Dear forum. How to stop a backdoor attack on a production server? The attacker managed to upload a script to the Wordpress root folder, from where this script (I have read it) probed the system and reported back. The backdoor script provided a login page, and after logging in, a menu of things to do on the compromised system, like upload or move around files.
A new server was built from scratch, and data transferred to it. After a few days, it became clear that the attacker had also compromised the new system, so his tools had followed with the move to the new server. The only non-vetted code that was brought over to the new machine was the mysql database and the whole wordpress directory structure, with plugins and themes.
Can anyone give some advice about how to stop this attack? I am now at the stage where I have yet another server ready, but won't bring any code over until vetted. But how do I go through all this information and find the malicious items? And most importantly: how did the attacker get access in the first place? Just this morning, he managed to put the backdoor script on the server again. Where, how does (s)he enter? And is there any way to find out exactly what type of malicious script this is, its history, its functionality, etc., from studying the code, or by sending it to someone who has time and competency in such things?
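One way to triage a copied WordPress tree before moving it to the new server, as an added example that is not part of the original post: walk the directory, score every PHP file for constructs that uploaded backdoors (login page, eval of request data, file upload and move) use far more often than legitimate themes and plugins, and flag any PHP file sitting under wp-content/uploads at all. The pattern weights are a heuristic assumption, and the two sample files are constructed here so the script runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic weights (an assumption, tune for your own tree): constructs that
# legitimate WordPress plugins and themes rarely need but web shells rely on.
SUSPICIOUS = {
    "eval": (re.compile(r"\beval\s*\("), 5),
    "base64_decode": (re.compile(r"\bbase64_decode\s*\("), 3),
    "shell-exec": (re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\("), 5),
    "obfuscation": (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), 3),
    "request-as-function": (re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("), 6),
    "file-upload": (re.compile(r"\bmove_uploaded_file\s*\(|\$_FILES\b"), 3),
}
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

def score_php(relpath: str, text: str):
    """Return (score, hit names) for one PHP file; higher means more suspect."""
    score, hits = 0, []
    for name, (pat, weight) in SUSPICIOUS.items():
        n = len(pat.findall(text))
        if n:
            score += weight * n
            hits.append(name)
    # Executable PHP has no business under wp-content/uploads, whatever it contains.
    if "uploads" in Path(relpath).parts:
        score += 10
        hits.append("php-under-uploads")
    return score, hits

def scan_tree(root: str, threshold: int = 5):
    """Walk a WordPress tree and list PHP files scoring at or above threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            if full.suffix.lower() not in PHP_EXT:
                continue
            text = full.read_text(encoding="utf-8", errors="replace")
            rel = str(full.relative_to(root))
            score, hits = score_php(rel, text)
            if score >= threshold:
                findings.append((score, rel, hits))
    return sorted(findings, reverse=True)  # most suspect first

def demo():
    """Constructed sample tree: one benign theme file, one shell-like upload."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/themes/t/functions.php":
            "<?php add_action('init', function () { echo 'ok'; });",
        "wp-content/uploads/2024/img.php":
            "<?php if ($_POST['pw'] === 'x') { eval(base64_decode($_POST['c'])); }"
            " if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_POST['to']); }",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return scan_tree(root)

if __name__ == "__main__":
    for score, rel, hits in demo():
        print(f"{score:3d}  {rel}  {', '.join(hits)}")
```

Run it as `scan_tree("/path/to/copied/wordpress")` against the tree you intend to migrate; anything it lists deserves a manual read before it goes near the new server, and a clean tree is no proof the entry point (stale plugin, weak admin password, leaked credentials) is gone.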