My enterprise recently suffered a server breach and we're now trying to clean up. I've noticed more traffic than usual coming from the server and have heard about hackers leaving behind tools called "booter shells" after attacks to be used for future DDoS attacks. How can I tell if booter shells are infecting this server? How can I clean them off if they're on the server?
Ask the expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Depending on the details of a breach, the risk involved with trying to clean-up a compromised server is very high as remnants from the breach can still remain, including the aforementioned booter shells, rootkits, malicious cron jobs, start-up scripts, compromised files, etc. Often, desktop systems are cleaned rather than rebuilt due to a fear of overwhelming desktop support with the task of rebuilding workstations. Server administrators share the same concerns. They might try to clean all traces of an attack from a server, but the consequences of not cleaning a server fully might be more significant than not cleaning a desktop.
If a file integrity monitor like Tripwire or OSSEC was being used prior to an incident, a system admin can discern which files were modified during the incident. This could allow the admin to be able to effectively clean a server using the data from the file integrity monitor. Booter shells can also be detected by monitoring network traffic for a high volume of traffic to a specific site. If booter shells and other remnants of an attack aren't fully cleaned from a server, it could still be used to attack other systems on the local network or Internet. Fully cleaning and securing a compromised server is vital to an organization's future security.
Dig deeper on Denial of Service (DoS) Attack Prevention-Detection and Analysis
Related Q&A from Nick Lewis, Enterprise Threats
A new variant of Java-based malware can execute regardless of the operating system used. Nick Lewis explains how to limit the threat.continue reading
A variant of malware on Android devices removes and reinstalls itself when a device powers on or off. Learn how to completely eradicate the threat.continue reading
Expert Nick Lewis explains how to avoid a detrimental VPN bypass flaw that allows malicious apps to infiltrate Android devices.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.