My enterprise recently suffered a server breach and we're now trying to clean up. I've noticed more traffic than...
usual coming from the server and have heard about hackers leaving behind tools called "booter shells" after attacks to be used for future DDoS attacks. How can I tell if booter shells are infecting this server? How can I clean them off if they're on the server?
Ask the expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Depending on the details of a breach, the risk involved with trying to clean-up a compromised server is very high as remnants from the breach can still remain, including the aforementioned booter shells, rootkits, malicious cron jobs, start-up scripts, compromised files, etc. Often, desktop systems are cleaned rather than rebuilt due to a fear of overwhelming desktop support with the task of rebuilding workstations. Server administrators share the same concerns. They might try to clean all traces of an attack from a server, but the consequences of not cleaning a server fully might be more significant than not cleaning a desktop.
If a file integrity monitor like Tripwire or OSSEC was being used prior to an incident, a system admin can discern which files were modified during the incident. This could allow the admin to be able to effectively clean a server using the data from the file integrity monitor. Booter shells can also be detected by monitoring network traffic for a high volume of traffic to a specific site. If booter shells and other remnants of an attack aren't fully cleaned from a server, it could still be used to attack other systems on the local network or Internet. Fully cleaning and securing a compromised server is vital to an organization's future security.
Dig Deeper on Denial of Service (DoS) Attack Prevention-Detection and Analysis
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.