Full Version: Server hacked, 100 domains - best way to restore?
JohnF
Hi there. Got server hacked. I had a server management company doing security stuff, but they still got in by using the /tmp directory. This was the one place we hadn't locked right down because I thought that there would be issues with the way cPanel uses /tmp. Anyway, it's happened and I need to deal with it. Couple of questions for those in the know...

1. With 100 sites (and a second HD for the backups BTW), what is the best way to do an OS reinstall and put back all the sites? I'm wanting to know about /home, DNS, any WHM settings, users, etc.

2. Not everyone has an off-site backup of the data so we can't do a 100% clean install and will have to restore some of the files that are on the machine now within /home. This obviously means that within the /home directory there *could* be some files that shouldn't be there. Is there any way to find them?

Thanks in advance

John
eth00
This is a pretty good guide
http://forums.ev1servers.net/showthread.ph...&threadid=38797

Make sure to run chkrootkit as soon as it's started and to remove any possible things. Since you're only moving the home directory and clients do not have shell access (right??), even if there is a bad file it's not horrible because they could always upload it again.

I am sure you have seen some of the how-tos on securing the /tmp partition. It's a very good idea to do this and will help prevent further break-ins.

Now if only ev1 could set up the default image with a separate tmp partition...
JohnF
Thanks for this. However, wouldn't this potentially pull any potentially compromised files over, and also, if they had hacked the server, wouldn't they also have the passwords etc. to access the sites via FTP, which will need to be changed?