My enterprise recently suffered a server breach and we're now trying to clean up. I've noticed more traffic than...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
usual coming from the server and have heard about hackers leaving behind tools called "booter shells" after attacks to be used for future DDoS attacks. How can I tell if booter shells are infecting this server? How can I clean them off if they're on the server?
Ask the expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Depending on the details of a breach, the risk involved with trying to clean-up a compromised server is very high as remnants from the breach can still remain, including the aforementioned booter shells, rootkits, malicious cron jobs, start-up scripts, compromised files, etc. Often, desktop systems are cleaned rather than rebuilt due to a fear of overwhelming desktop support with the task of rebuilding workstations. Server administrators share the same concerns. They might try to clean all traces of an attack from a server, but the consequences of not cleaning a server fully might be more significant than not cleaning a desktop.
If a file integrity monitor like Tripwire or OSSEC was being used prior to an incident, a system admin can discern which files were modified during the incident. This could allow the admin to be able to effectively clean a server using the data from the file integrity monitor. Booter shells can also be detected by monitoring network traffic for a high volume of traffic to a specific site. If booter shells and other remnants of an attack aren't fully cleaned from a server, it could still be used to attack other systems on the local network or Internet. Fully cleaning and securing a compromised server is vital to an organization's future security.
Dig Deeper on DDoS attack detection and prevention
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.