etc.) offer file upload functions.
Malicious files can therefore be smuggled onto the server through them. Security flaws can, however, also stem from poor programming of these dynamic systems. For the common content management systems, security vulnerabilities are detected and patches are offered quickly. This is why we recommend that you regularly update the systems you use.
3. PHP settings
Insecure PHP settings can also open security holes. This is especially true for the options register_globals and safe_mode.
If the PHP option register_globals is activated (ON), it is relatively easy for third parties to compromise the PHP code (variable manipulation, code injection). This is why we recommend setting this value to OFF.
The same applies to the PHP option safe_mode. If safe_mode is OFF, third parties can likewise compromise the server, so we recommend that you activate the safe_mode option as well. An even safer alternative is to run PHP as a separate program (suPHP) instead of as an Apache module.
What to do when the server is compromised?
You should first try to identify the malicious process. To do this, focus on the following points:
- Monitor traffic on the network card at regular intervals (tools: ifconfig, netstat). Unusually high traffic can be a clue;
- Check for unusual / unknown ports on which unusual / unknown programs are listening (for example with netstat -anp);
- List the processes and find and terminate unknown / unusual ones (for example with ps axf or ps -Aef). Note: always kill the parent process, since killing child processes alone often does not have the desired effect;
- Examine the extended file attributes (for example with lsattr). Malicious files / scripts may carry extended attributes, usually the i (immutable) attribute, which prevents these files from being deleted.
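As an added example (not part of the STRATO article), two small shell helpers for the second and fourth points above: one lists listening TCP sockets whose port is not on an allowlist, reading netstat -tlnp output, and the other lists files carrying the immutable (i) flag, reading lsattr -R output. The sample outputs embedded below are constructed; the functions assume the column layouts of GNU net-tools netstat and e2fsprogs lsattr.

```shell
#!/bin/sh
# Added triage helpers (not STRATO's own code). Both read command output
# on stdin, so they also work on real output, e.g.
#   netstat -tlnp | unexpected_listeners 22 80 443
#   lsattr -R /var/www /tmp 2>/dev/null | immutable_files
# Assumes GNU net-tools netstat and e2fsprogs lsattr output layouts.

# Print "port PID/program" for every listening TCP socket whose port is
# not among the allowed ports given as arguments.
unexpected_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]   # last field after ":" (IPv6 too)
            if (index(allow, " " port " ") == 0) print port, $7
        }'
}

# Print the path of every file whose lsattr flag field contains the
# immutable attribute "i". Directory headers ("./dir:") and blank lines
# from lsattr -R are skipped because their first field is not a flag field.
immutable_files() {
    awk '$1 ~ /^[-a-zA-Z]+$/ && $1 ~ /i/ { print substr($0, length($1) + 2) }'
}

# Constructed sample output in the layout of `netstat -tlnp`.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4213/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# Constructed sample output in the layout of `lsattr -R`.
LSATTR_SAMPLE='./var/www:
--------------e----- ./var/www/index.php
----i---------e----- ./var/www/.cache.php

./tmp:
----i---------e----- ./tmp/.x
-------------------- ./tmp/sess_abc'

echo "Listeners outside the allowlist (22 80 443):"
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners 22 80 443   # 6667 4213/httpd
echo "Files with the immutable attribute:"
printf '%s\n' "$LSATTR_SAMPLE" | immutable_files   # ./var/www/.cache.php and ./tmp/.x
```

Any port the script reports must be checked against what you deliberately installed; a listener on an odd port run by a process you do not recognise is exactly the kind of clue the list above describes.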