Attacks on servers cannot be avoided entirely. Even with well-configured security, a server can still be crippled by an attack, and this affects not only large enterprises but also many small and medium-sized businesses. Operations and maintenance staff therefore need, beyond routine work such as hardening the system and patching known vulnerabilities, to know what to do during and after an intrusion on a dedicated server, so that losses and impact are kept to a minimum. There is no need to panic: Micronet walks through the response steps below.
First, as soon as you find that the server has been compromised, shut down all website services immediately and keep them offline for at least 4 hours. Many webmasters will object: the site is down for hours, how much revenue is lost? Consider instead which causes greater harm: a site that hackers have turned into a phishing page for your users, or a site that is temporarily closed. In the meantime you can point the site at a single static page carrying a maintenance notice. Second, Micronet recommends downloading the server logs for detailed analysis and running a full anti-virus scan of the server. This takes about 1-2 hours, but it is essential. You must confirm whether a backdoor trojan has been installed on the server, and analyse the system and web logs to find which website the attacker came through and which vulnerability was used to enter the server. Identify and confirm the attack source, and preserve the evidence: the site where the attacker planted malicious code (a "hanging horse" drive-by page), screenshots of any defaced pages, and any personal or proxy IP addresses the attacker may have left behind.
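The log analysis in the step above is the part that most often gets skipped under time pressure, so here is an added example of how to triage it. This is not Micronet's tooling; it is illustrative code written for this article. It assumes the web server is IIS writing W3C extended logs (the `#Fields:` header names the columns), that the log sample below is constructed rather than captured, and that directories such as `/images/` and `/upload/` should never contain server-side scripts. It groups requests by client IP and flags the ones a responder would want to look at first: scripts requested from non-script directories, POSTs to upload handlers, and server errors.

```python
"""Triage an IIS W3C extended log: group by client IP and flag likely attack activity."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample log (not a real capture). IIS writes '+' instead of spaces in
# user-agent strings, so whitespace splitting on a line is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2023-03-01 10:00:01 10.0.0.5 GET /index.php - 203.0.113.10 Mozilla/5.0 200
2023-03-01 10:00:07 10.0.0.5 GET /images/logo.png - 203.0.113.10 Mozilla/5.0 200
2023-03-01 10:02:13 10.0.0.5 POST /admin/upload.php - 198.51.100.7 python-requests/2.28 200
2023-03-01 10:02:19 10.0.0.5 GET /images/x.php cmd=whoami 198.51.100.7 python-requests/2.28 200
2023-03-01 10:02:25 10.0.0.5 GET /images/x.php cmd=dir 198.51.100.7 python-requests/2.28 200
2023-03-01 10:05:00 10.0.0.5 GET /products.php id=3 192.0.2.44 Mozilla/5.0 200
2023-03-01 10:05:30 10.0.0.5 GET /upload/shell.aspx - 198.51.100.7 python-requests/2.28 404
"""

# Assumed layout: these directories hold static content only, never scripts.
NON_SCRIPT_DIRS = ("/images/", "/upload/", "/uploads/", "/files/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|ashx|asmx|jsp|cer|cdx)$", re.IGNORECASE)


@dataclass
class SourceSummary:
    hits: int = 0
    first_seen: str = ""
    last_seen: str = ""
    flagged: list = field(default_factory=list)  # (timestamp, stem, query, status, reason)


def parse_w3c(text):
    """Yield one dict per request line, using the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, parts))


def reasons(rec):
    """Return the list of reasons a single request deserves attention (empty if none)."""
    out = []
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "")
    status = rec.get("sc-status", "")
    # A server-side script inside an upload or image directory is the classic web shell location.
    if stem.startswith(NON_SCRIPT_DIRS) and SCRIPT_EXT.search(stem):
        out.append("script in non-script dir")
    if method == "POST" and "upload" in stem:
        out.append("POST to upload handler")
    if status.startswith("5"):
        out.append("server error")
    return out


def triage(text):
    """Summarise the log per client IP and keep only sources with at least one flagged request."""
    summary = defaultdict(SourceSummary)
    for rec in parse_w3c(text):
        src = summary[rec.get("c-ip", "?")]
        src.hits += 1
        ts = f"{rec['date']} {rec['time']}"
        if not src.first_seen:
            src.first_seen = ts
        src.last_seen = ts
        for why in reasons(rec):
            src.flagged.append((ts, rec["cs-uri-stem"], rec.get("cs-uri-query", "-"),
                                rec["sc-status"], why))
    return {ip: s for ip, s in summary.items() if s.flagged}


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(f"{ip}: {s.hits} requests, {s.first_seen} .. {s.last_seen}")
        for ts, stem, query, status, why in s.flagged:
            print(f"  {ts} {stem} {query} {status}  <- {why}")
```

On real logs, run it over every site's log directory rather than one file, and treat the output as a starting point: the first flagged timestamp for a source IP tells you where to begin reading the surrounding lines by hand, and the flagged stems (here `/images/x.php`) are the files to preserve as evidence before the server is rebuilt.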
Next, apply patches. Windows systems usually have the latest system patches available; then patch the MySQL or SQL Server database, then PHP, IIS and Serv-U (all of which are frequently found to have vulnerabilities), and finally any virtual-host management software used by the IDC.
Next, disable all suspicious system accounts, especially those with high privileges. Reset the permissions on every website directory, remove execute permission from directories that do not need it, and configure image directories and other non-script directories so that no scripts can run from them.
After completing the steps above, change the administrator account password and the database management passwords, especially the SQL Server sa password and the MySQL root password. These accounts carry special privileges, and an attacker who holds them can obtain full system access.
Web servers are usually compromised through website vulnerabilities. Review the website code (together with the log analysis above), and strictly check and fix every site where files can be uploaded or where a web shell could be written to disk. If the attack method cannot be determined with certainty, reinstall the system to eliminate the attack source completely.
The points above summarise Micronet's approach to dealing with a hacked server. If anything is still unclear, please contact us, and for further questions about servers, consult Micronet. Micronet is an IDC service provider focused on server rental and hosting. With more than 10 years of industry experience, it is safe, stable, reliable and reassuring, and a leading enterprise in the domestic IDC industry. It has helped thousands of enterprises build out their network infrastructure, offers 7 * 24 hours of staffed service with worry-free after-sales support, and enjoys a good reputation.