Cleaning compromised servers


I work at a cloud infrastructure company with immediate level 3 phone and email support; we’ll even make Slack channels or whatever else. I know, it’s shocking such a thing exists!

This is one of the most common questions my colleagues get asked: how do I clean a compromised server? I’m tempted just to get them to refer to this cPanel article:

When a root account is compromised, users often ask how they can “clean” their server. To put it as succinctly as possible: without knowing every action that has ever taken place on a server, it is impossible to prove that the server is completely clean. While it is simple to show a compromised server, showing the opposite, for all intents and purposes, is not.

Even my honeypots get blown away and rebuilt rather than cleaned. Doubts about cleanliness aside, rebuilds are simply easier to do, especially if you use something like Ansible and keep proper backups.
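As an added example (not code from this post or from cPanel), here is a small POSIX shell integrity check that puts the quoted point into practice: a manifest recorded from a known-good build can prove that a file was modified, removed or added, but a clean run only proves that the listed files are unchanged, never that the host is clean. It assumes GNU coreutils (sha256sum, comm, mktemp); on FreeBSD you would swap in sha256 or shasum. The directory and manifest paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU coreutils.

# make_manifest DIR OUT: record the SHA-256 of every regular file under DIR.
# Take the manifest from a known-good image (for example right after an
# Ansible rebuild) and store it off-host, so that a root-level intruder
# cannot quietly rewrite it to match their changes.
make_manifest() {
  _dir=$1 _out=$2
  ( cd "$_dir" && find . -type f | LC_ALL=C sort | while IFS= read -r _f; do
      sha256sum "$_f"
    done ) > "$_out"
}

# verify_manifest DIR MANIFEST: report modified, missing and unexpected files.
# Returns 0 only when nothing differs. The printed lines are the evidence to
# keep; a silent run does NOT prove the host is clean, only that these files
# match what was recorded.
verify_manifest() {
  _dir=$1 _manifest=$2 _rc=0
  # Modified or missing files: sha256sum -c prints one "path: FAILED" line each.
  ( cd "$_dir" && sha256sum --quiet -c "$_manifest" ) 2>/dev/null || _rc=1
  # Unexpected files: anything present now that the manifest never recorded
  # (dropped scripts, extra cron entries, new binaries).
  _base=$(mktemp) _cur=$(mktemp)
  sed 's/^[0-9a-f]* [ *]//' "$_manifest" | LC_ALL=C sort > "$_base"
  ( cd "$_dir" && find . -type f | LC_ALL=C sort ) > "$_cur"
  _extra=$(comm -13 "$_base" "$_cur")
  if [ -n "$_extra" ]; then
    printf '%s\n' "$_extra" | sed 's/$/: UNEXPECTED/'
    _rc=1
  fi
  rm -f "$_base" "$_cur"
  return $_rc
}

# Usage (hypothetical paths):
#   make_manifest /srv/www /secure-store/www.sha256     # on the fresh build
#   verify_manifest /srv/www /secure-store/www.sha256   # when in doubt
```

The asymmetry is the whole point: any line the check prints is proof of tampering, while an empty report says nothing about kernel modules, credentials, or files outside the recorded tree. That is why the answer to "is it clean now?" is a fresh build from your configuration management, with only verified application data restored onto it.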

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.
