This has been covered elsewhere (like on serverfault: http://serverfault.com/a/107346/2557 ). But it comes down to:

- Take existing server down immediately. I’m assuming it is not on an isolated network — so this should really be a priority.
- Prep a new patched server (with a smaller attack surface and updated security credentials).
- Postmortem the old box on an isolated network. Try to understand how the attacker got in. If necessary, get security professionals involved.
Do you have a way to reply to the person? I don’t see any harm in thanking them and asking for more details. But in the meantime I’d have to assume everything is compromised: save a copy or an image of the server for analysis, but take it offline and build a new one. Rotate all passwords and credentials. Assuming you’re not doing something strange with SSH, they probably got legitimate
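Both replies say to preserve the old box before rebuilding (image it, then postmortem it on an isolated network). As an added example that is not from either reply, here is a POSIX shell routine that images a device or file with dd, records SHA-256 hashes of source and image so the copy can be shown to be faithful later, and re-verifies an image against that record. Function names, the `.sha256` sidecar file and the paths are assumptions.

```shell
#!/bin/sh
# Added example: evidence preservation before the compromised host is rebuilt.
# Assumes the source is attached read-only (write blocker or ro mount) and the
# image is written to separate media.

# hash_of FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum on BSD/macOS)
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# image_device SRC DEST: raw-copy SRC to DEST, record both hashes in DEST.sha256,
# return 0 only when the image hashes identically to the source.
# Plain dd is used here; for a failing disk, ddrescue is the better acquisition tool.
image_device() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=1048576 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST: recompute DEST's hash and compare with the recorded value,
# so a later analyst can confirm the image has not changed since acquisition.
verify_image() {
    dest="$1"
    recorded=$(awk -v f="$dest" '$2 == f { print $1 }' "$dest.sha256")
    [ -n "$recorded" ] && [ "$(hash_of "$dest")" = "$recorded" ]
}
```

Run `image_device /dev/sdX /mnt/evidence/sdX.dd` from a live medium, then keep the `.sha256` sidecar with the image; `verify_image` fails if the image is altered afterwards.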