OS and cPanel reinstall
Hi, well, I don't know how they got in, but it seems someone got in and has been running some bash scripts. Since this is the first time this has happened, I suspect that via a support ticket, either with my server provider or some other vendor, they managed to get the password. They have been running some bash scripts under my account. But anyway, it is what it is.
Moving forward, I am having the server washed and set up again on CentOS 7 64-bit and cPanel via my server supplier. Then here is the plan to get this back up securely.
1. Change the root password immediately.
2. Get the CSF firewall up right away.
3. Disable FTP completely (we are going to use SFTP anyway).
4. Do not set up any accounts until the WHM and firewall security recommendations are met.
5. Re-establish ourselves with KernelCare to keep that updated.
6. Change the SSH port.
7. Set up SSH-key-only access.
8. Limit the repositories in yum to very trusted ones only.
9. Do not install anything like Composer or other third-party dependency software.
10. Run a scan on everything before creating accounts.
11. Create accounts and keep everyone out until done.
12. Secure all .htaccess files with the "deny from all" code.
Did I miss anything that is not here or part of item 4 above?
Thanks
-
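Items 6 and 7 of the plan above (non-default SSH port, key-only access) are the ones most often half-applied, because sshd honours the first occurrence of a directive and a later `PasswordAuthentication yes` left in the shipped file silently wins. The script below is an added example, not code from the original post or from cPanel: it audits an sshd_config for the settings those two items require, writes the hardened directives, and runs both against a constructed default-style sample. The port 2222, the file paths and the sample contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only,
# non-root, non-default-port access and write a hardened directive set.
# Port 2222 and all paths are assumptions; choose your own.

# Effective value of a directive. sshd uses the FIRST occurrence, so only the
# first match is printed; comments are skipped and reading stops at any
# "Match" block, whose settings are conditional.
sshd_get() {
    # $1 = directive name (case-insensitive), $2 = config file
    awk -v key="$1" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Returns 0 if the config enforces the plan's SSH settings; otherwise prints
# one line per failing check and returns 1. An absent Port means the default
# 22, and an absent PubkeyAuthentication means the default "yes".
sshd_audit() {
    cfg="$1"; rc=0
    port=$(sshd_get Port "$cfg")
    [ -n "$port" ] && [ "$port" != "22" ] || { echo "Port is default 22"; rc=1; }
    [ "$(sshd_get PasswordAuthentication "$cfg")" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_get ChallengeResponseAuthentication "$cfg")" = "no" ] \
        || { echo "ChallengeResponseAuthentication is not 'no' (keyboard-interactive password prompts)"; rc=1; }
    [ "$(sshd_get PubkeyAuthentication "$cfg")" != "no" ] \
        || { echo "PubkeyAuthentication is disabled"; rc=1; }
    case "$(sshd_get PermitRootLogin "$cfg")" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin permits password login for root"; rc=1 ;;
    esac
    return $rc
}

# Writes the hardened directives to $1. On the real host put these at the TOP
# of /etc/ssh/sshd_config so they win over anything below, run `sshd -t`,
# open the new port in the firewall (csf TCP_IN) BEFORE restarting sshd, and
# keep your current session open until a second key-based login succeeds.
sshd_write_hardened() {
    cat > "$1" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
X11Forwarding no
EOF
}

# Constructed sample resembling a freshly shipped config, for the demo only.
write_weak_sample() {
    cat > "$1" <<'EOF'
# default-style sshd_config: port commented out, passwords allowed
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_weak_sample "$tmp/weak"
    sshd_write_hardened "$tmp/hardened"
    echo "weak sample:";     sshd_audit "$tmp/weak"     && echo "  passes" || echo "  FAILS"
    echo "hardened sample:"; sshd_audit "$tmp/hardened" && echo "  passes" || echo "  FAILS"
    rm -rf "$tmp"
}
demo
```

Run `sshd_audit /etc/ssh/sshd_config` after the reinstall and again after every WHM "SSH" change, since the panel edits the same file; on OpenSSH 8.x and later `ChallengeResponseAuthentication` is an alias for `KbdInteractiveAuthentication`, and the audit should be extended to read that name as well.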
If you are going to restore any existing client filesets to the new server, ensure they have all been scanned and checked for altered/added files. Hackers often either add their code to existing files, or bury new files in existing folder structures that are unlikely to be inspected on a regular basis. Wherever you can, install websites and their themes and add-ons and plugins from scratch (especially CMSes like WordPress, Drupal, etc.) and carefully scan and inspect the content of any CMS database before restoring it.
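The check @rpvw describes, altered content in existing files and new files buried in directories nobody looks at, is easiest to make mechanical by diffing the restored tree against a known-clean reference (a fresh install of the same CMS, theme and plugin versions). The script below is an added example, not code from the thread or from any vendor: it builds a SHA-256 manifest of each tree, reports MODIFIED, ADDED and MISSING files, and separately flags server-side code dropped into folders that should only hold static uploads. The directory names it treats as upload folders and the sample trees it creates are assumptions for illustration; it needs GNU `sha256sum` and assumes paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): compare a restored client tree against
# a known-clean reference tree and report every difference. Requires GNU
# coreutils sha256sum; assumes file paths contain no whitespace.

# One "relative/path sha256" line per regular file under $1, sorted by path.
tree_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) |
        awk '{ sub(/^\.\//, "", $2); print $2, $1 }'
}

# Prints "MODIFIED path", "ADDED path" or "MISSING path" for each difference
# between reference tree $1 and restored tree $2. Returns 0 only if identical.
# The reference tree must contain at least one file (awk's NR==FNR idiom).
tree_diff() {
    ref_m=$(mktemp); new_m=$(mktemp)
    tree_manifest "$1" > "$ref_m"
    tree_manifest "$2" > "$new_m"
    out=$(awk '
        NR == FNR     { ref[$1] = $2; next }      # load reference hashes
        !($1 in ref)  { print "ADDED", $1; next }  # present only in restored
        ref[$1] != $2 { print "MODIFIED", $1 }     # content changed
                      { delete ref[$1] }           # seen in both
        END { for (p in ref) print "MISSING", p }  # present only in reference
    ' "$ref_m" "$new_m" | sort)
    rm -f "$ref_m" "$new_m"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Reads tree_diff output and keeps ADDED entries that are PHP code under
# directories meant for static uploads. The directory list is an assumption
# for a WordPress layout; adjust it per CMS.
flag_code_in_uploads() {
    grep -E '^ADDED (wp-content/uploads|wp-content/cache)/.*\.(php|phtml|phar)$'
}

# Constructed sample trees for the demo: identical site files, then two
# tampering patterns (appended code, buried dotfile) and one deleted file.
make_sample_trees() {
    mkdir -p "$1/clean/wp-content/uploads/2019" "$1/restored/wp-content/uploads/2019"
    for t in clean restored; do
        printf '<?php echo "site";\n' > "$1/$t/index.php"
        printf 'User-agent: *\n'      > "$1/$t/robots.txt"
        printf 'GIF89a\n'             > "$1/$t/wp-content/uploads/2019/logo.gif"
    done
    printf '<?php /* injected */\n' >> "$1/restored/index.php"
    printf '<?php /* dropped */\n'  >  "$1/restored/wp-content/uploads/2019/.cache.php"
    rm -f "$1/restored/robots.txt"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_trees "$tmp"
    report=$(tree_diff "$tmp/clean" "$tmp/restored" || true)
    printf '%s\n' "$report"
    printf '%s\n' "$report" | flag_code_in_uploads | sed 's/^/SUSPICIOUS: /'
    rm -rf "$tmp"
}
demo
```

Every MODIFIED line is a file to open and read, not just re-hash; an attacker appending a few bytes to an existing plugin file produces exactly one such line. MISSING entries matter too, since removed `.htaccess` or `index.php` placeholders can turn a protected directory into a listable one.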
Thanks, yes, I am scanning them locally before I upload them :)
The only thing I would reiterate here is, as @rpvw stated, check/scan the files, but it sounds like you have that covered.