Compromised servers – a Broad overview

Hacking: (According the the Cambrige dictionary)

The activity of illegally using a computer to access information stored on another computer system or to spread a computer virus

Hacking is now much more sophisticated and harder to detect than a few years ago.

A hacked server refers to a server being compromised as stated in the heading

How? #

Potentiality all electronic devices can be hacked in the sense that they can be used in unlawful activates. The more complex the system the more security measures will need to be put in place to prohibit unauthorised access. Below is a list of how hackers can gain access to a system, in particular a web server. Placing your server in a public domain will attract welcome and unwelcome visitors. The process of securing your server can be compared to locking your front door and installing a security system in real life. Being aware of what types of methods unwelcome visitors use to try and access your server will help to secure it. Below is a list of common exploits, you can click on the links to learn more about them on Wikipedia.

What? #

What areas are being targeted by hackers, what are the main areas to focus on, remember that a chain is only as weak as its weakest link. All of the software components below will form an enforced barrier around you core business activities. Once again you can follow the links to learn more from a security perspective.

  • Passwords
  • FTP
  • Cpanel
  • MySQL
  • PHP
  • WordPress
  • Email
  • Payment gateways
  • Crypto Miner
  • Phishing websites
  • Phishing emails

Symptoms: #

So I have not been able to secure my server or I suspect that something is wrong, what are the symptoms of a possible hack? The first line of defence is to check your server performance on a regular basis and be familiar with the normal operation parameters. Here historical data like CPU usage memory usage and bandwidth usage could be invaluable. Most of these statistics are available free as part of your hosting package and can be viewed as graphs. (You can also open a ticket with your friendly hosting provider if you think your server has been compromised.) Below the link list from a security perspective.

  • A large number of tcp/ip connectons
  • Unable to log into WordPress
  • seeing stange code – WP or apche
  • looking at logs Security
  • High CPU/Apache process count
  • long running sql Queries/joint statements
  • Cannot send or receive emails
  • Strange links on your website/code
  • Out of bandwidth

Precautions: #

What can I do extra to secure my server? Below is a list of software that you can install on top of you current configuration. If you are not technically inclined rather get professional help as there are other risks that may cause your attractive website to crash. For those who are brave enough (or not so brave) you can have a look at the details:

Getting more technical: #

The tools below can be used for those brave enough to delve deep into the operating system if you have access to a Linux based hosted server. These options are not available if you are using Cpanel, Joomla or WordPress. The command below will usually be used by the technical support division at your hosting company or a tech savvy reseller. Using these commands on a live website could have adverse effects so my advice would b is to use them in an isolated environment until you know how to use them and is beyond the scope of this article. I have however included some real life examples of the logs below to give you an idea of the kind of information that could be gained from those logs.

Commands: #







Log files: #


Dec 16 02:55:01 systemd: Started Session 893076 of user pinguzo.

Dec 16 02:55:02 systemd: Started Session 893077 of user munin.

Dec 16 02:55:02 systemd: Started Session 893081 of user root.

Dec 16 02:55:02 systemd: Started Session 893082 of user root.

Dec 16 02:55:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1x:4xx2:xx:c2:2d:xx:ex:3x:98:10:01:08:00 SRC= DST= LEN=40 TOS=0x08 PREC=0x00 TTL=243 ID=25160 DF PROTO=TCP SPT=3082 DPT=7547 WINDOW=14600 RES=0x00 SYN URGP=0


Dec 16 02:56:09 sshd[24765]: refused connect from (

Dec 16 03:29:07 sshd[8425]: refused connect from (

Dec 16 03:30:02 sshd[8675]: refused connect from (

Dec 16 03:48:53 atd[18157]: pam_unix(atd:session): session opened for user root by (uid=0)

Powered by BetterDocs