Few terms are as present in the news, provoke as much discomfort, and yet fail to elicit suitable reactions as much as hacking and being hacked. Hacking sounds dangerous, but it probably won’t happen to me. Because hacking, whatever it actually is, only happens to those who are worth targeting, like political parties or politicians, for example. And probably, there isn’t much one can do when these digital attacks suddenly strike from abroad.

It’s time to dispel the myths surrounding hacking and forge a clear roadmap. Whether for individuals, businesses, or authorities, it is dangerous to leave the door wide open in the digital world when leaving the house.

1. How can I tell if my server has been hacked?

Every appropriate response or prevention starts with knowing that an incident has occurred. To notice that a hacker attack has taken place, it is important to be aware that the attack may not always be immediately obvious or clearly recognizable. Noticing requires a basic understanding and a sensitivity to warning signals.

1.1 Basic Understanding

Since the 1970s, hacking has been understood as overcoming security barriers, increasingly with the goal of infiltrating digital systems. This activity is not only considered in a negative sense. Hacking with the goal of identifying security flaws, for example through organizations like the Chaos Computer Club, may be seen positively. Hacking therefore does not imply a specific hostile or friendly intention. Because hacking is not tied to any particular method, the known techniques are already countless (e.g., cross-site scripting or SQL injection). Finally, the consequences are also manifold. For example, data, software, accounts, or entire IT systems can be affected in various ways. The complexity and societal significance of cybersecurity in Germany are best illustrated by the reports of the BSI (Federal Office for Information Security), Bitkom press releases, or the Allianz Risk Barometer.

1.2 Warning Signals for a Hacked Server

Highest vigilance and caution are required. Every suspicion and irregularity should be investigated. Quick action is necessary. The following anomalies should be considered as warning signals for a hacked server:

  • Unusual server traffic
  • Unusual login attempts and registration activities
  • Unusual system performance and slow response times
  • Changed or unknown files on the server
  • Unusual changes to databases or other stored data
  • Messages or notifications from third parties

Each of these warning signals points to specific kinds of incidents (for preventive measures, see section 4). In larger organizations, methods to check these signals should be integrated into a broader prevention plan. This plan should be regularly reviewed and updated. It is essential to define in advance how to react if a signal shows an abnormality, so that the organization stays operational even if only a few individuals feel uneasy.

2. How do I respond if my server has been hacked?

If your server has been hacked, it is of course important to act quickly and thoughtfully. However, it is also crucial to remain calm and first analyze the situation. Whether and what kind of damage occurs largely depends on the appropriateness of your reaction. Nevertheless, you should start the following actions even before it is fully confirmed that your server has been hacked. Additionally, legal (reporting) obligations must be fulfilled, some within a few days, and immediate and transparent external communication is advisable.

2.1 Internal Measures

The following list outlines general steps to take. The common goal of the measures is to identify the exact extent of the hack, cut off an ongoing hacker’s access to your server, and minimize the consequences of the hack. It is crucial to adjust your response based on the specific situation and possibly prioritize actions. Support from an IT expert is absolutely necessary. Points of contact and direct communication channels should be defined in advance.

These measures can help to end the hacker’s access to your server:

  1. Disconnect the server from the network (unplug network cables or deactivate network connections) to prevent the hacker from causing further damage.
  2. Reset passwords and re-enroll any multi-factor authentication factors (devices and applications).

These measures can help to reduce the effects of the attack:

  1. Review the access and error logs to gather information on the IP addresses that accessed the server and on the actions that were taken from these IP addresses.
  2. Use reliable tools to check the server for malware or other malicious code. A manual investigation can identify backdoor programs that automated scans may miss.
  3. Conduct a detailed forensic investigation to understand how the hacker infiltrated the system and which systems and data may have been affected.
  4. If necessary, completely reinstall the server to ensure no backdoor programs or other malicious code remain. Ideally, you can restore your data from a clean, uncompromised backup.
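The warning signal "unusual login attempts" from section 1.2 and the log review in step 1 above can be turned into a repeatable check. The following script is an added example and not part of the original article or any tool it mentions: it parses constructed sample lines in the style of an OpenSSH auth log (the host name, IP addresses and timestamps are invented), counts failed and accepted logins per source address, and flags the patterns an investigator looks for first, namely a burst of failures, a success immediately following such a burst, and a successful login from an address that is not on a known-good list. The threshold of five failures and the known-good list are assumptions to be adjusted to your environment.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data), in the format of an OpenSSH auth log.
SAMPLE_LOG = """\
Mar 10 02:11:01 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:11:03 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:11:05 web01 sshd[4122]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 10 02:11:08 web01 sshd[4124]: Failed password for root from 203.0.113.45 port 51034 ssh2
Mar 10 02:11:10 web01 sshd[4126]: Failed password for root from 203.0.113.45 port 51040 ssh2
Mar 10 02:11:14 web01 sshd[4128]: Accepted password for root from 203.0.113.45 port 51044 ssh2
Mar 10 08:30:12 web01 sshd[5210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 10 09:02:44 web01 sshd[5388]: Failed password for deploy from 198.51.100.7 port 40100 ssh2
Mar 10 09:02:50 web01 sshd[5388]: Accepted password for deploy from 198.51.100.7 port 40100 ssh2
"""

# Matches both "Failed password for invalid user admin from 1.2.3.4" and
# "Accepted publickey for deploy from 1.2.3.4".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)"
)


def parse_log(text):
    """Return one dict per recognized sshd authentication line, in log order."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def analyze(events, known_ips, failure_threshold=5):
    """Aggregate events per source IP and attach investigation flags.

    known_ips: addresses from which logins are expected (assumed allow-list).
    failure_threshold: number of failures that counts as a brute-force burst.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(), "flags": set()})
    for event in events:
        entry = per_ip[event["ip"]]
        entry["users"].add(event["user"])
        if event["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"] += 1
            # A success right after a burst of failures is the classic sign of a guessed password.
            if entry["failed"] >= failure_threshold:
                entry["flags"].add("success_after_failures")
    for ip, entry in per_ip.items():
        if entry["failed"] >= failure_threshold:
            entry["flags"].add("brute_force")
        if entry["accepted"] and ip not in known_ips:
            entry["flags"].add("unknown_source_login")
        entry["flags"] = sorted(entry["flags"])  # deterministic output for reports
    return dict(per_ip)


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG), known_ips={"198.51.100.7"})
    for ip, entry in report.items():
        print(ip, entry["failed"], "failed,", entry["accepted"], "accepted, users:",
              sorted(entry["users"]), "flags:", entry["flags"])
```

Run against a real log, the script would be fed the contents of the system's auth log instead of SAMPLE_LOG; the flagged addresses, users and timestamps are exactly the facts needed for the forensic investigation in step 3 and for any report to the authorities.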

2.2 Legal Obligations

In addition to internal measures, you may be subject to legal (reporting) obligations. The following obligations are listed abstractly and as examples. Specific obligations can only be determined through an individual assessment. Regarding the assessment, support from an internal legal department or external legal advice is essential.

  • Data Breach: According to Article 33 of the GDPR, you are generally required to document and report a data breach to the relevant supervisory authority within 72 hours if personal data is affected, such as by deletion, modification, or transmission. Nevertheless, there is no reporting obligation if the breach is unlikely to result in any risk to the rights and freedoms of natural persons. The risk assessment is further explained in the guidelines of the European Data Protection Board.
  • Critical Infrastructure: Under Section 8b, paragraph 4 of the BSI Act (in its current version), operators of critical infrastructure must report significant disruptions to information technology systems that affect the functionality of critical infrastructure to the Federal Office for Information Security (BSI).
  • Information Society Services: Under Section 8c, paragraph 3 of the BSI Act (in its current version), information society services must report any security incidents with significant impacts to the BSI. In the BSI’s FAQ on the regulation of information society services, this reporting obligation is explained in more detail.
  • Payment Service Providers: Under Section 53, paragraph 2 of the Payment Services Supervision Act, a payment service provider must submit an annual assessment of the operational and security-related risks associated with the payment services it provides. The Federal Financial Supervisory Authority (BaFin) has provided a template for this assessment.

Additionally, you may file a criminal complaint, which may initiate a criminal investigation. The central cybercrime contact points of the police offer support in this regard.

2.3 Further External Communication

Finally, and independently of legal obligations, appropriate external communication is advisable. Especially if accounts or data of customers or other business partners are directly affected by an attack, immediate and transparent information about the attack and your measures will help to build trust. Given the number of hacker attacks occurring, it is not the fact that you have been hacked that affects your reputation. How you and your IT security are perceived in this case depends rather on how you manage and communicate the situation. A clear communication strategy is required.

3. Digression: Further Aspects if an Account has been Hacked

The previous descriptions refer to a hacked server. Warning signals and measures may differ, though, if the hacking has affected a personal account, such as an email account, without affecting the entire IT system. Warning signals for a hacked account may include logins from unknown devices, changes to access data, or unusual activities within the account, such as sent emails that you did not write. The key question for an appropriate response is whether you can still access your account. If access is still possible, it is especially important to reset the passwords. For further responses, refer to the publication from the Federal Office for Information Security.

4. How can I prevent my server from being hacked?

Absolute protection against hacker attacks does not exist. However, to minimize the chances of success of these attacks, you should not only be aware of warning signals and respond appropriately in the event of an attack but also carry out regular prevention measures. It is important to adapt the following suggestions to your specific situation and to the design of your own infrastructure.

  • Use robust security solutions like firewalls and intrusion detection systems to detect and block unauthorized access early.
  • Perform regular software updates to close known security gaps.
  • Conduct regular security checks and penetration tests to identify potential vulnerabilities in your system before a hacker can exploit them.
  • Provide training so that your employees can recognize warning signals and take appropriate actions.
  • Set up security alerts to foster security competence and awareness at critical points.
  • Grant access to the server only to necessary users and processes.
  • Perform regular backups to ensure the highest possible data security.
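Two items above, regular security checks and regular backups, together with the warning signal "changed or unknown files on the server" from section 1.2, can be supported by a file-integrity baseline: record a cryptographic hash of every file in a known-good state, then compare the current state against it at each check. The following script is an added example, not code from the original article or from any product it mentions. It builds a SHA-256 manifest of a directory tree, saves and reloads it as JSON, and reports modified, added and missing files; the demo function constructs a small throwaway web root in a temporary directory (file names and contents are invented) and simulates the three kinds of change.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file below root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def save_manifest(manifest, path):
    # The baseline should be stored off the server it describes; an attacker who can
    # change files can otherwise also rewrite the manifest. (Assumed deployment practice.)
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare_manifests(baseline, current):
    """Return the files that differ between a stored baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo_scenario():
    """Constructed scenario: baseline a tiny web root, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "index.php": b"<?php echo 'hello'; ?>\n",
            "config/app.conf": b"debug=false\n",
            "assets/notes.txt": b"static asset\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)

        manifest_path = os.path.join(root, "..", "baseline.json")
        save_manifest(build_manifest(root), manifest_path)
        baseline = load_manifest(manifest_path)

        # Simulated changes: one file edited, one new file, one file removed.
        with open(os.path.join(root, "index.php"), "ab") as handle:
            handle.write(b"// unexpected edit\n")
        with open(os.path.join(root, "uploads.php"), "wb") as handle:
            handle.write(b"<?php // file not present in the baseline ?>\n")
        os.remove(os.path.join(root, "assets", "notes.txt"))

        result = compare_manifests(baseline, build_manifest(root))
        os.remove(manifest_path)
        return result


if __name__ == "__main__":
    print(json.dumps(demo_scenario(), indent=2))
```

In practice the manifest is taken right after a clean installation or a verified restore from backup (section 2.1, step 4) and checked on a schedule; any entry in "modified" or "added" that no deployment explains is exactly the warning signal the article describes and should trigger the response steps in section 2.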

Digression: There are also specific measures for preventing hacker attacks on accounts, which are covered in a publication from the Federal Office for Information Security.


Lasse Kamin

Associate

Email: lasse.kamin@planit.legal
Phone: +49 (0) 40 609 44 190