Security cleanup of a compromised dedicated server


This document describes how to perform a basic online scan and cleanup of a compromised dedicated server.

If a host is compromised, an attacker may:

The only way to properly recover a compromised host is:

  1. Start from scratch on new hardware with known good backups; or

  2. Individually examine and repair each of the possibly compromised bits of hardware under a forensics lab style environment (outside the scope of what Anchor provides).

This procedure does NOT guarantee that you will actually be able to find and clean up the damage. Whilst it is not foolproof, it may be sufficient under many circumstances, as not all attackers use the most sophisticated techniques (how do you think you managed to detect that the host was compromised in the first place, eh?). It trades off the level of assurance that the host is in a non-compromised state against not losing data since the last backup and the downtime involved.

The clean-up squad

Other resources

Wiki: dedicated/Security_Cleanup_of_Compromised_Hacked_Cracked_Host (last edited 2008-09-26 12:51:30 by AndrewRogers)