If you ever become a victim of these hackers, take note of this posting.
DO NOT PANIC
Here is some advice from my own experience.
1. NEVER restart the server until you have completely backed up all available data on the server. Back up your data to an off-site computer. Restarting your server could activate a cron job which could completely wipe all the data.
2. The hacker probably does not have your root password, so they do not know what is in your files or how the directories are structured on the server. They can only compromise the base system you have, or whatever is publicly known about it: for example, if you use cPanel, DirectAdmin, a particular OS, etc., all of that information is public, so they can insert code into your system and destroy data in the parts of the structure that belong to that software. Anti-virus scans do not detect code injections, and there may be a time delay between the code injection and its activation -- in my case probably the 1st of July.
3. Change all your passwords.
4. Contact your service provider and notify them of the problem, or, if you are competent to do so, check your crontab entries in /etc/cron.d and remove whatever you find in there. Run the chkrootkit command to find out whether any rootkits are embedded somewhere.
5. Completely rebuild the OS on the server to the latest version (done by the service provider).
6. Restore your website from a previous off-site backup. (Now is a good time to make an off-site backup!!)
7. I think I'm okay -- but there may still be some undetected code lurking around.
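Steps 1 and 4 above come down to one question: what would a reboot actually trigger? The following is an added example (not part of the original post) that inventories the cron drop-in files in a directory, lists every `@reboot` job (the entries that run when the server comes back up) and every file changed in the last N days, so they can be reviewed and backed up before anything is restarted. The directory is a parameter so it can be pointed at /etc/cron.d on the host or at a copied tree offline; the demo data at the bottom is constructed.

```sh
#!/bin/sh
# Pre-reboot cron audit: review what a restart would run before restarting.
# Added example; assumes only POSIX sh, grep, sed, find and wc.

# list_reboot_jobs DIR : print "file: line" for each @reboot entry (comments skipped)
list_reboot_jobs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -E '^[[:space:]]*@reboot' | sed "s|^|$f: |"
    done
}

# list_recent_cron_files DIR DAYS : files directly under DIR modified in the last DAYS days
list_recent_cron_files() {
    find "$1" -maxdepth 1 -type f -mtime "-$2" 2>/dev/null | sort
}

# count_reboot_jobs DIR : number of live @reboot entries, for a quick pre-reboot check
count_reboot_jobs() {
    list_reboot_jobs "$1" | wc -l | tr -d ' '
}

# Demo on a constructed cron.d tree (sample files, not taken from a real system)
demo_dir=$(mktemp -d)
printf '# nightly log rotation\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$demo_dir/logrotate"
printf '@reboot root /var/tmp/.cache/update.sh\n' > "$demo_dir/zz-update"   # constructed suspicious entry
printf '#@reboot root echo commented-out\n' > "$demo_dir/notes"              # commented out, must be skipped

echo "== @reboot jobs in $demo_dir =="
list_reboot_jobs "$demo_dir"
echo "== cron files changed in the last 7 days =="
list_recent_cron_files "$demo_dir" 7
echo "== live @reboot entries: $(count_reboot_jobs "$demo_dir") =="
rm -rf "$demo_dir"
```

Run it against /etc/cron.d (as root) and keep the output with the off-site backup; an unfamiliar `@reboot` entry or a recently changed file is exactly what the post warns a restart could fire.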