Cleaning compromised servers

Software

I work at a cloud infrastructure company with immediate level 3 phone and email support; we’ll even make Slack channels or whatever else. I know, it’s shocking such a thing exists!

This is one of the most common questions my colleagues get asked: how do I clean a compromised server? I’m tempted just to get them to refer to this cPanel article:

When a root account is compromised, users often ask how they can “clean” their server. To put it as succinctly as possible: without knowing every action that has ever taken place on a server, it is impossible to prove that the server is completely clean. While it is simple to show a compromised server, showing the opposite, for all intents and purposes, is not.

Even my honeypots get blown away and rebuilt rather than cleaned. Worries aside, rebuilds are just easier to do, especially if you use something like Ansible and have proper backups.
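As an added illustration of what "rebuild rather than clean" looks like in practice (this is not code from the original post, and the group names, package, paths, backup URL and checksum are placeholders, not real values), here is a minimal Ansible playbook. It provisions a brand-new host from a definition kept in version control and restores only data, from a checksummed backup, so nothing is copied across from the compromised machine:

```yaml
# Added example: rebuild a web host from scratch instead of cleaning it.
# Hostnames, group names, paths, package names, the backup URL and the
# checksum are assumptions for illustration, not values from the post.
- name: Rebuild web tier from a known-good definition
  hosts: web_rebuilt            # freshly provisioned hosts, never the old ones
  become: true
  vars:
    backup_archive: /srv/backups/site-data.tar.gz
    backup_sha256: "REPLACE_WITH_SHA256_RECORDED_WHEN_BACKUP_WAS_TAKEN"
    site_root: /var/www/site

  tasks:
    - name: Refuse to run against anything in the compromised inventory group
      ansible.builtin.assert:
        that: "'compromised' not in group_names"
        fail_msg: "Do not reprovision in place; build a new host and retire the old one."

    - name: Install only the packages the role needs
      ansible.builtin.package:
        name:
          - nginx
        state: present

    - name: Deploy nginx config from version control, not from the old host
      ansible.builtin.template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: "0644"
      notify: Reload nginx

    - name: Fetch the data backup and verify its checksum before trusting it
      ansible.builtin.get_url:
        url: "https://backups.example.internal/site-data.tar.gz"   # assumed URL
        dest: "{{ backup_archive }}"
        checksum: "sha256:{{ backup_sha256 }}"

    - name: Restore site data from the verified archive
      ansible.builtin.unarchive:
        src: "{{ backup_archive }}"
        dest: "{{ site_root }}"
        remote_src: true
        owner: www-data
        group: www-data

    - name: Ensure nginx is enabled and running
      ansible.builtin.service:
        name: nginx
        state: started
        enabled: true

  handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Two points worth noting. The checksum is recorded at backup time and checked at restore time, so a backup store that was itself tampered with after the fact fails the `get_url` step rather than silently landing on the new host. And only data is restored; binaries and configuration come from packages and version control, which is what makes the rebuild cheaper than an audit. The restored archive should also predate the compromise, since user-uploaded content taken afterwards can carry the attacker's files back onto the fresh machine.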

Author bio and support

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or buy some silly merch. Thanks!