Attackers made a backup root on one of my website. What should I do?

Lukewalker18

Attackers made a backup of root folder on one of my website folder. They know about every site source code and database on my site except the root account I guess.
What should I do first? How to prevent this incident?

Please help

aaPanel_Kern

Hello, it is recommended to check what is causing the problem first.

Is the ssh login account and password too simple? Have you changed the ssh port?
Do you use genuine website programs? Do you use genuine website program plug-ins?
Is there a security hole in the website program used?
Is there a security hole in the system?
Do not execute unknown programs and scripts in the system at will
Pay attention to backup data daily

Lukewalker18

aaPanel_Kern

SSH login is using strong password
I only used apps from the aapanel app store
Yes there is a security hole in 1 of the website. But we don't know how. We don't have proper cyber security team.
No I guess. We use Centos. Do we need change to Ubuntu?
Never
We did backup all of our sites in aapanel, but is it possible for the hacker write hidden scripts in the other websites?

So there's a chance that the hacker know our operating system password?
I changed all the database password for each site. I haven't change the aapanel login password and the operating system password

the dashboard doesn't show any suspicious traffic.

We don't know since when this happened. We have only last 3 backup on each site. Is it okay to restore and move to another server? is there any risk (already planted script/etc)?

aaPanel_Kern

it is recommended to do a snapshot backup on the server first
Check whether the data is complete and back up related data
Change website password, database password, operating system password
Back up relevant data and download it locally,
Reinstall the system, build the website and restore the data

aaPanel_Kern

It needs to be checked to know whether there is an implanted script.
What is the program of the website? Can the existing security holes be fixed according to the tutorials on the official website?

Lukewalker18

aaPanel_Kern

It's an information system about electronic purchasing for government. Yes it can.

Thanks for you advices. We really appreciate your help.

One last question. How do I transfer my pro license to another server? I just made the new server that using different IP

aaPanel_Kern

Lukewalker18
Yes, go to our official website to unbind, and then bind on the panel of the new server.
https://www.aapanel.com/user_admin/order_list

klaus

So there's a chance that the hacker know our operating system password?

If he know that you would not have access to the server anymore.

If they did a backup of your source code then you can expect for new attacks if they found a breach without knowing your source code then now is a walk in a park for them.

If your source code is expensive or really desirable they would sell it online as well. And ofcourse the databse if contains clients data that would be again public.

If you have the original scripts before the attack you can compare with WinMerge. If you don't have then you need to check the code line by line, look for obfuscated code, they put that normally on public pages but they could remove the access restrictions on the backend of the source code so you will need to check every file.

Hire a cyber security analyst and make a proper code check.

aaP_hareeshnarayan1982

klaus Rule Number 1: Don't use password, use a ssh key
Rule No: 2 add a Sudo user and disable root.

klaus

aaP_hareeshnarayan1982 They attack his website and if they put a rootkit they can check the server files in this case they had access to the content from wwwroot without any ssh access because they didn't need one all the folders are under www ownership so they could backup them with simple php script and download the data.

That's why the majority use obfuscated code for php once they put it in a production server so they can limit this types of attacks.

Some don't even bother to write a custom class for the database connection so is much harder to guess exactly how it is used when the code is obfuscated.

SSH keys are more secure then a password.

SSH root access on a production server was allways a stupid thing but this time would not help him too much if was disabled anyway.

aaP_hareeshnarayan1982

klaus yes.

Lukewalker18

klaus

Thanks for the advice. Really helpful

I have another questions. Is there any software that can prevent attackers to exploit bad code? Does activating apache wav or nginx wax can prevent that? Can software like Immunify360 prevent that too?

2nd, Does software such as paid online pentest tools is enough to do a proper code check?

aaP_hareeshnarayan1982

Lukewalker18 You can do a 3rd party audit of the code.

klaus

Lukewalker18 You can use tools like https://github.com/FloeDesignTechnologies/phpcs-security-audit to check your code and refactor it.

Almost all attackers use the headers to find flaws in the code securing them with https://github.com/BePsvPT/secure-headers will decrease the chance to find flaws in the code.

This is kind of old but it still have the basics https://github.com/marcocesarato/PHP-AIO-Security.

I like to encrypt as much code and sensitive data as possible, https://github.com/paragonie/ciphersweet this is a good aproach to do it.

Use custom sql queries, like let say now you use mysqld change it to something like mysqlcustomquery, and obfuscate the php that contains sensitive data like the mysqlserver.php wich contains your database details, and obfuscating all the code make the attackers to go blind over sql queries. It is still possible to delete the mysqlserver.php and show the error code so you should desactivate php error reporting. In php.ini modify display_errors to OFF.

Allways use minimal code in the frontend and use a folder outside your web directory to store the backend files so even if the hacker manage to get access to the frontend they are limited to the public files and without knowing the database queries they can't dump the database.

Public in www/wwwroot/yourwebsite , Backend let say in the home directory of linux you can put that directory like ~/home/backend1.

Use CloudFlare or another CDN with a good dns management so your server ip is protected, i recommand using a IPv6 because IPv4 is reused now and you can get a IP that was attacked in the past or have a active attack over it.

And allways check your javascripts to be updated because some attacks use javascript to find holes in the system.

And in final i'm always against control panels on a production server that is my choice so is pretty personal.