Server hacked and shut down by 1and1 but I'm not a Linux person. Help?

Discussion in 'Web Server' started by Gloveny, Oct 16, 2013.

  1. Gloveny

    Gloveny New Member

    Hi all.

    I have a virtual private server which has been used for malicious intent. It came about because I was running an old version of Plesk on it and it got hacked.


    1and1 have shut it down and won't switch it back on unless I re-image the server.
    I'll need to back everything up. I only have SSH access to the server. Once backed up I'll need to go through all the files and check for malware, find it and remove it. Then re-image the server and then reinstate all the domains, databases and files for each domain.

    I am not able to do any of this. Is anyone here able and willing to help me?
    I would need step by step instructions. I am not a Linux administrator. I'm a web developer so can understand a fair amount, but when I have to run commands and things I need very concise instructions.
    e.g. type "COMMAND" into the SSH window command prompt....or run this from there.

    Thanks
    Graham
  2. Eric Hansen

    Eric Hansen Moderator Staff Writer

    You're kind of put between a rock and a hard place here.

    You can't back up your data unless the VPS is turned on, but 1 & 1 won't turn the VPS back on until you reimage the instance/VPS. The best thing you can do is ask 1 & 1 to provide you with a backup of the container and have them send it to you somehow (Dropbox, email, whatever they choose). If they don't do that then it's a tough call.

    You might also want to look into a different VPS provider. If you like, PM me and I can point you to some affordable ones that I've dealt with.
  3. grim76

    grim76 Active Member Staff Writer

    Your post is not really clear. In one sentence you say the machine is shut down. Then in another you say you have SSH access to the server. Which one do you have?

    A shutdown server is of no use, but one with SSH access could be of use so that you can get data off of it.
  4. Gloveny

    Gloveny New Member

    Here is their email they sent me....

    Please inform us when your server administrator is ready to perform the necessary maintenance, as we will only unlock your virtual server when you are prepared to immediately boot your server into repair mode, back up all of your files via scp, scan your files for malware, and reimage the server.
    If we simply unlock the server before you are prepared to perform this maintenance, any DOS attacks or other malicious scripts will immediately re-initiate which will result in automatic re-locking of the server.
  6. Gloveny

    Gloveny New Member

    I've got about 20 domains on the server. 6 have fully functional websites with emails, databases and settings plus of course lots of files and folders.
    I used to use SFTP to get onto the server and back stuff up. Never had anything like this to do before.
  7. Eric Hansen

    Eric Hansen Moderator Staff Writer

    Not really sure what they mean by "repair mode" since it's not a KVM, you don't have that type of access.

    At any rate, what you should do is tar up the directories and files you need backed up, scp it to your local computer, then just reimage/reinstall the OS on the VPS.

    However, since it sounds like you're using the VPS for a hosting service, most hosting control panels have a backup feature which will make it a lot easier for you.
  8. Gloveny

    Gloveny New Member

    I had Plesk which I guess could have done it but they have switched it off. Plesk (or the version of it) was the issue in the first place.
  9. Eric Hansen

    Eric Hansen Moderator Staff Writer

    Did you purchase Plesk through 1&1 or install it yourself?
  10. Gloveny

    Gloveny New Member

    It came with the VPS. When you re-image the server using their own interface, it gives you options on this bit....you get a choice of version of Linux and version of control panel - I chose a version of Linux that had Plesk as its control panel.
    If only I had set Plesk to auto update I wouldn't be in this mess.
    I don't know what version of Linux I'm on or even how to find out. Sad hey?
  11. Eric Hansen

    Eric Hansen Moderator Staff Writer

    Chances are 1&1 uses SolusVM, but even if not you can just log in to the VPS control panel (where it lists all of your VPSes) and it'll tell you which distro of Linux you're using. From there you can typically run a backup and just ask them to email you the backup.
  12. Rob

    Rob Administrator Staff Member

    If they'll allow you to go in and clean things up, I'd suggest you install something like cxs or maldet and do some scans to see what you can find - otherwise you'll just back up the stuff and upload it right into the re-imaged server.

    To back it up, rsync or scp all the home directories to your local PC, then do some database backups..

    If you only have ssh access, you can back up all of your databases using this script:
    http://www.linuxbrigade.com/back-up-all-of-your-mysql-databases-nightly/

    That will create dumps of everything at once instead of doing it one at a time. Then just download the sql files and import them into the new server.

    I'd really suggest you hire someone to do it for you, however, if you're not comfortable with Linux.

    Rob
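A way to do the tar-and-scp backup Eric describes in post 7 together with the all-databases dump Rob links above, as an added example that is not from the thread or the linked script. It assumes Plesk-style web roots under /home/sites and /var/www (adjust to your layout) and MySQL credentials in ~/.my.cnf or MYSQL_PWD; everything lands in /root/backup-<date> for you to scp down, and because it is made on a compromised host the archive can carry the malware with it, which is why the scan before restoring matters.

```shell
#!/bin/sh
# Added example, not from the thread: stage web files and all MySQL databases
# in one directory on the locked VPS, ready to scp to your PC before re-imaging.
# Assumed web roots: /home/sites (Plesk style) and /var/www; MySQL credentials
# come from ~/.my.cnf or MYSQL_PWD so the password is not on the command line.
set -eu

# Pack one directory into a gzip tarball under $2 and print the archive path.
archive_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    name="$(basename "$src")"
    out="$dest/$name.tar.gz"
    # -C makes the stored paths relative, so the restore can unpack anywhere.
    tar -C "$(dirname "$src")" -czf "$out" "$name"
    echo "$out"
}

# Dump every database in one go (what the linked nightly script also does).
# Skips quietly when mysqldump is not installed, e.g. on a bare test box.
dump_all_databases() {
    dest="$1"
    mkdir -p "$dest"
    if ! command -v mysqldump >/dev/null 2>&1; then
        echo "mysqldump not found, skipping database dump" >&2
        return 0
    fi
    # No pipe here: with set -e a failing mysqldump aborts instead of
    # leaving a silently empty dump behind.
    mysqldump --all-databases --single-transaction --routines --events \
        > "$dest/all-databases.sql" && gzip -f "$dest/all-databases.sql"
    echo "$dest/all-databases.sql.gz"
}

# Checksums so you can prove the copies arrived intact after the transfer.
write_manifest() {
    dest="$1"
    (cd "$dest" && sha256sum ./*.gz > SHA256SUMS)
    echo "$dest/SHA256SUMS"
}

# On the server: sh backup.sh run
# On your PC:    scp -r root@YOUR_SERVER:/root/backup-$(date +%F) .
#                cd backup-* && sha256sum -c SHA256SUMS
if [ "${1:-}" = "run" ]; then
    dest="/root/backup-$(date +%F)"
    for d in /home/sites /var/www; do
        if [ -d "$d" ]; then archive_dir "$d" "$dest"; fi
    done
    dump_all_databases "$dest"
    write_manifest "$dest"
fi
```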
  13. Gloveny

    Gloveny New Member

    Hi Rob. Thanks for that.
    What about all the domains, would copying all the folders and files to a backup copy the data and information for each domain?
    What I'm saying is when I re-image the server will I have to create all the domains again or does copying using rsync preserve all that?

    Should I copy from the root? What do you mean by home directory?
    Thanks for answering. I'd like to have a go myself as I have no money.

    Cheers,
    Graham
  14. Rob

    Rob Administrator Staff Member

    I abandoned Plesk a while ago and have been working with cPanel for the past 4-5 years, so my suggestion would be to recreate each one in a new cPanel VM.. I believe Plesk should have all of the domains in a MySQL database, though I'm not sure.

    You could grab a list of the domains from the apache conf file though.. complete w/ IP addresses, etc..

    /etc/httpd/conf/httpd.conf (centos)
    /etc/apache2/apache2.conf (I believe.. for debian.. though it could also be using vhosts files for each domain).

    The home directories are where the website files would be located normally.. so you'd want to grab (for plesk) everything under /home/sites/ .. and normally, it would be /home/username..
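Pulling the domain list out of the Apache config, as an added example that is not from the thread: it walks the CentOS and Debian paths Rob names (plus the conf.d and sites-enabled include directories, which are my assumption) and prints every ServerName and ServerAlias once, so you have the list of domains to recreate after re-imaging.

```shell
#!/bin/sh
# Added example, not from the thread: collect every ServerName/ServerAlias in
# an Apache config tree so the domains can be recreated on the new image.
# Paths: the two files named in the thread plus the usual per-vhost include
# directories (the include directories are an assumption; adjust for Plesk).
set -eu

CENTOS_PATHS="/etc/httpd/conf/httpd.conf /etc/httpd/conf.d"
DEBIAN_PATHS="/etc/apache2/apache2.conf /etc/apache2/sites-enabled"

# Print whichever of the candidate config paths exist on this box.
existing_conf_paths() {
    for p in $CENTOS_PATHS $DEBIAN_PATHS; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# Print the unique hostnames from ServerName/ServerAlias directives in the
# files or directories given as arguments. Commented-out directives are
# skipped, trailing comments and :port suffixes are dropped, and a
# ServerAlias carrying several names yields one line per name.
list_vhost_domains() {
    for path in "$@"; do
        [ -e "$path" ] || continue
        find "$path" -type f -exec awk '
            tolower($1) ~ /^server(name|alias)$/ {
                for (i = 2; i <= NF; i++) {
                    if ($i ~ /^#/) break        # rest of line is a comment
                    sub(/:[0-9]+$/, "", $i)     # drop a :port suffix
                    print $i
                }
            }' {} +
    done | LC_ALL=C sort -u
}

# Number of distinct domains found: a quick sanity check against what
# Plesk used to list before it was switched off.
count_vhost_domains() {
    list_vhost_domains "$@" | wc -l | tr -d ' '
}

# Usage on the server:
#   list_vhost_domains $(existing_conf_paths) > /root/domains.txt
```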
  15. Eric Hansen

    Eric Hansen Moderator Staff Writer

    When you re-image your server you'll lose everything, that is why doing a backup is important here. You can either back up each domain and restore it once you reimage or use rsync if you have that feature available to you.

    One thing to make note of regardless is that you were flagged for having a virus or otherwise malicious program on your server, so you need to keep a focus on finding that as well (Rob directed you to some helpful information on that).
  16. Gloveny

    Gloveny New Member

    Eric, yeah for sure. I've been wondering how. cxs or maldet are both server side tools I see. Is there something I can use on my PC this end which is a little more dumb-ass-friendly? If not I'll give those a crack.
    I'd like to give this headache away to someone but I'm skint and I'm about to move to India of all places.
  17. Eric Hansen

    Eric Hansen Moderator Staff Writer

    Most anti-virus programs will pick up on these things, I recommend ClamAV personally. If I remember correctly ClamAV will also scan archives so you don't have to extract the backups just to scan then repackage them.
