My enterprise recently suffered a server breach and we're now trying to clean up. I've noticed more traffic than...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
usual coming from the server and have heard about hackers leaving behind tools called "booter shells" after attacks to be used for future DDoS attacks. How can I tell if booter shells are infecting this server? How can I clean them off if they're on the server?
Ask the expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Depending on the details of a breach, the risk involved with trying to clean-up a compromised server is very high as remnants from the breach can still remain, including the aforementioned booter shells, rootkits, malicious cron jobs, start-up scripts, compromised files, etc. Often, desktop systems are cleaned rather than rebuilt due to a fear of overwhelming desktop support with the task of rebuilding workstations. Server administrators share the same concerns. They might try to clean all traces of an attack from a server, but the consequences of not cleaning a server fully might be more significant than not cleaning a desktop.
If a file integrity monitor like Tripwire or OSSEC was being used prior to an incident, a system admin can discern which files were modified during the incident. This could allow the admin to be able to effectively clean a server using the data from the file integrity monitor. Booter shells can also be detected by monitoring network traffic for a high volume of traffic to a specific site. If booter shells and other remnants of an attack aren't fully cleaned from a server, it could still be used to attack other systems on the local network or Internet. Fully cleaning and securing a compromised server is vital to an organization's future security.
Dig Deeper on Denial of Service (DoS) Attack Prevention-Detection and Analysis
Related Q&A from Nick Lewis
The BENIGNCERTAIN exploit affects certain versions of Cisco systems using the IKEv1 protocol. Expert Nick Lewis explains what the protocol does and ...continue reading
Enterprises with open FTP servers are being targeted by Miner-C malware for crypto coin mining activities. Expert Nick Lewis explains how enterprises...continue reading
MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.