Server hacked and compromised, how to scan and fix via clamav?

If your dedicated server has been hacked and compromised and you want to fix it, the best way is to reinstall the server, and also to perform the following steps.

The first step is to identify, in the ClamAV report, the files that used to be regular files of the website. Those files may have been infected by code injection and need to be analyzed by the developer to be fixed.

You may run this command.

1- Update the ClamAV signature database:

# freshclam

Other infected files may have been uploaded to the server because of overly permissive permissions on files/folders in the website.

You'll have to correct those permissions and delete the infected files.

The ClamAV anti-virus software can help you delete the infected files (or move them to quarantine), but it will not fix the security failure that let them in; that is why you'll have to investigate the infected files/folders manually. To run a virus scan, use this one-line command, which moves infected files to /var/infected/:

# i="/var/infected/" ; mkdir -p $i ; chown root:root $i ; chmod 700 $i ; clamscan --include-dir=/home/ --include-dir=/root/ --include-dir=/tmp/ --quiet -r -i -l /var/log/clamav/ClamScanReport`date +%Y%m%d%H%M`.log --move=$i /* ; chmod 0 $i



In a more proactive way, you can list all folders that have an overly permissive permission setting (777); the following command writes them to the log /root/wrongPERM.log:

# find /home/*/public_html -type d -perm 777 > /root/wrongPERM.log

You should fix the permissions and test all of the websites (usually a 711 or 755 permission is enough for folders inside public_html, and 644 for files). You should contact each webmaster and ask them to contribute to their website's security, and also ask them to update their website programs (like WordPress).

Finally, through these steps you get prompt messages or log files (/root/wrongPERM.log and /var/log/clamav/ClamScanReport*.log) to deal with all the issues.
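The scan and permission steps above, collected into reusable shell functions as an added example (this is not code from the original post). It goes a little beyond the article's `-perm 777` check: any directory or file with the world-write bit set is reported, not only mode 777, since a 775 or 666 entry can be abused just as easily. The function and path names (audit_perms, fix_perms, prepare_quarantine, run_scan, /root/wrongPERM.log) are assumptions of this example; GNU find and stat (Linux) are assumed, and run_scan needs ClamAV installed and root privileges.

```shell
#!/bin/sh
# Added example, not from the original article: audit and repair the
# world-writable permissions the article warns about, prepare the quarantine
# directory, and run the ClamAV scan with a timestamped log.
# Assumes GNU find/stat (Linux). All paths are parameters.

# List world-writable directories and files under ROOT into LOG and return
# the number of findings. Broader than the article's "-perm 777": any entry
# with the world-write bit (-perm -o+w) is a drop-point for uploads.
audit_perms() {
    root="$1"; log="$2"
    : > "$log"                                   # start a fresh report
    find "$root" -type d -perm -o+w -printf 'DIR  %m %p\n' >> "$log"
    find "$root" -type f -perm -o+w -printf 'FILE %m %p\n' >> "$log"
    wc -l < "$log" | tr -d ' '
}

# Reset a web root to the article's baseline: 755 on directories, 644 on
# regular files. Only world-writable entries are touched, so paths that are
# already correct (or deliberately stricter, such as 711) are left alone.
fix_perms() {
    root="$1"
    find "$root" -type d -perm -o+w -exec chmod 755 {} +
    find "$root" -type f -perm -o+w -exec chmod 644 {} +
}

# Create the quarantine directory that clamscan --move writes into:
# root-owned when run as root, mode 700 so nothing else on the host can
# read or execute what lands there. Returns the resulting mode.
prepare_quarantine() {
    q="$1"
    mkdir -p "$q"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$q"; fi
    chmod 700 "$q"
    stat -c %a "$q"
}

# Refresh signatures, then scan the given directories recursively, logging
# only infected files and moving them into the quarantine directory Q.
# clamscan exits 1 when something was found and 2 on error, so the status is
# captured rather than letting "set -e" abort before the quarantine is locked.
run_scan() {
    q="$1"; log="$2"; shift 2
    freshclam
    clamscan -r -i --quiet -l "$log" --move="$q" "$@" && rc=0 || rc=$?
    chmod 0 "$q"                                 # lock the quarantine, as in the article
    return "$rc"
}

# Usage, from a root shell after sourcing this file (hypothetical paths):
#   . ./harden.sh
#   audit_perms /home/example/public_html /root/wrongPERM.log
#   fix_perms   /home/example/public_html
#   prepare_quarantine /var/infected
#   run_scan /var/infected "/var/log/clamav/ClamScanReport$(date +%Y%m%d%H%M).log" /home /root /tmp
```

Run audit_perms first and read the report before calling fix_perms: a directory that a CMS legitimately needs writable by the web server should get group-write for the web server's group rather than world-write, and the audit output tells you which entries those are.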

