Brutalized VPS recovery data now available. Considerations?

I'll start with what to do with your current system:

  1. Get in and make a backup of everything.
  2. Unless you can demonstrate major losses ($10k+), I wouldn't even begin to think about involving law enforcement. They have their hands full, and given the current patterns on the internet, it's highly likely that your culprit is in a different country than you are. Nobody is going to do an extradition process for hacked Wordpress sites. (Sorry, I know it's hard to hear, but it's the reality.)
  3. Burn the current server to the ground.
  4. Consider every password on your old server compromised.

Now, how do you build a new server to avoid this happening again? I'm going to make a few assumptions based on what you wrote in your post:

  • Multiple Wordpress installs.
  • mod_php on Apache
  • CPanel/WHM

Here's a few recommendations:

  1. Get your new server.
  2. Do a fresh installation of your applications, and set up strong passwords/credentials that have nothing to do with your old ones.
  3. Configure SELinux to limit the exposure of each site as much as possible.
  4. Be careful what Wordpress plugins you install. They have a much worse security track record than Wordpress core.
  5. Ensure that directories that are writable by the webserver are never interpreting files as PHP.
  6. Use 2-factor authentication for everything you can.
    • CPanel
    • SSH

Without being able to do digital forensics on your system, it's hard to know for sure, but I'm going to go out on a limb and guess what happened:

  1. Attacker runs scanner looking for vulnerable Wordpress installs.
  2. Attacker finds vulnerable Wordpress on your server. Gets RCE as webserver.
  3. Dumps password hashes for wordpress databases.
  4. Cracks password hashes, one of them matches a WHM/CPanel password.
  5. Gets into CPanel. Maybe as an admin, or maybe the version of CPanel had a bug that allows privilege escalation to admin.

You talk about fear of retaliation and the attacker coming after you again and again. Unless this is personal (a vendetta of some sort), I wouldn't worry about that. Attackers like this will just move on to their next compromised host. Just don't give them another chance.
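Recommendation 5 above (web-server-writable directories must never execute PHP) in practice, as an added example that is not part of David's answer: it assumes Apache with mod_php and AllowOverride enabled, so that a per-directory .htaccess is honoured; the function names and the audit of wp-content/uploads are my own.

```shell
#!/bin/sh
# Added example (not from the answer): block PHP execution in a directory the
# web server can write to, then audit a docroot for WordPress upload
# directories that still lack the protection. Assumes Apache with mod_php
# and AllowOverride enabled; if mod_php is not loaded, drop the php_flag line
# (Apache refuses unknown directives) and keep the FilesMatch block.
set -eu

# Writes an .htaccess that (a) turns the PHP engine off for mod_php and
# (b) denies any request for a PHP-like file, so a handler other than
# mod_php (php-fpm via proxy, mod_fcgid) cannot be reached either.
harden_writable_dir() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# PHP must never execute from an upload directory
php_flag engine off
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Returns 0 when the directory carries both rules, 1 otherwise.
dir_is_hardened() {
    f=$1/.htaccess
    [ -f "$f" ] && grep -q 'php_flag engine off' "$f" \
        && grep -q 'Require all denied' "$f"
}

# Prints every wp-content/uploads directory under DOCROOT that is writable
# (by the user running the audit, e.g. the web server account) and not yet
# hardened. Run it as the web server user to get the real picture.
audit_uploads() {
    docroot=$1
    find "$docroot" -type d -path '*/wp-content/uploads' -writable |
    while read -r d; do
        dir_is_hardened "$d" || printf '%s\n' "$d"
    done
}
```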


David's answer gave some excellent recommendations (which I highly recommend you follow). I will focus my answer instead on your specific fears in the hope of alleviating them.

What I wish to accomplish is to acquire as much information about the hacker as possible. I want to download my legacy backups. I want to get in and out as soon as possible.

You say you want to get as much information about this person as possible. This may not be practical if they used any form of anonymity. Post-break-in analysis is still important, of course. The first step would be to do a complete backup of the disk. If you have not already shut the system down since it was compromised, you may also be able to take a snapshot of the memory on the system, making it possible to do later forensic analysis on it. Memory will contain far more information about the attacker as they cannot reliably control what stays in memory, whereas it is very easy to prevent valuable information from being saved to persistent storage. Because of this, it's likely that you will not be able to obtain the disabled logs unless they already existed and were subsequently deleted.

My precautions are to stay behind a killswitched vpn and spend as little time there as possible.

There are a number of methods hackers can use to get the original IP behind a VPN, due to the architecture of VPNs. Using Tor or a similar anonymity network would be preferable. Spending as little time as possible may not be advisable as you may miss something important. Staying on a little bit longer does not increase the chance that you are detected. The hacker may even think you are another hacker who has broken in using the same vulnerability. If they notice you, chances are regardless of who they think you are, they'll simply disconnect you from the server.

The server-side SSH logs among others likely contain your home address anyway.

Is there any way to somehow recover these disabled logs? What else should I be looking at if the goal is to compile enough data to turn this guy into the authorities?

If the logs were disabled, you likely cannot retrieve them. If they were still written but merely deleted, you may be able to recover them from unallocated filesystem space. Unless the system has not shut down since the compromise and you are able to take a full snapshot of the system's memory, it is unlikely that you will be able to retrieve the information that was given in the logs.

As David already mentioned, you will not likely get much from involving law enforcement. The best you can get from obtaining this information is knowing more about how the hacker broke in, making it possible for you to close the hole they exploited and avoid it in the future.

My fear is that, even with a re-imaged server and all the hardening I'm capable of, this guy knows my site domains and will likely attack again. I suppose this should be a separate question, but should I prepare myself for having to altogether give up my domains due to his skill level? I'd hate to do it, but I fear he will do all he can to wreck the server and sites again, then proceed as before to destroying my home network and all devices.

Honestly, you don't have to worry about retaliation. You are just random collateral to their activities, not a carefully selected victim. They likely won't even remember your domain in a week. Of course these are generalizations, and if you have an actual enemy with a personal vendetta against you, things are a little different. There are a few possible classifications that may fit your attacker:

  • Curious - A hacker who breaks into a site because they are curious or want to improve their hacking skills will do so often with little regard for the results of their actions, but they are not out to get you. If you lock them out, they may want to find a way to get back in, but they will likely not be angry. They could even see it as a challenge.

  • Criminal - A purely criminal hacker has something to gain by attacking servers, such as money or digital resources. They won't waste time with revenge. These attackers are like water. They seek the path of least resistance.

  • Automated - It is very possible that no person attacked your site. A criminal enterprise wants to maximize profits, so to be more efficient, they often automate attacks. A script may scan the internet for vulnerable services and attack them. After breaking in, it will do their dirty work and attempt to establish persistence. You cannot make a script angry.

  • Script kiddie - A script kiddie is a junior hacker who thinks they know everything. They are more likely to seek revenge because they may take the act of you recovering your server personally. They do not have the necessary skills to do any real harm to your home network. The worst they can do is attempt to DDoS you. Don't worry about them.

  • Personal enemy - If you have an actual enemy with a personal vendetta against you, you have more to worry about. Since you gave no indication that this is the case, I'll assume it isn't.

The chances are his skill levels are not as high as you think. Breaking into a Wordpress site and adding a backdoor does not take a professional. As such, I would not worry about getting rid of your domains. It is absolutely possible to protect from this hacker using the advice given in another answer. As soon as someone else's site is more vulnerable than yours, a hacker moves on.
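The "recover them from unallocated filesystem space" step from this answer, carried out as an added example (my code, not the answerer's): it scans a raw image byte by byte for records in the default rsyslog line format and assumes GNU grep and a dd-style copy of the disk (or a memory dump) as input; the image path and the event filter are my own choices.

```shell
#!/bin/sh
# Added example (not from the answer): carve syslog-style records out of a raw
# disk image, including unallocated space, after the live log files were
# deleted. Works on any file: a dd copy of the VPS disk or a memory dump.
# Assumes the classic "Mon DD HH:MM:SS host prog: msg" format (rsyslog
# default) and GNU grep: -a treats the image as text, -o prints only matches.
set -eu
export LC_ALL=C   # byte-wise matching: [[:print:]] is then 0x20-0x7E only

# Every run of printable bytes that starts with a syslog timestamp, de-duplicated
# (the same record often survives in the journal, the log and a rotated copy).
carve_syslog_lines() {
    image=$1
    grep -a -o -E \
        '[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [[:print:]]{1,400}' \
        "$image" | sort -u
}

# Narrow the carved output to records that matter for the break-in timeline:
# SSH logins, sudo use, cron jobs and anything run as the web server account.
carve_auth_events() {
    carve_syslog_lines "$1" |
    grep -E 'sshd\[|sudo:|CRON\[|www-data|apache|nobody' || true
}
```

Carve the full disk first and keep the raw output; the timestamps in the carved records give you the earliest point at which the attacker had access, which is what you need to decide how far back your clean backups reach.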


In this case you don't know how the attacker was able to enter, so you are right to be concerned that the exact same thing will happen again even if you do a complete reinstall. To deal with this problem, you should configure your system for remote logging. A dedicated separate computer saves system logs which cannot be tampered with. You should configure your web server access log to send a real time copy over to the logging server as well as anything security related, in addition to the regular system log. The logs should be separate so that if one gets too big and needs to be trimmed down it won't affect the others.

You don't know how they got in. Your own computer could be compromised and the password could have been intercepted. Someone at the VPS provider could have accessed it, or someone renting another VPS alongside yours could have exploited something. Assuming that those things didn't happen, the next step may be to ensure that everything vulnerable is updated on the new install, and then configure security software such as SELinux. Be sure SELinux policy violations are sent to the remote logging server.
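The remote logging setup this answer describes, written out as an added example (mine, not the answerer's): it generates rsyslog configuration for the compromised-prone VPS (forwarder) and for the separate log host (collector), and assumes rsyslog 7 or later, a collector reachable on TCP 514, Apache writing /var/log/httpd/access_log and auditd writing SELinux denials to /var/log/audit/audit.log; the host name and file paths are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the answer): emit the rsyslog configuration for
# the setup described above. Assumes rsyslog >= 7 (RainerScript syntax), a
# collector reachable as LOGHOST on TCP 514, Apache logging to
# /var/log/httpd/access_log and auditd (SELinux AVC denials) logging to
# /var/log/audit/audit.log. Host name and paths are placeholders.
set -eu

# VPS side: pick up the web and audit logs with imfile, tag them so they can be
# told apart on the collector, and ship everything over TCP ("omfwd"); a
# disk-assisted queue keeps records when the collector is briefly unreachable.
gen_forwarder_conf() {
    loghost=$1
    cat <<EOF
module(load="imfile")
input(type="imfile" File="/var/log/httpd/access_log"
      Tag="httpd-access:" Facility="local6" Severity="info")
input(type="imfile" File="/var/log/audit/audit.log"
      Tag="audit:" Facility="local5" Severity="info")
# forward every facility, including the two imfile inputs above
action(type="omfwd" Target="$loghost" Port="514" Protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_queue"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Collector side: one file per sending host and per program, so trimming a
# bloated access log never touches the auth, cron or audit records.
gen_collector_conf() {
    cat <<'EOF'
module(load="imtcp")
input(type="imtcp" port="514")
template(name="PerHostProg" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
action(type="omfile" dynaFile="PerHostProg")
EOF
}
```

The collector must not accept SSH from the VPS or share any credential with it, otherwise the attacker who owns the VPS can reach the copies too.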