Server hacked and shut down by 1and1 but I'm not a Linux person. Help?


Gloveny

Guest
Hi all.

I have a virtual private server which has been used for malicious intent. It came about because I was running an old version of Plesk on it and it got hacked.

1and1 have shut it down and won't switch it back on unless I re-image the server.
I'll need to back everything up. I only have SSH access to the server. Once backed up I'll need to go through all the files and check for malware, find it and remove it. Then re-image the server and then reinstate all the domains, databases and files for each domain.

I am not able to do any of this. Is anyone here able and willing to help me?
I would need step by step instructions. I am not a Linux administrator. I'm a web developer so can understand a fair amount, but when I have to run commands and things I need very concise instructions.
e.g. type "COMMAND" into the SSH window command prompt....or run this from there.

Thanks
Graham
 


You're kind of put between a rock and a hard place here.

You can't back up your data unless the VPS is turned on, but 1 & 1 won't turn the VPS back on until you reimage the instance/VPS. The best thing you can do is ask 1 & 1 to provide you with a backup of the container and have them send it to you somehow (Dropbox, email, whatever they choose). If they don't do that then it's a tough call.

You might also want to look into a different VPS provider. If you like, PM me and I can point you to some affordable ones that I've dealt with.
 
Your post is not really clear. In one sentence you say the machine is shut down. Then in another you say you have SSH access to the server. Which one do you have?

A shutdown server is of no use, but one with SSH access could be of use so that you can get data off of it.
 
Here is their email they sent me....

Please inform us when your server administrator is ready to perform the necessary maintenance, as we will only unlock your virtual server when you are prepared to immediately boot your server into repair mode, back up all of your files via scp, scan your files for malware, and reimage the server.
If we simply unlock the server before you are prepared to perform this maintenance, any DOS attacks or other malicious scripts will immediately re-initiate which will result in automatic re-locking of the server.
 
I've got about 20 domains on the server. 6 have fully functional websites with emails, databases and settings plus of course lots of files and folders.
I used to use SFTP to get onto the server and back stuff up. Never had anything like this to do before.
 
Not really sure what they mean by "repair mode" since it's not a KVM, you don't have that type of access.

At any rate, what you should do is tar up the directories and files you need backed up, scp it to your local computer, then just reimage/reinstall the OS on the VPS.

However, since it sounds like you're using the VPS for a hosting service, most hosting control panels have a backup feature which will make it a lot easier for you.
 
I had Plesk which I guess could have done it but they have switched it off. Plesk (or the version of it) was the issue in the first place.
 
Did you purchase Plesk through 1&1 or install it yourself?
 
It came with the VPS. When you re-image the server using their own interface, it gives you options on this bit....you get a choice of version of Linux and version of control panel - I chose a version of Linux that had Plesk as its control panel.
If only I'd set Plesk to auto update I wouldn't be in this mess.
I don't know what version of Linux I'm on or even how to find out. Sad hey?
 
Chances are 1&1 uses SolusVM, but even if not you can just log in to the VPS control panel (where it lists all of your VPSes) and it'll tell you which distro of Linux you're using. From there you can typically run a backup and just ask them to email you the backup.
 
If they'll allow you to go in and clean things up, I'd suggest you install something like cxs or maldet and do some scans to see what you can find - otherwise you'll just back up the stuff and upload it right into the re-imaged server.

To back it up, rsync or scp all the home directories to your local PC, then do some database backups..

If you only have ssh access, you can back up all of your databases using this script:
http://www.linuxbrigade.com/back-up-all-of-your-mysql-databases-nightly/

That will create dumps of everything at once instead of doing it one at a time. Then just download the sql files and import them into the new server.

I'd really suggest you hire someone to do it for you however if you're not comfortable with Linux.

Rob
 
Hi Rob. Thanks for that.
What about all the domains, would copying all the folders and files to a backup copy the data and information for each domain?
What I'm saying is when I re-image the server will I have to create all the domains again or does copying using rsync preserve all that?

Should I copy from the root ? What do you mean by home directory?
Thanks for answering. I'd like to have a go myself as I have no money.

Cheers,
Graham
 
I abandoned Plesk a while ago and have been working with cPanel for the past 4-5 years, so my suggestion would be to recreate each one in a new cPanel VM.. I believe Plesk should have all of the domains in a MySQL database, though I'm not sure.

You could grab a list of the domains from the apache conf file though.. complete w/ IP addresses, etc..

/etc/httpd/conf/httpd.conf (centos)
/etc/apache2/apache2.conf (I believe.. for debian.. though it could also be using vhosts files for each domain).

The home directories are where the website files would be located normally.. so you'd want to grab (for plesk) everything under /home/sites/ .. and normally, it would be /home/username..
 
When you re-image your server you'll lose everything, that is why doing a backup is important here. You can either back up each domain and restore it once you reimage or use rsync if you have that feature available to you.

One thing to make note of regardless is that you were flagged for having a virus or otherwise malicious program on your server, so you need to keep a focus on finding that as well (Rob directed you to some helpful information on that).
 
Eric, yeah for sure. I've been wondering how. cxs or maldet are both server side tools I see. Is there something I can use on my PC this end which is a little more dumb-ass-friendly? If not I'll give those a crack.
I'd like to give this headache away to someone but I'm skint and I'm about to move to India of all places.
 
Most anti-virii programs will pick up on these things, I recommend ClamAV personally. If I remember correctly ClamAV will also scan archives so you don't have to extract the backups just to scan then repackage them.
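The backup-over-SSH steps Rob describes (tar/scp the home directories, dump every database at once) and the ClamAV archive scan above, put together as an added example script; this is not from the thread or from 1&1, and it assumes GNU coreutils on the server, mysqldump on the server and clamscan on your PC, with the paths being placeholders for your own layout:

```shell
#!/bin/sh
# Added example (not the poster's or 1&1's procedure). Assumes GNU tar/sha256sum,
# mysqldump on the server, clamscan on the receiving PC; paths are placeholders.

# 1. Archive one directory tree (e.g. /var/www/vhosts or /home/sites) into a
#    tarball and write a SHA-256 manifest next to it, so after scp you can prove
#    the copy on your PC is byte-identical to what left the server.
backup_dir() {
    src=$1 out=$2
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# 2. Verify a tarball against its manifest (run on the PC after the transfer).
#    Returns 0 when the checksum matches, non-zero if the file was corrupted.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# 3. List what is inside without extracting, so you can review the contents
#    (script files sitting in upload or image directories deserve a second look).
list_backup() {
    tar -tzf "$1"
}

# 4. Dump every MySQL database in one go, the "all at once" approach Rob mentions.
#    --single-transaction gives a consistent InnoDB snapshot; routines, events and
#    triggers are left out of a plain dump unless asked for explicitly.
dump_all_databases() {
    mysqldump --all-databases --single-transaction --routines --events --triggers \
        -u root -p > "$1"
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# 5. Scan a backup on the PC before restoring it; clamscan opens archives itself,
#    so the tarball does not need to be unpacked first. Only infected files are listed.
scan_backup() {
    clamscan --scan-archive=yes --infected "$1"
}

# Usage on the server: backup_dir /var/www/vhosts /root/vhosts.tgz
#                      dump_all_databases /root/all-databases.sql
# then scp both files plus their .sha256 manifests to your PC and run
# verify_backup, list_backup and scan_backup there before restoring anything.
```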
 