In today’s complex web security environment, identifying a hack attempt is probably the biggest challenge one faces, as attackers adopt intricate masking and trail-cleaning techniques. Every day at ResellerClub, our support team comes across seemingly innocuous issues that appear fixable with minor tweaks or suggestions but are actually traces of an attempted hack. We take security very seriously, and our staff are regularly trained to stay abreast of developments that help them identify suspicious incidents and keep our resellers secure online. Here is one instance where our Support Executive Ashly Mathew helped a reseller identify a hack attempt and plug the vulnerability on his Dedicated Server.
Our Support Executive:
Ashly Mathew has been with ResellerClub since early this year. She is part of the Hosting Product Support team and has prior expertise in this domain. In her relatively short time with ResellerClub she has proved very good at absorbing the scope of issues and tackling them efficiently.
Our reseller, Anand, witnessed abnormally high levels of packet loss leading to network outages on his Dedicated Server.
Suspecting a hack, Ashly traced the cause to a suspicious SSH process that had opened a TCP connection to an external IP. However, dropping the connections to the server only led to new SSH processes being created.
Ashly first checked all the SSH processes, and the server seemed to be working fine: the performance logs showed no unnatural CPU or network spikes, yet episodes of high packet loss kept appearing erratically.
On further investigation, Ashly located suspicious processes running under the name of SSH which had established a TCP connection with an external IP address, and these were causing the network outages. It was fortunate that the server was not yet being used for a live application and held no sensitive data that these processes could have exposed.
When Ashly killed the suspicious processes she had identified, new ones kept being created, which led her to locate infected files that had been planted to maintain this backdoor. This was clearly a case of a root-level compromise.
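As an added example (not part of the original post or of ResellerClub's own tooling), here is the kind of check that turns the hunt described above into something repeatable: parse the output of `ss -tnp`, cross-reference each established connection with the owning process's executable path and parent PID as read from /proc, and flag anything calling itself sshd that runs from an unexpected or deleted binary or that initiates an outbound connection to an external address from an ephemeral port. The `ss` capture, the /proc metadata and the addresses (RFC 5737 documentation ranges) are all constructed, and the expected daemon path of /usr/sbin/sshd is an assumption for a typical Linux distribution.

```python
"""Hunt for processes posing as sshd that hold unexpected TCP connections.

Added example: works from captured `ss -tnp` text and per-process metadata,
so it runs offline. The samples below are constructed, not from a real host.
"""
import ipaddress
import re

# Constructed `ss -tnp` capture. Addresses are RFC 5737 documentation ranges.
SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port    Peer Address:Port     Process
ESTAB 0      0      203.0.113.10:22       198.51.100.7:51234    users:(("sshd",pid=1832,fd=4))
ESTAB 0      0      203.0.113.10:41556    192.0.2.45:6667       users:(("sshd",pid=2901,fd=3))
ESTAB 0      0      127.0.0.1:3306        127.0.0.1:52010       users:(("mysqld",pid=1107,fd=22))
"""

# Constructed metadata as read from `readlink /proc/<pid>/exe` and the
# PPid line of /proc/<pid>/status.
PROC_INFO = {
    1832: {"exe": "/usr/sbin/sshd", "ppid": 1101},
    2901: {"exe": "/tmp/.x/sshd (deleted)", "ppid": 2899},
    1107: {"exe": "/usr/sbin/mysqld", "ppid": 1},
}

# Assumption: where the real daemon lives and which local port it serves on.
EXPECTED_EXE = {"sshd": "/usr/sbin/sshd"}
SERVICE_PORTS = {"sshd": {22}}

PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Matches one ESTAB line; the users:(...) field names the owning process.
SS_LINE = re.compile(
    r"^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def split_addr(addr):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port)."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Return one dict per established connection in `ss -tnp` output."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or a non-ESTAB state
        lhost, lport = split_addr(m["local"])
        phost, pport = split_addr(m["peer"])
        conns.append({"name": m["name"], "pid": int(m["pid"]),
                      "local": lhost, "lport": lport,
                      "peer": phost, "pport": pport})
    return conns


def is_external(host):
    """True if the address is outside loopback and RFC 1918 space."""
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in PRIVATE_NETS)


def find_suspicious(conns, proc_info):
    """Flag connections whose owner looks like an impostor daemon.

    A process named like a known service is suspicious if its binary is not
    the expected one, if the binary was unlinked while running (a common
    cleanup trick), or if it opened an outbound connection to an external
    host from an ephemeral port instead of serving on its listening port.
    """
    findings = []
    for c in conns:
        info = proc_info.get(c["pid"], {})
        exe = info.get("exe", "")
        reasons = []
        expected = EXPECTED_EXE.get(c["name"])
        if expected and exe != expected:
            reasons.append(f"exe is {exe!r}, expected {expected!r}")
        if exe.endswith("(deleted)"):
            reasons.append("binary was deleted from disk while still running")
        ports = SERVICE_PORTS.get(c["name"])
        if ports and c["lport"] not in ports and is_external(c["peer"]):
            reasons.append(
                f"outbound connection to external {c['peer']}:{c['pport']} "
                f"from local port {c['lport']}")
        if reasons:
            findings.append({"pid": c["pid"], "name": c["name"],
                             "ppid": info.get("ppid"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_ss(SS_OUTPUT), PROC_INFO):
        print(f"pid {f['pid']} ({f['name']}), parent pid {f['ppid']}:")
        for r in f["reasons"]:
            print("  -", r)
```

On a live host the same parse would run over `ss -tnp` captured as root, with the exe path taken from `readlink /proc/<pid>/exe`. The parent PID in each finding is what to inspect next: killing only the child produces a fresh one, exactly as happened in the case above, so the respawning parent and whatever starts it (a cron entry, an init script, a planted binary) are the things to remove.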
Ashly immediately ran a system-wide malware, spyware and virus scan, and also activated CSF (ConfigServer Security & Firewall) with LFD (Login Failure Daemon) to guard against brute-force attacks on SSH. The antivirus scan detected the infected files, and once they were removed the server and network performance were stable again. The attacker had covered his tracks well, though, and the exact source of the infection could not be traced. One caveat worth stating: when an attacker has had root and the entry point remains unknown, a clean scan is not proof of a clean host, and rebuilding the server from a known-good image and rotating its credentials is the safer course. This incident highlighted the importance of being alert, and Ashly certainly displayed this trait as we helped Anand locate and plug this security issue.
Delighted and relieved at having overcome a potentially major issue without much impact, Mr. Anand had this to say in appreciation of Ashly’s assistance: “I see that most of the issues have now been cleared 🙂 … Thank you for the same!”