21

This is not really a question but more of a request.

I've noticed a few questions about compromised servers running malware (usually cryptocurrency miners) but also other things.

When answering questions like this, I personally believe that it is our responsibility to point the user to the answers to the "How do I deal with a compromised server?" question over at ServerFault.

It may be interesting to figure out what the malware is, or what commands a hacker typed in, or any number of similar interesting things, but at the same time, we are dealing with a victim of an ongoing crime, and they should get the best possible help from us that we can give. That help should at least include linking to the ServerFault question that I linked to above (unless you're a security expert that can write a better answer than Rob Moir's top answer).

We can not assume that the person asking is a hobbyist who just happens to run Linux on his home computer and that the potential fallout is negligible. It may be that they are at a company whose servers just got hacked, or that their home-office machine is being used as a jump host to access others.

I tried to answer "How can I kill minerd malware on an AWS EC2 instance? (compromised server)" to the best of my ability a little while back (and "Need help understanding suspicious SSH commands" today), while also noting that as an admin or user of a compromised server, one may be legally obliged to report incidents within a certain time-frame (depending on where in the world one operates). This is, I believe, not covered by the ServerFault answers.

I'm not a security expert, and odds are that you aren't one either. Read the ServerFault question and the top answers and help users who find themselves with these kinds of security issues by alerting them to the potential severity and to the advice in the answers (by linking to the question ideally, not by retelling).

I know that I can't tell people how to answer questions here, but I just thought I'd mention this anyway.

5
  • 7
    SuperUser has a stock Q&A for Windows at superuser.com/questions/100360 . Perhaps Unix and Linux should have a similar one for Unix and Linux. Perhaps they should cross-reference one another.
    – JdeBP
    Commented Feb 20, 2018 at 20:04
  • 2
    Hello from Server Fault. We have this stock Q&A and close many questions as a duplicate of it, precisely because there are so many questions the community got tired of answering them the same way over and over. Commented Mar 3, 2018 at 2:03
  • 1
    Too bad SE doesn't support cross-site duplicates...
    – user000001
    Commented Mar 3, 2018 at 17:50
  • 1
    Ah, now I know why my serverfault answer is suddenly getting attention again. FWIW I think it's interesting that we've really not moved on from "nuke it and start again", but if anything the threats have become worse. Is it worth creating a new, more *nix-focused canonical question and answers (if you do such things) for U&L?
    – Rob Moir
    Commented Mar 8, 2018 at 21:29
  • @RobMoir I think one would be welcome here.
    – derobert
    Commented Mar 8, 2018 at 22:40

1 Answer

2

As some have pointed out in comments, it may be a good idea to write a canonical Q/A on the topic of "I have been hacked, what do I do?" (or similar) that is specific to U&L (in the same manner as e.g. Gilles' Kali Linux Q/A or any of Stéphane's many questions). To be honest I didn't actually think about this as I thought that the ServerFault Q/A seemed to cover the topic nicely, but I do think it would have some merits:

  • We could close questions as duplicates of this new Q/A. Not that we get many of these types of questions, but we've had a handful over the last six months, as far as I have seen.
  • It could be specific to the most commonly used Unix variants, and/or to common situations (e.g. a cloud-hosted VM).
  • It would be easier for us to keep it up to date.

The problem is that I'm unqualified to write such an answer (I could probably write the question though).

I wonder if we have anyone here who feels up to the task of writing an answer (possibly as a community wiki answer) that would cover most of the aspects of responding to a user who has had a machine compromised, or who has noticed that a machine they are using is doing highly unusual things, taking into account that we most likely have Unix users of quite varied types (ranging from hobbyists and students to professionals and professional system administrators)?

Rob Moir (who wrote the most upvoted answer at ServerFault) seems at least somewhat interested, and I would welcome input from him and anybody else who thinks this may be a good idea (or not a good idea, as the case may be).

1
  • I’m happy to contribute but I’m not a regular here, so I don’t feel it’s my place to vote on whether or not to do it.
    – Rob Moir
    Commented Mar 10, 2018 at 8:28
