
Security incident response

Detect compromises, isolate server, basic forensics, cleanup and post-incident hardening.


Signs of compromise

Indicators that your server may be compromised:

  • Unknown processes consuming CPU/RAM
  • Recently modified files without explanation
  • Network connections to unknown IPs
  • New users you didn't create
  • Deleted logs or unexplained gaps in the log timeline
  • Cron jobs you didn't configure
  • Unusual network traffic

Step 1: Detect the compromise

```bash
# Suspicious processes: highest CPU first, kernel threads excluded
ps aux | grep -v '\[' | sort -k3 -rn | head -20

# Active network connections and the processes behind them
ss -tulnp
netstat -antup

# Users with a login shell
grep -Ev '/nologin|/false' /etc/passwd

# Recent successful and failed logins
last -20
lastb -20

# Cron jobs for all users (run as root), plus the system-wide cron locations
for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u "$user" 2>/dev/null; done
cat /etc/crontab /etc/cron.d/* 2>/dev/null

# Files modified in the last 24 hours (pseudo-filesystems excluded)
find / -mtime -1 -type f -not -path '/proc/*' -not -path '/sys/*' 2>/dev/null
```
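The checks above are most useful when their output is preserved exactly as seen, before anything is cleaned or rebooted. The script below is an added example (not Baires Host's tooling): it runs the same Step 1 checks, writes each result to its own timestamped file, records host metadata, and hashes the bundle so it can later be shown to be unaltered. It assumes a GNU/Linux userland (ps, ss, last, crontab, sha256sum); a missing tool is recorded in the output file rather than aborting the run.

```shell
#!/bin/sh
# Evidence collector for the Step 1 checks (added example, not Baires Host tooling).
# Each check's output goes to its own file under OUTDIR with a timestamp header,
# meta.txt records host/time/operator, and a SHA-256 manifest lets you prove
# later that the bundle was not altered. Missing tools are recorded, not fatal.

run_check() {
    # run_check NAME 'COMMAND' : run COMMAND via sh, keep stdout+stderr, never abort
    name=$1
    printf '### %s\n### collected %s\n' "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$OUT/$name.txt"
    sh -c "$2" >> "$OUT/$name.txt" 2>&1 || true
}

collect_evidence() {
    # collect_evidence OUTDIR [SCAN_ROOT]   (SCAN_ROOT limits the modified-files walk; default /)
    OUT=$1
    root=${2:-/}
    mkdir -p "$OUT" || return 1
    { date -u; uname -a; id; } > "$OUT/meta.txt" 2>&1 || true

    run_check processes      'ps aux | grep -v "\[" | sort -k3 -rn | head -20'
    run_check connections    'ss -tulnp 2>/dev/null || netstat -antup'
    run_check shell-accounts 'grep -Ev "/nologin|/false" /etc/passwd'
    # any UID 0 account other than root is worth an immediate look
    run_check uid0-accounts  "awk -F: '\$3 == 0 && \$1 != \"root\"' /etc/passwd"
    run_check logins         'last -n 20; lastb -n 20'
    run_check cron           'for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done; cat /etc/crontab /etc/cron.d/* 2>/dev/null'
    run_check modified-24h   "find '$root' -xdev -mtime -1 -type f -not -path '/proc/*' -not -path '/sys/*' 2>/dev/null"

    # Hash every artifact; keep the manifest (ideally the whole directory)
    # off the compromised host, e.g. copied with scp from your own machine.
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher="shasum -a 256"; fi
    (cd "$OUT" && $hasher ./*.txt > manifest.sha256)
}

# Usage: IR_COLLECT=1 sh collect.sh /var/tmp/ir-$(date +%Y%m%d%H%M%S)
if [ "${IR_COLLECT:-0}" = 1 ]; then
    collect_evidence "${1:-/var/tmp/ir-$(date +%Y%m%d%H%M%S)}"
fi
```

Run it as root so crontab -l -u and lastb can read their files, and pull the resulting directory to a clean machine before moving on to isolation and cleanup; the manifest is only meaningful if the copy you verify against was taken before any cleanup began.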

Step 2: Isolate the server

If you confirm the compromise:

```bash
# Confirm your own address first (SSH_CLIENT shows it); a wrong value locks you out.
echo "$SSH_CLIENT"

# Option 1: Block all traffic except your IP, in both directions, so the
# intruder can neither reach the server nor exfiltrate data from it
sudo iptables -F
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -s YOUR_IP -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -d YOUR_IP -j ACCEPT
sudo iptables -A OUTPUT -j DROP

# Option 2: Disconnect from network (from Baires Host panel)
# Use VNC console to continue accessing
```

Step 3: Basic forensics

```bash
# Search for common backdoor signatures in PHP files (tune the patterns to your site)
find / -name "*.php" -not -path '/proc/*' -exec grep -l 'eval(base64_decode' {} +
find / -name "*.php" -not -path '/proc/*' -exec grep -l 'system(\$_' {} +

# Verify binary integrity against package checksums (Debian/Ubuntu; rpm -Va on RHEL-based systems)
debsums --changed

# Find SUID files; compare the list against a known-good system or the package manifests
find / -perm -4000 -type f -not -path '/proc/*' 2>/dev/null

# Review authorized_keys for all users (path printed before each file's contents)
find / -name authorized_keys -not -path '/proc/*' -print -exec cat {} \;

# Check world-writable temp locations for dropped files
ls -la /tmp /var/tmp /dev/shm
```

Step 4: Clean and restore

Option A: Restore from clean backup

  1. Reinstall OS from Baires Host panel
  2. Apply basic hardening
  3. Restore data from last clean backup
  4. Change ALL passwords

Option B: Manual cleanup

  1. Remove identified malicious files
  2. Remove unauthorized users
  3. Remove suspicious cron jobs
  4. Reinstall compromised packages: sudo apt install --reinstall package
  5. Change all passwords and SSH keys

Step 5: Post-incident hardening

  • Update all software
  • Review and strengthen SSH configuration
  • Verify fail2ban is active
  • Review firewall rules
  • Enable auditing with auditd
  • Implement continuous monitoring
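"Review and strengthen SSH configuration" is easier to verify than to eyeball, because sshd takes the first matching directive and falls back to a built-in default for anything commented out. The script below is an added example (not Baires Host's tooling): it compares each directive's effective value against a hardened target, using the OpenSSH default when the directive is absent. The target values in SSHD_POLICY are an assumption (no root login, no password logins, no X11, few auth attempts) and can be changed; Match blocks and Include files are not followed, so on a live host feed it the output of `sshd -T`, which resolves both.

```shell
#!/bin/sh
# Post-incident sshd_config review (added example, not Baires Host tooling).

# key=wanted=openssh_default   (defaults as shipped by OpenSSH 7.x and later)
SSHD_POLICY='PermitRootLogin=no=prohibit-password
PasswordAuthentication=no=yes
PermitEmptyPasswords=no=no
X11Forwarding=no=no
MaxAuthTries=3=6'

sshd_effective() {
    # sshd_effective FILE KEY -> first uncommented value of KEY (sshd honours the first match)
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

check_sshd_config() {
    # check_sshd_config FILE -> prints one line per weak directive; returns 1 if any
    f=$1; bad=0
    for spec in $SSHD_POLICY; do
        key=${spec%%=*}; rest=${spec#*=}; want=${rest%%=*}; def=${rest#*=}
        have=$(sshd_effective "$f" "$key"); note=""
        if [ -z "$have" ]; then have=$def; note=" (default)"; fi
        case "$key" in
            MaxAuthTries)
                # numeric limit: anything above the target is weak
                case "$have" in
                    *[!0-9]*) echo "$key: $have$note (want <= $want)"; bad=1 ;;
                    *) [ "$have" -le "$want" ] || { echo "$key: $have$note (want <= $want)"; bad=1; } ;;
                esac ;;
            *)
                [ "$have" = "$want" ] || { echo "$key: $have$note (want $want)"; bad=1; } ;;
        esac
    done
    return $bad
}

write_sample_configs() {
    # Constructed weak and hardened configs for a dry run
    cat > "$1/weak" <<'EOF'
# constructed sample: typical defaults left in place
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 10
EOF
    cat > "$1/hardened" <<'EOF'
# constructed sample: post-incident settings
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
EOF
}

# Usage on a live host (effective config, Include and Match resolved by sshd itself):
#   sshd -T > /var/tmp/ir/sshd-effective.txt && check_sshd_config /var/tmp/ir/sshd-effective.txt
```

The commented-out PasswordAuthentication line in the weak sample is the case that catches people: it looks hardened at a glance but leaves the default (yes) in force, which the script reports as "yes (default)". Run the check again after every edit and a `systemctl reload sshd`, from a second session so a mistake cannot lock you out.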

When to contact support

Contact Baires Host support if:

  • You can't determine the entry vector
  • The compromise affects network infrastructure
  • You need to restore from provider backups
  • You suspect the attack comes from another server on the network

Recommendations

  • Document everything you find during investigation
  • Don't reboot the server before collecting evidence
  • Change passwords from a clean device
  • After the incident, implement proactive monitoring
  • Consider hiring a professional security audit
