Have you ever been in a bind where your server was hacked andd you didnt realize it till a couple days later. When you tried to get the older backups, you just got a backup of a hacked copy?

Well, what do you do in these types of situations?

If you don't have a backup then you just piece it together as best you can. Not much you can do.

It's a good idea to use some kind of program to track your sites to make sure they're not changed. I use Servers Alive to monitor all my sites uptime, but it will also do checks against strings of text on a web page. It could be used to check to see if the site had been changed.

I get emails and SMS messages to my cell phone, but it has a ton of other features too. Check it out http://www.woodstone.nu/salive/

First, I would re-evaluate my back up procedures.

Second, I would re-evaluate my server hardening.

I've had some script kiddies use holes in programs like PHPNuke and phpBB2 to get a shell script on my server. From there they started putting stuff in places to get back in should I find it. I was worried at first, but turns out my provider had taken some pretty amazing steps to protect my server.

One was to jail my /tmp directory and move it outside the primary server. I'm on a VPS, so this is possible. Guess what, they had scripts set to run DoS attacks on other sites, but they didn't work. :-)

Quote:

Originally Posted by beley

If you don't have a backup then you just piece it together as best you can. Not much you can do.

It's a good idea to use some kind of program to track your sites to make sure they're not changed. I use Servers Alive to monitor all my sites uptime, but it will also do checks against strings of text on a web page. It could be used to check to see if the site had been changed.

I get emails and SMS messages to my cell phone, but it has a ton of other features too. Check it out http://www.woodstone.nu/salive/

Nice info! Thanks for the link. I've been looking for something like this... :thumbup:

i've had this happen, once at a company i worked for and once on my own site. Luckily, on my own site, I had just started doing hourly archived backups the night before. It would've been 2 years of user generated content down the tubes, although my isp probably could've done a recover as well, but I don't like relying on 3rd party for backups.

In the company's case, we actually rebuilt the pages from google cache and webarchive.org...it wasn't perfect, but it got us some of our content back.

I run a script hourly which compares a known hash against each critical files' new hash.

If any of the hashes do not match I get an text message on my cell. I can respond to recover which over-writes the non-matching file with a known safe copy, update which updates the hash db with the new db, and of course ignore which does nothing for an hour.

I once had a hacker exploit a script on my site, upload a web-based ftp manager, and change all the ads to his own.

Quote:

Originally Posted by Libertate

I run a script hourly which compares a known hash against each critical files' new hash.

If any of the hashes do not match I get an text message on my cell. I can respond to recover which over-writes the non-matching file with a known safe copy, update which updates the hash db with the new db, and of course ignore which does nothing for an hour.

That is a great idea.