Hi there, I was hoping someone could help guide me through restoring my web server on a new instance. Essentially one of the sites hosted on the host was compromised. The site was using Laravel running PHP 7.3. Our host initially sent notifications about a phishing site last Friday but they were missed. One of the questions I had was whether the attacker possibly exfiltrated any data. I figured the way ISPConfig deploys things by default probably has some safeguards. I've checked the backups of all other sites hosted on the same machine and found no evidence of those sites being compromised. All that being said, how should I go about redeploying the sites on a new host from backup? EDIT: Also, if I could get everyone's opinion, do you think it is even necessary to redeploy to a new host? I've found no proof of compromise on the other sites so I figured the attacker probably did not move laterally. Thank you, I appreciate all the help!
There is no need to redeploy to a new host if a site was compromised. Each site runs under its own Linux user in ISPConfig, so they are separated on the user level, and an attacker cannot alter files of another website. Just shut down that one site temporarily, clean the files, or restore a clean backup and start it again.
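A quick way to verify the per-user isolation described above on your own host, as an added example that is not part of this thread: it flags files inside one site's directory that are owned by a different site user, and files that are world-writable. It assumes the ISPConfig layout /var/www/clients/clientN/webN with site user webN, and the sample listing is constructed.

```sh
#!/bin/sh
# Reads lines of "path owner mode", as produced on a live host by:
#   find /var/www/clients -printf '%p %u %m\n' | check_isolation
# Layout /var/www/clients/clientN/webN with owner webN is assumed (ISPConfig
# default; adjust the regex if your install differs). Files owned by root are
# skipped because ISPConfig creates some directories as root.
check_isolation() {
  awk '
    {
      path = $1; owner = $2; mode = $3
      if (match(path, /\/var\/www\/clients\/client[0-9]+\/web[0-9]+/)) {
        site = substr(path, RSTART, RLENGTH)
        n = split(site, parts, "/")
        siteuser = parts[n]          # e.g. "web2"
        # a file in web2 owned by web1 means a site user could write across sites
        if (owner != siteuser && owner != "root") {
          printf "CROSS-USER %s owned by %s (expected %s)\n", path, owner, siteuser
        }
        # world-writable: any local user, including another site, can modify it
        if (substr(mode, length(mode), 1) ~ /[2367]/) {
          printf "WORLD-WRITABLE %s mode %s\n", path, mode
        }
      }
    }'
}

# Constructed sample listing: two clean files, one cross-user file, one
# world-writable config.
SAMPLE_LISTING='/var/www/clients/client1/web1/web/index.php web1 644
/var/www/clients/client1/web1/web/storage/app.log web1 664
/var/www/clients/client1/web2/web/index.php web2 644
/var/www/clients/client1/web2/web/uploads/plugin.php web1 644
/var/www/clients/client1/web2/web/config.php web2 666'

# Number of findings in the sample listing (expected: 2).
count_findings() {
  printf '%s\n' "$SAMPLE_LISTING" | check_isolation | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LISTING" | check_isolation
```

An empty result on a real host is the expected state; any CROSS-USER line is worth investigating before bringing the site back.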
Hey Till, thanks for confirming! I also saw no signs of lateral movement in syslogs etc. We're planning to disable the site to remove the files and will bring it back online if needed.
You can try to scan the site or the full /var/www/ with ISPProtect. https://ispprotect.com/ The first scan is free and no registration is required for that.