In regard to this subject, I am a professional. Original Big Three.

If ASPD were my client, I would have simply done the following if true backups existed (by 'true' I mean valid data that is NOT compromised):


1. I would have the board software vendor on the phone and decide upon the best, most up-to-date board version that supports my existing backups.

2. I would discuss with the board software vendor which operating systems are available for my chosen platform which, again, support my existing backups. I would also discuss an HTTP server change.

3. If at all possible, I would change the OS, perhaps even the platform if money is not an issue. Quite simple: completely re-image the existing hacked server. Examples: change Linux vendor versions; buy a nice little Sun or IBM pizza box.

4. With the fresh OS installed, I would next have installed the latest board software, then performed all required processes and change management updates.

5. Restore databases. Done.

The point of the above is that IF the backups are valid, there is no need to mess around with a compromised OS. Wipe the OS, install new board software, update board, perform restore, done.
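The whole plan above hinges on the backups being "true", so the one check worth scripting before step 5 is whether a given archive is actually fit to restore onto the freshly imaged box. The following is an added example, not code from the original post or from any board software vendor: it assumes the nightly backup job recorded a SHA-256 and a timestamp for each archive in a manifest kept off the compromised server, and that log review has produced an earliest known compromise time. The archive contents, manifest entries and dates are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample "archives". In practice these are files on the backup
# host; here they are byte strings so the example runs stand-alone.
SAMPLE_ARCHIVES = {
    "forum_db-2009-03-01.sql.gz": b"-- clean dump (constructed sample)\nCREATE TABLE posts (...);\n",
    "forum_db-2009-03-02.sql.gz": b"-- dump altered on the server after the fact (constructed)\n",
    "forum_db-2009-03-08.sql.gz": b"-- dump taken after the break-in (constructed sample)\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed off-box manifest, as the backup job would have written it at
# backup time. The 03-02 entry records the hash of the ORIGINAL archive, which
# no longer matches the copy now sitting on the server.
MANIFEST = {
    "forum_db-2009-03-01.sql.gz": {
        "sha256": sha256_hex(SAMPLE_ARCHIVES["forum_db-2009-03-01.sql.gz"]),
        "taken_at": "2009-03-01T02:00:00+00:00",
    },
    "forum_db-2009-03-02.sql.gz": {
        "sha256": sha256_hex(b"-- original 03-02 dump before it was tampered with (constructed)\n"),
        "taken_at": "2009-03-02T02:00:00+00:00",
    },
    "forum_db-2009-03-08.sql.gz": {
        "sha256": sha256_hex(SAMPLE_ARCHIVES["forum_db-2009-03-08.sql.gz"]),
        "taken_at": "2009-03-08T02:00:00+00:00",
    },
}

# Constructed: the earliest timestamp at which log review found attacker
# activity. Anything taken at or after this cannot be trusted.
EARLIEST_COMPROMISE = datetime(2009, 3, 5, tzinfo=timezone.utc)


def check_backup(name, data, manifest, earliest_compromise):
    """Return (ok, reason): ok is True only if the archive matches the off-box
    manifest AND was taken before the earliest known compromise."""
    entry = manifest.get(name)
    if entry is None:
        return False, "no manifest entry"
    # Constant-time comparison of hex digests; cheap and avoids a sloppy habit.
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return False, "checksum mismatch"
    taken = datetime.fromisoformat(entry["taken_at"])
    if taken >= earliest_compromise:
        return False, "taken after compromise"
    return True, "ok"


def select_restore_candidate(archives, manifest, earliest_compromise):
    """Pick the newest archive that passes both checks.

    Returns (chosen_name_or_None, {name: reason}) so the rejected ones can be
    written into the incident record."""
    verdicts = {}
    for name, data in archives.items():
        ok, reason = check_backup(name, data, manifest, earliest_compromise)
        verdicts[name] = reason
    passing = [n for n, r in verdicts.items() if r == "ok"]
    if not passing:
        return None, verdicts
    newest = max(passing, key=lambda n: datetime.fromisoformat(manifest[n]["taken_at"]))
    return newest, verdicts


if __name__ == "__main__":
    chosen, verdicts = select_restore_candidate(SAMPLE_ARCHIVES, MANIFEST, EARLIEST_COMPROMISE)
    for name, reason in sorted(verdicts.items()):
        print(f"{name}: {reason}")
    print("restore candidate:", chosen)
```

Run against the sample data it rejects the 03-02 archive (hash no longer matches the manifest) and the 03-08 archive (taken after the compromise), and picks the 03-01 dump. The point of keeping the manifest off the box is that a hash stored next to the archives on the hacked server proves nothing; whoever altered the dump could have rewritten the hash too.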

I realize with #4 if no change management processes existed, there could be A LOT of work before a restore could take place.


Why #3?
Because, if truly hacked by those suspected, they are waiting and WILL RETURN.
Platform and OS change will allow at least some time to monitor site activity.
Come back up with the same OS that was hacked..... forget it.
Come back up with a freshly installed OS, but not an upgraded or different version.... forget it; unless patching and updates were not being practiced, the hackers will know exactly where to hit next.

Since the site runs an Apache HTTP server on a RedHat Linux platform, if the OS is not completely re-installed, it is just gonna be a time bomb.
Not a fault of RedHat, but a fault of running ten year old board software.