

Server exploited




Posted by oozypal, 03-01-2011, 07:32 AM
Hello, Someone exploited my dedicated server. He made a few symlinks to essential files under the root. I have removed those symlinks. Can you guys show me how to search for symlinks inside all public_html of all accounts? In addition, what should I do to improve the security of my server? Someone told me that there are out-of-the-box default configs that are security unsafe; how can I remove these configs and secure the server? Thank you OOzy

Posted by Johnny Cache, 03-01-2011, 09:52 AM
Hello, Almost everyone here would suggest that you completely wipe and restore your server, without question, if it has been rooted. If you are using cPanel, I would suggest installing CSF/LFD after you wipe and reload your OS: http://www.configserver.com/cp/csf.html Hope this helps, good luck.

Posted by Patrick, 03-01-2011, 11:48 AM
If the attacker gained root you're better off deploying a new server and hiring a server management company to keep things secure. Security is not a one time thing, it's an ever changing process that constantly has to be worked on. Also, once a server has been rooted it should never be trusted again, despite any reassurances from various root kit checkers, etc. Play it safe, start off fresh.

Posted by Natcoweb, 03-01-2011, 03:46 PM
You could use find / -type l, but resetup wins anyway.
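
An added example, not part of any post in this thread: a narrower form of the find / -type l search that walks every account's public_html and reports only symlinks whose target resolves outside that account's home directory. It assumes accounts sit directly under one base directory (/home by default, the usual cPanel layout) and that GNU find and readlink are installed; the function name is made up for this example.

```shell
#!/bin/sh
# Added example: audit symlinks in every account's public_html.
# Assumptions: account homes are directories directly under the base
# directory given as $1 (default /home); GNU find and readlink exist.
# Paths containing newlines are not handled.

find_escaping_symlinks() {
    base=${1:-/home}
    for docroot in "$base"/*/public_html; do
        [ -d "$docroot" ] || continue
        # Canonical home directory of the account that owns this docroot.
        home=$(readlink -f "${docroot%/public_html}") || continue
        # -type l tests the link itself; find does not follow it, so a
        # public_html that is itself a symlink is checked as well.
        find "$docroot" -type l -print | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || target=""
            case "$target" in
                "$home"|"$home"/*)
                    ;;  # target stays inside the account: not reported
                "")
                    # readlink could not resolve the link (e.g. a loop)
                    printf 'UNRESOLVED %s\n' "$link" ;;
                *)
                    printf 'OUTSIDE %s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}

# Usage (as root, read-only):  find_escaping_symlinks /home
```

Links pointing at /, /etc, or another account's home show up as OUTSIDE lines; a clean result does not make a rooted server trustworthy, as the other replies point out.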

Posted by cpanellover, 03-01-2011, 05:33 PM
I agree, a server that has been rooted cannot be trusted. Time to wipe...

Posted by M Bacon, 03-01-2011, 05:44 PM
You could try this tutorial too. The tutorial works with dedicated servers as well. http://www.webhostingtalk.com/showthread.php?t=468168


