Server security best practice

Obviously, every server owner hopes it will never happen to them: a server hack.
Since it can happen, here are some tips to prevent server hacks, followed by advice on what to do if a hack does happen to you.
To prevent your server from being hacked, follow the steps below:

1

Choose a complex password

Prevention of server hacks starts as soon as a server is installed: you are asked to choose a root password and, as simple as it may sound, you should choose a very complex one.
Example: "P@ssw0rd" is not particularly safe: it is just the word "password" with predictable character substitutions.
Here is a website that could prove useful in generating complex and safe passwords: http://www.safepasswd.com/
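As an added example (not part of the original article): a small POSIX shell script that generates a random password from /dev/urandom and flags obviously weak choices such as the "P@ssw0rd" above. The deny list of base words and the leet-substitution table are constructed samples; real deny lists are far longer.

```shell
#!/bin/sh
# Added example, not from the original article.

# gen_password LEN: print LEN random characters drawn from /dev/urandom,
# restricted to a printable mixed set (letters, digits, punctuation).
gen_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_=+-' </dev/urandom | head -c "$len"
    echo
}

# Constructed deny list of base words that attackers try first.
WEAK_WORDS="password administrator admin root qwerty letmein welcome"

# normalize PW: drop trailing digits/punctuation, undo common substitutions
# (@->a, $->s, 0->o, !->i, 1->i, 3->e) and lower-case the result.
normalize() {
    printf '%s' "$1" | sed 's/[0-9!?.]*$//' | tr '@$0!13' 'asoiie' | tr 'A-Z' 'a-z'
}

# password_is_weak PW: returns 0 (shell true) when PW is shorter than 12
# characters or its normalized form is on the deny list, 1 otherwise.
password_is_weak() {
    pw="$1"
    if [ "${#pw}" -lt 12 ]; then return 0; fi
    norm=$(normalize "$pw")
    for w in $WEAK_WORDS; do
        if [ "$norm" = "$w" ]; then return 0; fi
    done
    return 1
}

# Demo, enabled with RUN_EXAMPLE=1 so the functions can also be sourced.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    for candidate in 'P@ssw0rd' 'P@ssw0rd2024!' 'Adm1n1str@tor' "$(gen_password 20)"; do
        if password_is_weak "$candidate"; then
            printf '%-28s weak\n' "$candidate"
        else
            printf '%-28s ok\n' "$candidate"
        fi
    done
fi
```

Run it with `RUN_EXAMPLE=1 sh passwords.sh`; the check is deliberately simple (length plus a deny list after undoing substitutions) and illustrates why "P@ssw0rd" and its variants fail, not how to judge arbitrary passwords.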

2

Don't leave your password lying around

Don't leave your password lying around, and turn off your browser's option to remember passwords. Your own computer can also be hacked, and a password stored this way is just as exposed.

3

Install a proper antivirus software on your computer

Keyloggers (malware that records the keystrokes typed on your computer) can capture your passwords and forward them to a third party who can abuse them. Make sure you have proper anti-virus software installed on your computer to keep keyloggers out.

4

Make sure applications on your server are only available to the users they are meant for

Having applications available to everyone who can reach your server (whether they have your permission or not) invites abuse of those applications.
An example: if only specific users need FTP/SSH, make sure all other IP addresses are firewalled off those services.
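As an added example, not part of the original article: a POSIX shell script that builds the iptables rules for the policy above, accepting SSH (22) and FTP (21) only from an allow-list and dropping everyone else on those ports. The addresses are constructed documentation ranges; iptables is a real tool, but the rule set is mine and must be adapted (FTP passive mode needs extra ports, and an earlier catch-all ACCEPT rule in the INPUT chain would make the appended DROP ineffective) before use on a live server.

```shell
#!/bin/sh
# Added example, not from the original article. Generates (and optionally
# applies) iptables rules that allow SSH/FTP only from an allow-list.

ALLOWED_IPS="203.0.113.10 198.51.100.0/24"   # constructed sample addresses
RESTRICTED_PORTS="21 22"                      # FTP control and SSH

# firewall_rules: print one iptables command per line. For each port the
# ACCEPT rules for allowed sources come first, then a DROP for everyone else;
# iptables evaluates rules in order, so the output order matters.
firewall_rules() {
    for port in $RESTRICTED_PORTS; do
        for ip in $ALLOWED_IPS; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$ip"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# rule_count PORT: number of generated rules for PORT (allowed sources + 1 DROP).
rule_count() {
    firewall_rules | grep -c -- "--dport $1 "
}

# last_action PORT: target (ACCEPT/DROP) of the final rule for PORT. It must be
# DROP; if it is not, hosts outside the allow-list still get through.
last_action() {
    firewall_rules | grep -- "--dport $1 " | tail -n 1 | sed 's/.* -j //'
}

# apply_firewall: run the generated commands (needs root). Without root, or
# with DRY_RUN=1, it only prints them so they can be reviewed first.
apply_firewall() {
    if [ "${DRY_RUN:-0}" = 1 ] || [ "$(id -u)" -ne 0 ]; then
        firewall_rules
    else
        firewall_rules | sh -e
    fi
}
```

Review the output of `DRY_RUN=1 sh firewall.sh` before applying it, and keep an out-of-band way to reach the server (the provider's console) in case the allow-list leaves out the address you are connecting from.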

5

Run regular scans for rootkits, viruses, etc.

Monitor your server using a watchdog application. If you find that certain applications are causing problems that cannot be related to your websites, there could be issues on your server. Watchdogs can also run server checks against rootkits and viruses.
Beware: a watchdog will also inform you when server components are outdated. It is recommended that you update these components UNLESS your applications require a specific version of the component.

6

Content

a. Clean up unnecessary files. Make sure that you do not publish online documentation, readmes, changelogs or other footprints that certain applications ship with. Leaving them online reveals which applications (and versions) you run, making it easier for hackers to access your websites and data.
b. Carefully choose the rights you set up for applications.
Very often files and/or applications are uploaded with chmod 777. This means that anyone who can access the files can read, write or execute them. If this is unnecessary, restrict these rights so only the appropriate users have access.
c. Make sure you store sensitive data in a secure format, such as a database.
Unfortunately, many still use simple text files to store sensitive data. Such files are not encrypted and, if they end up in the hands of hackers, can be used for all kinds of unwanted actions.
d. Make sure content you publish cannot be abused.
Content can be used to launch hacks on others, so make sure you protect your content.
An example of something that happens quite often is (My)SQL injection. Read more on this at http://en.wikipedia.org/wiki/SQL_injection
e. Free software often doesn't come free.
Numerous (web) applications that normally have to be paid for can be found "for free" on the Internet. Very often, though, these copies contain code that is used to retrieve your secured data.
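As an added example for point b above (not part of the original article): a POSIX shell script that lists every world-writable file or directory under a web root (the result of uploading with chmod 777) and resets them to owner-writable modes. The default web root /var/www is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example, not from the original article. Finds world-writable entries
# (the result of "chmod 777") under a directory and resets them to sane modes.

# audit_world_writable DIR: print every file or directory under DIR that any
# user on the system may write to (mode bit o+w, octal 0002). Symlinks are
# skipped because their own mode bits are meaningless.
audit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# count_world_writable DIR: the same check as a number, handy for cron reports.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# fix_permissions DIR: directories 755 (only the owner may write, everyone may
# enter), regular files 644 (only the owner may write, everyone may read).
# This deliberately removes the execute bit from uploaded files; scripts that
# really must be executable (CGI etc.) have to be re-marked afterwards.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo, enabled with RUN_EXAMPLE=1 so the functions can also be sourced.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    webroot="${1:-/var/www}"      # hypothetical default web root
    echo "World-writable entries under $webroot before:"
    audit_world_writable "$webroot"
    fix_permissions "$webroot"
    echo "World-writable entries after: $(count_world_writable "$webroot")"
fi
```

Running only `audit_world_writable` from cron and mailing the output gives an early warning when a deployment or an upload form reintroduces 777 files; `fix_permissions` is the blunt correction and should be run after checking the list.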

7

Make sure you have a backup of your data

If there is a problem with your server and you need to reinstall it or migrate to a new one, the fastest way to get everything back online is to have a backup of your data that can easily be uploaded.
Please make sure you store your backup in a different location from the server itself.
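As an added example (not part of the original article): a POSIX shell script that creates a timestamped, checksummed backup of a directory, verifies it, and restores it, so that a restore does not fail at the worst moment. Copying the archive off the server, as the step above requires, is done with an optional scp to a hypothetical destination given in OFFSITE; sha256sum is assumed to be the GNU coreutils tool.

```shell
#!/bin/sh
# Added example, not from the original article. Creates, verifies and restores
# a timestamped backup; an optional scp copies it to another machine.

# make_backup SRC DEST NAME: write DEST/NAME-<utc timestamp>.tar.gz plus a
# .sha256 file beside it; prints the archive path on success.
make_backup() {
    src="$1"; dest="$2"; name="${3:-site}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$name-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$archive" -C "$src" . || return 1
    # Read the archive back to make sure it is not truncated or corrupt.
    tar -tzf "$archive" >/dev/null || return 1
    # Checksum relative to DEST so "sha256sum -c" works from that directory.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256") || return 1
    if [ -n "${OFFSITE:-}" ]; then
        # e.g. OFFSITE=backup@backup.example.invalid:/backups (hypothetical host)
        scp -q "$archive" "$archive.sha256" "$OFFSITE" || return 1
    fi
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: the checksum must match and the archive must list
# cleanly; either failure means the backup cannot be trusted.
verify_backup() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) &&
        tar -tzf "$archive" >/dev/null
}

# restore_backup ARCHIVE DIR: unpack into DIR, but only after verification.
restore_backup() {
    verify_backup "$1" || return 1
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Demo, enabled with RUN_EXAMPLE=1: back up a web root into a backup directory.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    out=$(make_backup "${1:-/var/www}" "${2:-/var/backups}" site) && echo "wrote $out"
fi
```

Schedule `make_backup` from cron with OFFSITE set so every archive leaves the server as soon as it is written, and run `verify_backup` on the off-site copy periodically; a backup that only exists on the hacked server is exactly the one you cannot rely on.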

As a general rule, try and always keep your system up-to-date.
Don't take any risks: protect your server and your hard work!

Curing a hack

Hacks are a very common occurrence. Here are some instructions on what you should do if your server has been hacked.

1

Hack 1 - Root password has been changed

If your root password has been changed, use Recovery mode, which you can find in the Control Panel. This tool mounts the drive in a recovery environment; you can then chroot into the mounted drive and change the password. Once you've done this, unmount the drive and restart your server in normal mode.
Please note that while your server is in recovery mode, all websites, emails etc. are unavailable.

2

Hack 2 - Plesk password has been changed

If Hack 1 and Hack 2 have not happened simultaneously, you can change your Plesk password over an SSH connection (if both the root and Plesk passwords have been changed, solve Hack 1 first, then proceed to Hack 2).
In SSH enter: cat /etc/psa/.psa.shadow
The password will be shown.
In case the shadow file has been deleted you will need to run the following (the leading # is the root shell prompt and mysql> the MySQL prompt; neither is part of the command):
# /etc/rc.d/init.d/psa stopall
(this stops all Plesk services)
# /usr/local/psa/mysql/bin/safe_mysqld --skip-grant-tables &
or
# /usr/bin/safe_mysqld --skip-grant-tables &
(this starts MySQL without the grant [password] tables, so anyone who can reach it can log in without a password; keep it in this state only for as long as the reset takes)
# /usr/local/psa/mysql/bin/mysql mysql
(this logs in to MySQL and selects the mysql database)
mysql> USE mysql;
mysql> FLUSH PRIVILEGES;
mysql> SET PASSWORD FOR admin = PASSWORD('your-password-here');
(copy this entry and replace your-password-here with your new password, keeping the quotes; on a typical Plesk install the account is 'admin'@'localhost', so if MySQL reports that the user does not exist, write SET PASSWORD FOR 'admin'@'localhost' = PASSWORD('your-password-here'); instead)
mysql> exit
(this leaves MySQL and returns you to the root shell)
# killall mysqld
or
# /etc/rc.d/init.d/mysqld restart
(this stops the MySQL daemon that was started with --skip-grant-tables)
# /etc/rc.d/init.d/psa start
(this starts Plesk, which in turn starts the MySQL daemon with the new password)

3

Your mailbox is hacked

Solving this issue depends on how your mailbox has been set up.
If your mailbox is on the Register.it platform (that is, not on your server):
Log in on your Control Panel and select the applicable domain name. Click on Email, then on Configure your mailbox. Here you will find the option to change the password for your mailbox.
If your mailbox is on Plesk:
Log on to your server and select the domain. Go to Mail accounts and select the account. Change the password via the Preferences settings.

4

Unknown files appear/disappear in your FTP

In that case, someone has probably stolen your FTP username and password. You will need to create and set up new users and passwords. As with the mailbox hack, there are 2 ways to do this:
1. If you use the Register.it FTP (not the Plesk FTP):
Log in on your Control Panel and select the applicable domain name. Go to FTP (you need a Hosting Linux or Windows pack to be able to select these options). Delete the existing user and create a new one with a brand new password.
2. If you use your Plesk FTP:
Log on to your server and select the domain. Go to Web Hosting Settings and change the user settings for FTP. If you use Plesk 10 you have the option to set up multiple users; delete the existing ones and create new ones. If you previously set up jailed users via SSH, then you need to delete those users here.

5

Your application has been hacked/you don't know exactly what has been hacked

If your application has been hacked, or you think your server has been compromised completely, the best choice is to reinstall the server. This can easily be done through your Control Panel and lets you start with a clean slate. Though this means downtime for your websites, it remains the best and safest way to make sure no one has access to your server anymore.
When reinstalling, it is very important to have a backup of your data. Please make sure you have a clean backup (one taken before the hack) before acting.
