
VPS Recovery: Data After a Brutal Attack

TL;DR

Your VPS was attacked and recovered or backup data is now available for restoration. This guide helps you restore it safely, check it for signs of compromise, and harden the rebuilt system to prevent future attacks.

1. Initial Assessment & Data Integrity

  1. Verify Data Source: Confirm that the source providing the data is legitimate (your backup provider or a trusted recovery service). Do not trust data from unknown sources.
  2. Checksum Verification: If the backups came with checksums (such as MD5 or SHA256), verify them *before* restoring anything, and compare the result against the value the provider published. This confirms the data hasn’t been tampered with during transfer.
    md5sum your_backup_file.tar.gz
  3. Quarantine: Before connecting restored data to any network, isolate it on a separate, clean system or virtual machine. This prevents any malware contained in the data from spreading.

2. Restore the Data

  1. Choose a Clean Environment: Use a fresh VPS instance (or rebuild your existing one) to restore the data. Avoid restoring directly onto the compromised system if possible.
  2. Restore Process: Follow your backup provider’s instructions for restoration. Common methods include:
    • Tarballs: Extract the archive.
      tar -xzf your_backup_file.tar.gz
    • Database Dumps: Import the database dump using the appropriate tool (e.g., mysql command-line client).
      mysql -u your_user -p your_database < your_backup_file.sql
    • Snapshots: Restore from a snapshot if available.
  3. Verify Restoration: After restoration, confirm essential files and databases are present and accessible. Test basic functionality (e.g., website loading, database connections).

3. Security Scan & Compromise Detection

  1. Malware Scan: Run a thorough malware scan of the restored data using a scanner such as ClamAV, from the clean environment rather than the compromised host.
    clamscan -r /var/www
  2. Rootkit Check: Use rkhunter to detect potential rootkits.
    rkhunter --checkall
  3. Log Analysis: Examine system logs (/var/log/auth.log, /var/log/syslog, application logs) for suspicious activity around the time of the attack.
    • Look for failed login attempts, unusual processes, and unexpected file modifications.
  4. Process Monitoring: Check running processes for anything unfamiliar or consuming excessive resources using top or htop.
  5. File Integrity Monitoring (FIM): If you had FIM enabled before the attack, review its logs to identify changed files. Tools like AIDE can help.
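As an added illustration of the log analysis step (this is example code written for this guide, not a tool from the original post), the script below parses a small, constructed auth.log excerpt, counts failed SSH logins per source address, flags addresses that exceed a threshold, and flags any accepted login from an address that had earlier failures. The threshold of 5 and the sample lines are assumptions; point the parser at your own /var/log/auth.log to run it on real data.

```python
import json
import re
from collections import Counter

# Constructed sample auth.log excerpt (documentation-range IPs, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 vps sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 vps sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:08 vps sshd[2207]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar  3 02:14:10 vps sshd[2209]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 02:14:12 vps sshd[2211]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Mar  3 07:30:12 vps sshd[3310]: Accepted publickey for deploy from 198.51.100.7 port 40120 ssh2
Mar  3 09:02:44 vps sshd[3412]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
"""

# OpenSSH failure line: "Failed password for [invalid user] <user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# OpenSSH success line: "Accepted <method> for <user> from <ip> port <n> ssh2"
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze_auth_log(text, threshold=5):
    """Return per-IP failure counts, brute-force candidates and suspicious accepted logins."""
    failures = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # Record how many failures this IP had *before* the successful login.
            accepted.append({"method": method, "user": user, "ip": ip,
                             "prior_failures": failures[ip]})
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    # A success preceded by failures from the same IP, or a password login as root,
    # is the pattern to review first after an incident.
    suspicious = [a for a in accepted
                  if a["prior_failures"] > 0 or (a["method"] == "password" and a["user"] == "root")]
    return {"failures": dict(failures), "brute_force": brute_force, "suspicious_logins": suspicious}


if __name__ == "__main__":
    print(json.dumps(analyze_auth_log(SAMPLE_AUTH_LOG), indent=2))
```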

4. Password Reset & Key Rotation

  1. All Passwords and Credentials: Change *all* passwords and credentials associated with the VPS:
    • Root password
    • User accounts
    • Database credentials
    • SSH keys (revoke old keys and generate new ones)
  2. API Keys: Revoke and regenerate any API keys used by the VPS.

5. System Hardening

  1. Update Software: Apply all available security updates to your operating system and installed software.
    apt update && apt upgrade -y
  2. Firewall Configuration: Ensure a firewall (like UFW or iptables) is enabled and configured to allow only necessary traffic.
  3. SSH Hardening:
    • Disable password authentication for SSH.
    • Change the default SSH port.
    • Use key-based authentication.
    • Limit SSH access to specific IP addresses if possible.
  4. Two-Factor Authentication (2FA): Implement 2FA for all accounts where available, especially root and administrative accounts.
  5. Regular Backups: Automate regular backups of your data and store them securely offsite.

6. Ongoing Monitoring

Implement ongoing cyber security monitoring to detect future attacks early. Consider using intrusion detection systems (IDS) or log management services.
