Hackers And You – Catching A Hacker And What To Do If Your Server Gets Hacked
Previously in our series on Hackers and You, we have looked at who hackers are, why they hack, how they go about hacking and what you can do to try to stop them. Unfortunately, even if armed with all the knowledge and defense in the world, a hacker could still get into your server. So this time we’ll be looking at how to catch a hacker and what to do if you are hacked.
Detecting a Hacker
The first thing to note about hackers is that they will try as hard as possible to avoid detection and to hide what they’ve done to the server. Hiding malicious activity can involve creating additional user accounts, compromising management software, deleting log entries and other sneaky acts.
Step 1: Log Files
You will need to save your log files somewhere outside of the server doing the logging. If you are running multiple servers, it’s fairly standard to use a centralized logging server in order to make browsing logs easier than logging into each individual server. The benefit is that if a hacker breaks into your server, you have evidence of what they have been up to on your server, and more importantly where the compromise originated. You cannot detect the breach if log files are also compromised.
Step 2: Intrusion Detection Software
The next thing is to install intrusion detection software (IDS). This software will monitor vital system files that a hacker will attempt to modify or replace, either to keep other hackers out or to secure a future access point to the server for themselves. The IDS will then either alert you to the changes being made or silently log them, depending on how you configure it.
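To make concrete what the file-monitoring part of an IDS does, here is an added example (written for this article, not code from any particular IDS product): it records a baseline of content hashes and permissions for a set of watched files while the system is known-good, then compares the live files against that baseline and reports what changed. The file names and contents in `demo()` are constructed stand-ins for real system files.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_fingerprint(path):
    """Content hash plus the metadata tampering usually touches (mode, owner, size)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def build_baseline(paths):
    """Snapshot of the watched files; take it on a known-good system and keep it off the box."""
    return {str(p): file_fingerprint(p) for p in paths if os.path.isfile(p)}

def check_against_baseline(baseline, paths):
    """Compare live files with the stored baseline; return sorted (path, reason) alerts."""
    current = build_baseline(paths)
    alerts = []
    for path, expected in baseline.items():
        actual = current.get(path)
        if actual is None:
            alerts.append((path, "removed"))
            continue
        for field in ("sha256", "mode", "uid", "size"):
            if actual[field] != expected[field]:
                alerts.append((path, f"{field} changed"))
    alerts.extend((path, "unexpected new file") for path in current if path not in baseline)
    return sorted(alerts)

def demo():
    """Constructed scenario (temp dir standing in for system directories): a daemon binary
    is replaced, a config file is made world-writable, and an unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sshd").write_bytes(b"original daemon")
        (d / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        os.chmod(d / "passwd", 0o644)
        watched = [d / "sshd", d / "passwd", d / "new_service"]
        baseline = build_baseline(watched)          # taken while the system is clean
        (d / "sshd").write_bytes(b"original daemon plus extra code")   # simulated tampering
        os.chmod(d / "passwd", 0o666)
        (d / "new_service").write_bytes(b"dropped file\n")
        return [(Path(p).name, why) for p, why in check_against_baseline(baseline, watched)]

if __name__ == "__main__":
    for name, why in demo():
        print(f"ALERT {name}: {why}")
```

In real use the baseline would be stored and compared off the monitored host, for the same reason the article gives for log files: an intruder with root can rewrite a baseline kept locally just as easily as the files it describes.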
Note that it is also important to keep backups of your server, again preferably on another system to prevent the hacker from easily tampering with them.
With any luck, between the intrusion detection software and good logging you should be able to catch your system being hacked without having to rely on users or third parties alerting you. This means that you can respond and clean up faster, possibly before your users even notice anything is amiss.
What do you do when you find your server has been hacked?
If you have been hacked, the first thing to do is not panic. There are tools that can help find and remove malware that a hacker may install on your server. Unfortunately, it’s not always guaranteed that tools will be able to fully remove the hack or close all backdoors that the attacker may have installed. It’s recommended that you take your own backups and start again with a clean slate on a new server, as it’s the only way to be absolutely sure that the hacker won’t get back in. Starting anew is also faster and easier than trying to disinfect a hacked system.
Building a great defense
It is important that you look through the logs you have on your logging server in order to find how the attacker compromised the original server. If you don’t know how the intruder got in, you can’t ensure that any replacement server won’t be compromised through the same route. Once you’ve identified the initial attack vector, you can then look to prevent it. If hackers used a bug in the software, you can look to see if there is a patch available. Similarly, if they have used an exposed service that didn’t need to be exposed, you can look at improving firewalling next time.
With that, we are nearing the conclusion of our series. In the next and final part, we’ll be looking at some general advice in order to avoid hackers.