Should I report the compromise if I've already cleaned up and secured the server?

Yes, absolutely. Reporting after cleanup is still valuable. The attacker's infrastructure (their source IP, C2 servers, mining pools) is likely still active and targeting other victims. Your report helps the attacker's ISP take action and contributes to the broader threat intelligence picture. Include the timeline showing when the compromise occurred, when you discovered it, and when you remediated it.

My server was used to attack others — am I liable?

In most jurisdictions, you are not held liable for attacks launched from your server if you were a victim yourself and responded reasonably. However, negligence in securing your server (running years-old unpatched software, using default credentials) could theoretically be a factor in civil liability. Document your response efforts thoroughly, report promptly, and take demonstrable steps to prevent recurrence.

Should I shut down the server immediately or leave it running to collect evidence?

This depends on the severity. If the server is actively attacking others (sending spam, participating in DDoS, scanning networks), isolate it immediately — you can capture a disk image and memory dump for forensics afterward. If the compromise appears dormant or you caught it early, briefly leaving it running while you collect volatile evidence (running processes, network connections, memory contents) can provide valuable forensic data. The priority is always stopping ongoing harm to others.

What if the attacker's IP is behind a VPN or proxy?

Many attackers route through VPNs, proxies, or Tor exit nodes to obscure their real IP. Report the IP you see in your logs regardless — VPN and proxy providers still have abuse processes and can suspend accounts. If you identify multiple attacker IPs, include all of them. Sometimes the attacker makes mistakes and connects from their real IP at some point during the compromise, so check your logs thoroughly across the entire compromise window.

Do I need to report a server compromise to data protection authorities?

If the compromised server stored personal data of EU residents, GDPR requires notification to your supervisory authority within 72 hours of becoming aware of the breach. Similar requirements exist under CCPA, HIPAA, and other regulations depending on the data involved and your jurisdiction. This is separate from the ISP abuse report — consult legal counsel to determine your regulatory obligations based on what data was accessible on the compromised server.

How do I preserve evidence without tampering with it?

The gold standard is creating a bit-for-bit forensic disk image before touching anything, using tools like `dd` or `dc3dd`. If that is not possible, capture volatile data first (running processes, network connections, memory dump), then copy log files to external storage. Document every action you take with timestamps. Avoid running antivirus or cleanup tools before evidence collection, as they modify file timestamps and delete artifacts that investigators need.

Can my hosting provider help with the forensic investigation?

Many hosting providers offer some level of incident response assistance, especially managed hosting and enterprise cloud providers. They may have access to network flow data, firewall logs, and hypervisor-level information that you cannot see from within your server. Contact their security or abuse team as soon as you discover the compromise and ask what support they can provide. Some providers also partner with incident response firms and can facilitate introductions.

How to Report a Hacked Server: Filing Abuse Reports After a Compromise

A compromised server rarely sits idle. Within minutes of gaining access, attackers deploy web shells, install cryptocurrency miners, pivot to internal networks, or use your server as a launchpad for phishing campaigns and brute-force attacks against other targets. Your hacked server becomes someone else's problem too.

After you contain the breach — isolating the server, killing malicious processes, and beginning recovery — there's a critical step that many administrators skip: reporting. Filing abuse reports with your hosting provider and the attacker's ISP helps shut down the infrastructure behind the compromise, protects other potential victims, and creates an official record that may matter if the breach escalates to a legal or regulatory issue.

This guide walks through the entire post-compromise reporting process, from evidence collection to filing reports with the right parties. It's part of my complete guide to reporting IP abuse, focused specifically on server compromise scenarios.

How to Identify a Server Compromise

Sometimes the signs are obvious — a defaced homepage or a flood of customer complaints about spam originating from your domain. Other times, the indicators are subtle and only surface when you actively look. Here are the key things to check.

Unexpected processes

Look for processes you don't recognize, especially those running as root or under web server user accounts:

ps aux --sort=-%cpu | head -30

Watch for processes with suspicious names like kdevtmpfsi, kinsing, .sshd (note the leading dot), or generic names like java, python3, or bash running from unusual paths such as /tmp, /dev/shm, or /var/tmp.

Unusual outbound network connections

Check for connections to unfamiliar IP addresses, especially on non-standard ports:

ss -tunap | grep ESTABLISHED
netstat -tunap | grep ESTABLISHED

A compromised server often phones home to a command-and-control server or sends traffic to targets it's attacking. Connections on ports like 4444, 5555, 6667 (IRC), or high-numbered random ports are red flags.

Modified system files and suspicious cron jobs

Check for recently modified files in system directories and unauthorized cron entries:

# Files modified in the last 3 days in system directories
find /etc /usr/bin /usr/sbin -mtime -3 -type f 2>/dev/null

# All cron jobs across all users
for user in $(cut -f1 -d: /etc/passwd); do
  crontab -l -u "$user" 2>/dev/null | grep -v '^#' | grep -v '^$' && echo "  ^ $user"
done

# Check system-wide cron directories
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/

Unfamiliar user accounts and SSH keys

Look for accounts or SSH keys that you didn't create:

# Recently added users
grep -v 'nologin\|false' /etc/passwd

# Check authorized_keys for all users
find / -name "authorized_keys" -type f 2>/dev/null -exec echo "=== {} ===" \; -exec cat {} \;

Web shells and backdoors

If you're running a web server, check for recently added or modified PHP, ASP, or JSP files:

# PHP files modified in the last 7 days
find /var/www -name "*.php" -mtime -7 -type f 2>/dev/null

# Look for common web shell signatures
grep -rl "eval\s*(base64_decode\|system\s*(\|passthru\|shell_exec" /var/www/ 2>/dev/null

Log anomalies

Review authentication and system logs for evidence of unauthorized access:

# Failed and successful SSH logins
grep -i "accepted\|failed" /var/log/auth.log | tail -50

# Sudo usage
grep "sudo" /var/log/auth.log | tail -30

Evidence Gathering Checklist

Before you wipe anything or begin restoring from backups, collect evidence. This is critical for abuse reports, and essential if law enforcement gets involved later. Save everything to an external location — not the compromised server itself.

Here's what to gather:

Authentication logs — /var/log/auth.log, /var/log/secure (failed and successful logins, sudo usage, SSH key authentications)
System logs — /var/log/syslog, /var/log/messages, journalctl output
Web server logs — Access and error logs from Apache (/var/log/apache2/) or Nginx (/var/log/nginx/)
Modified file inventory — Full list with timestamps using find / -mtime -7 -type f
Running process list — Full ps aux output captured at time of discovery
Network connections — ss -tunap or netstat -tunap output showing established connections
Cron entries — All cron jobs for all users
New user accounts — Any accounts added to /etc/passwd or /etc/shadow
SSH authorized keys — Any keys added to ~/.ssh/authorized_keys files
Malware samples — Copy any web shells, backdoors, or malicious scripts (keep in a password-protected archive)
Disk image — If possible, create a forensic image of the compromised disk before remediation

A quick way to capture the most critical runtime state:

mkdir /tmp/evidence-$(date +%Y%m%d)
cd /tmp/evidence-$(date +%Y%m%d)
ps aux > processes.txt
ss -tunap > connections.txt
last -50 > login_history.txt
cp /var/log/auth.log ./
cp /var/log/syslog ./
crontab -l > crontab_root.txt 2>&1
find / -mtime -3 -type f > modified_files.txt 2>/dev/null
tar czf evidence-bundle.tar.gz ./*

Transfer the bundle off the server immediately. Attackers who maintain access may tamper with or delete logs.

Finding the Abuse Contact

Once you've identified the attacker's source IP address from your logs, you need to find who's responsible for that IP. Use the IP Location tool to look up the IP — it returns the ISP, organization, ASN, and geographic information.

The WHOIS record for the IP will typically include an abuse-mailbox field with the correct email address for reporting. For major cloud and hosting providers, abuse contacts are well-documented:

AWS — [email protected]
Google Cloud — [email protected] (or through the GCP console)
Microsoft Azure — abuse portal at msrc.microsoft.com
DigitalOcean — [email protected]
OVH — [email protected]
Hetzner — [email protected]

If the attacker's IP belongs to a hosting provider, that provider can take direct action against the offending account. If it belongs to a residential ISP, the response may be slower, but the ISP can notify the subscriber whose machine may itself be compromised and part of a botnet.

You can also use the Port Scanner to check what services are exposed on your own server — this helps you understand the attack surface that was exploited and document it in your report.

Hacked Server Abuse Report Template

A well-structured report gets faster results. Include all relevant details so the recipient can identify the attacker's account and take action without needing to ask follow-up questions.

Subject: Abuse Report – Server Compromise Originating from [IP ADDRESS]

To Whom It May Concern,

I am reporting a server compromise that originated from an IP address
under your administration.

-- Attacker Information --
Source IP: [ATTACKER_IP]
Attacker ASN: [ASN_NUMBER]
Attack Method: [e.g., SSH brute force, web application exploit, etc.]

-- Victim Server Information --
Server IP: [YOUR_SERVER_IP]
Hosting Provider: [YOUR_PROVIDER]
Operating System: [e.g., Ubuntu 22.04 LTS]
Primary Service: [e.g., Web server running Apache/Nginx]

-- Timeline --
Estimated compromise date: [DATE/TIME with timezone]
Discovery date: [DATE/TIME with timezone]
Containment date: [DATE/TIME with timezone]

-- Evidence Summary --
The following evidence ties the attack to the reported IP address:

1. Authentication logs showing [brute-force attempts / successful login]
   from [ATTACKER_IP] beginning [DATE/TIME]:
   [PASTE RELEVANT LOG LINES - 10-15 lines max]

2. Network connections from the compromised server to [ATTACKER_IP]
   observed on port [PORT]:
   [PASTE ss/netstat OUTPUT]

3. Malicious activity performed post-compromise:
   - [e.g., Cryptocurrency miner deployed at /tmp/.hidden/xmrig]
   - [e.g., Web shell installed at /var/www/html/uploads/cmd.php]
   - [e.g., Outbound SSH scans launched against multiple /24 ranges]

-- Impact --
[Describe impact: data exposure, service disruption, spam sent, etc.]

-- Request --
Please investigate the reported IP address and take appropriate action
to prevent further attacks from this source. If the server at this IP
has itself been compromised, I would appreciate notification to its owner.

I have preserved full forensic evidence and logs and can provide
additional details upon request.

Regards,
[YOUR NAME]
[YOUR ROLE / ORGANIZATION]
[CONTACT EMAIL]

Attach the evidence bundle or offer to share it via a secure method. Avoid sending malware samples directly in email attachments — most mail systems will strip them.

Where to Report

Your hosting provider (first priority)

Your own hosting provider should be your first call. They need to know about the compromise because:

They may detect ongoing malicious activity from your server that you haven't noticed yet
They can help with forensic analysis or provide additional logs (network-level traffic data you don't have access to)
Some providers have incident response teams that will assist with containment
There may be contractual or regulatory obligations to disclose breaches

Most hosting control panels have a support or security incident reporting mechanism. For urgent situations, use phone support if available.

The attacker's ISP

Send your abuse report to the ISP that owns the attacker's source IP. Use the abuse contact from the WHOIS record. This is how you shut down the attacker's infrastructure or get a compromised intermediary server cleaned up.

Cloud provider abuse portals

If the attack came from a major cloud provider, use their dedicated abuse forms in addition to email. These often get routed more quickly:

AWS — aws.amazon.com/forms/report-abuse
Google Cloud — support.google.com/code/contact/cloud_platform_report
Microsoft Azure — msrc.microsoft.com/report/abuse
DigitalOcean — digitalocean.com/company/contact (abuse category)

Law enforcement

For serious breaches involving data theft, financial loss, or personally identifiable information, you should also report to law enforcement. I cover this process in detail in my guide on reporting cybercrime to law enforcement and the FBI IC3. Key points: file an IC3 complaint in the US, or contact your national CERT if you're outside the US.

Common Compromise Scenarios

Web application exploit

WordPress, Joomla, Drupal, and other CMS platforms are frequent targets. Attackers exploit outdated plugins, themes, or core versions to upload web shells. In your report, include:

The vulnerable component and version (e.g., "WordPress 5.8 with Contact Form 7 plugin v5.4")
The web shell path and contents
Access log entries showing the exploit payload

Check access logs for POST requests to unusual paths — this often reveals the initial exploitation vector.

SSH or RDP credential compromise

Whether through brute force or stolen credentials, remote access compromises are common. Your auth logs will show the evidence clearly. I cover this attack type and reporting process in detail in my guide on reporting brute-force SSH and RDP attacks. Include failed login counts, the successful authentication timestamp, and any lateral movement observed afterward.

Supply chain compromise

Sometimes the breach comes through a compromised software dependency — a malicious npm package, a backdoored Docker image, or a tampered update. These are harder to trace to a single IP, but you should still report what you find. The attacker's C2 server IP will be in your network connection logs.

Cryptojacking

Cryptocurrency mining is one of the most common payloads after a server compromise. Signs include sustained 100% CPU usage, processes named xmrig, kdevtmpfsi, or kinsing, and outbound connections to mining pools on ports 3333, 5555, or 14433. In your report, include the mining pool address and wallet ID if you can extract them from the miner's configuration — this can help trace the attacker across multiple compromised servers. My guide on reporting malware and botnet C2 traffic covers the C2 reporting angle in more detail.

What to Expect After Reporting

Response times vary significantly depending on who you're reporting to.

Your hosting provider — Expect a response within hours for a security incident. Most providers take compromise reports seriously because a hacked server on their network affects their reputation and other customers. They may suspend your server temporarily while the situation is resolved.

The attacker's ISP — Cloud providers with automated abuse systems (AWS, GCP, DigitalOcean) typically respond within 24-48 hours and may suspend the offending instance. Traditional ISPs may take 3-7 business days. Some providers in certain jurisdictions may not respond at all.

Law enforcement — IC3 complaints are logged and may be used in aggregate investigations, but don't expect individual case follow-up unless the breach is large-scale. National CERTs may provide incident response guidance.

Don't be discouraged by slow responses. Each report contributes to a pattern that abuse teams and law enforcement use to build cases and take down infrastructure. If you don't receive a response within a reasonable timeframe, escalate — resend the report, CC the provider's NOC, or use their online abuse portal if you initially used email.

Prevention: Reducing the Risk of Future Compromise

Once you've reported and recovered, take steps to harden your infrastructure:

Patch consistently — Apply security updates within 24-48 hours of release, especially for internet-facing services. Most compromises exploit known vulnerabilities with available patches.
Enforce key-based SSH authentication — Disable password authentication entirely. This eliminates brute-force SSH attacks as a vector.
Minimize your attack surface — Run only the services you need. Use a firewall to block all ports except those required. Check what's exposed with the Port Scanner.
Implement monitoring — Set up alerts for unusual CPU usage, outbound connections to unfamiliar IPs, new user accounts, and modified system files. Tools like OSSEC, Wazuh, or even simple cron scripts that check for changes can catch compromises early.
Use the principle of least privilege — Web applications should run as non-root users with minimal filesystem permissions. Database accounts should have only the permissions they need.
Maintain tested backups — Keep offline or immutable backups. Test your restoration process regularly. A clean backup is your fastest path to recovery.
Enable multi-factor authentication — For all administrative access including SSH (via PAM modules), control panels, and CMS admin interfaces.

Frequently Asked Questions

This article was researched and structured by the author with AI assistance for drafting and technical verification.

How to Identify a Server Compromise

Unexpected processes

Look for processes you don't recognize, especially those running as root or under web server user accounts:

ps aux --sort=-%cpu | head -30

Unusual outbound network connections

Check for connections to unfamiliar IP addresses, especially on non-standard ports:

ss -tunap | grep ESTABLISHED
netstat -tunap | grep ESTABLISHED

Modified system files and suspicious cron jobs

Check for recently modified files in system directories and unauthorized cron entries:

# Files modified in the last 3 days in system directories
find /etc /usr/bin /usr/sbin -mtime -3 -type f 2>/dev/null

# All cron jobs across all users
for user in $(cut -f1 -d: /etc/passwd); do
  crontab -l -u "$user" 2>/dev/null | grep -v '^#' | grep -v '^$' && echo "  ^ $user"
done

# Check system-wide cron directories
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/

Unfamiliar user accounts and SSH keys

Look for accounts or SSH keys that you didn't create:

# Recently added users
grep -v 'nologin\|false' /etc/passwd

# Check authorized_keys for all users
find / -name "authorized_keys" -type f 2>/dev/null -exec echo "=== {} ===" \; -exec cat {} \;

Web shells and backdoors

If you're running a web server, check for recently added or modified PHP, ASP, or JSP files:

# PHP files modified in the last 7 days
find /var/www -name "*.php" -mtime -7 -type f 2>/dev/null

# Look for common web shell signatures
grep -rl "eval\s*(base64_decode\|system\s*(\|passthru\|shell_exec" /var/www/ 2>/dev/null

Log anomalies

Review authentication and system logs for evidence of unauthorized access:

# Failed and successful SSH logins
grep -i "accepted\|failed" /var/log/auth.log | tail -50

# Sudo usage
grep "sudo" /var/log/auth.log | tail -30

Evidence Gathering Checklist

Here's what to gather:

Authentication logs — /var/log/auth.log, /var/log/secure (failed and successful logins, sudo usage, SSH key authentications)
System logs — /var/log/syslog, /var/log/messages, journalctl output
Web server logs — Access and error logs from Apache (/var/log/apache2/) or Nginx (/var/log/nginx/)
Modified file inventory — Full list with timestamps using find / -mtime -7 -type f
Running process list — Full ps aux output captured at time of discovery
Network connections — ss -tunap or netstat -tunap output showing established connections
Cron entries — All cron jobs for all users
New user accounts — Any accounts added to /etc/passwd or /etc/shadow
SSH authorized keys — Any keys added to ~/.ssh/authorized_keys files
Malware samples — Copy any web shells, backdoors, or malicious scripts (keep in a password-protected archive)
Disk image — If possible, create a forensic image of the compromised disk before remediation

A quick way to capture the most critical runtime state:

mkdir /tmp/evidence-$(date +%Y%m%d)
cd /tmp/evidence-$(date +%Y%m%d)
ps aux > processes.txt
ss -tunap > connections.txt
last -50 > login_history.txt
cp /var/log/auth.log ./
cp /var/log/syslog ./
crontab -l > crontab_root.txt 2>&1
find / -mtime -3 -type f > modified_files.txt 2>/dev/null
tar czf evidence-bundle.tar.gz ./*

Transfer the bundle off the server immediately. Attackers who maintain access may tamper with or delete logs.

Finding the Abuse Contact

The WHOIS record for the IP will typically include an abuse-mailbox field with the correct email address for reporting. For major cloud and hosting providers, abuse contacts are well-documented:

AWS — [email protected]
Google Cloud — [email protected] (or through the GCP console)
Microsoft Azure — abuse portal at msrc.microsoft.com
DigitalOcean — [email protected]
OVH — [email protected]
Hetzner — [email protected]

You can also use the Port Scanner to check what services are exposed on your own server — this helps you understand the attack surface that was exploited and document it in your report.

Hacked Server Abuse Report Template

A well-structured report gets faster results. Include all relevant details so the recipient can identify the attacker's account and take action without needing to ask follow-up questions.

Subject: Abuse Report – Server Compromise Originating from [IP ADDRESS]

To Whom It May Concern,

I am reporting a server compromise that originated from an IP address
under your administration.

-- Attacker Information --
Source IP: [ATTACKER_IP]
Attacker ASN: [ASN_NUMBER]
Attack Method: [e.g., SSH brute force, web application exploit, etc.]

-- Victim Server Information --
Server IP: [YOUR_SERVER_IP]
Hosting Provider: [YOUR_PROVIDER]
Operating System: [e.g., Ubuntu 22.04 LTS]
Primary Service: [e.g., Web server running Apache/Nginx]

-- Timeline --
Estimated compromise date: [DATE/TIME with timezone]
Discovery date: [DATE/TIME with timezone]
Containment date: [DATE/TIME with timezone]

-- Evidence Summary --
The following evidence ties the attack to the reported IP address:

1. Authentication logs showing [brute-force attempts / successful login]
   from [ATTACKER_IP] beginning [DATE/TIME]:
   [PASTE RELEVANT LOG LINES - 10-15 lines max]

2. Network connections from the compromised server to [ATTACKER_IP]
   observed on port [PORT]:
   [PASTE ss/netstat OUTPUT]

3. Malicious activity performed post-compromise:
   - [e.g., Cryptocurrency miner deployed at /tmp/.hidden/xmrig]
   - [e.g., Web shell installed at /var/www/html/uploads/cmd.php]
   - [e.g., Outbound SSH scans launched against multiple /24 ranges]

-- Impact --
[Describe impact: data exposure, service disruption, spam sent, etc.]

-- Request --
Please investigate the reported IP address and take appropriate action
to prevent further attacks from this source. If the server at this IP
has itself been compromised, I would appreciate notification to its owner.

I have preserved full forensic evidence and logs and can provide
additional details upon request.

Regards,
[YOUR NAME]
[YOUR ROLE / ORGANIZATION]
[CONTACT EMAIL]

Attach the evidence bundle or offer to share it via a secure method. Avoid sending malware samples directly in email attachments — most mail systems will strip them.

Where to Report

Your hosting provider (first priority)

Your own hosting provider should be your first call. They need to know about the compromise because:

They may detect ongoing malicious activity from your server that you haven't noticed yet
They can help with forensic analysis or provide additional logs (network-level traffic data you don't have access to)
Some providers have incident response teams that will assist with containment
There may be contractual or regulatory obligations to disclose breaches

Most hosting control panels have a support or security incident reporting mechanism. For urgent situations, use phone support if available.

The attacker's ISP

Cloud provider abuse portals

If the attack came from a major cloud provider, use their dedicated abuse forms in addition to email. These often get routed more quickly:

AWS — aws.amazon.com/forms/report-abuse
Google Cloud — support.google.com/code/contact/cloud_platform_report
Microsoft Azure — msrc.microsoft.com/report/abuse
DigitalOcean — digitalocean.com/company/contact (abuse category)

Law enforcement

Common Compromise Scenarios

Web application exploit

WordPress, Joomla, Drupal, and other CMS platforms are frequent targets. Attackers exploit outdated plugins, themes, or core versions to upload web shells. In your report, include:

The vulnerable component and version (e.g., "WordPress 5.8 with Contact Form 7 plugin v5.4")
The web shell path and contents
Access log entries showing the exploit payload

Check access logs for POST requests to unusual paths — this often reveals the initial exploitation vector.

SSH or RDP credential compromise

Supply chain compromise

Cryptojacking

What to Expect After Reporting

Response times vary significantly depending on who you're reporting to.

Prevention: Reducing the Risk of Future Compromise

Once you've reported and recovered, take steps to harden your infrastructure:

Patch consistently — Apply security updates within 24-48 hours of release, especially for internet-facing services. Most compromises exploit known vulnerabilities with available patches.
Enforce key-based SSH authentication — Disable password authentication entirely. This eliminates brute-force SSH attacks as a vector.
Minimize your attack surface — Run only the services you need. Use a firewall to block all ports except those required. Check what's exposed with the Port Scanner.
Implement monitoring — Set up alerts for unusual CPU usage, outbound connections to unfamiliar IPs, new user accounts, and modified system files. Tools like OSSEC, Wazuh, or even simple cron scripts that check for changes can catch compromises early.
Use the principle of least privilege — Web applications should run as non-root users with minimal filesystem permissions. Database accounts should have only the permissions they need.
Maintain tested backups — Keep offline or immutable backups. Test your restoration process regularly. A clean backup is your fastest path to recovery.
Enable multi-factor authentication — For all administrative access including SSH (via PAM modules), control panels, and CMS admin interfaces.

How to Report a Hacked Server: Filing Abuse Reports After a Compromise

How to Identify a Server Compromise

Unexpected processes

Unusual outbound network connections

Modified system files and suspicious cron jobs

Unfamiliar user accounts and SSH keys

Web shells and backdoors

Log anomalies

Evidence Gathering Checklist

Finding the Abuse Contact

Hacked Server Abuse Report Template

Where to Report

Your hosting provider (first priority)

The attacker's ISP

Cloud provider abuse portals

Law enforcement

Common Compromise Scenarios

Web application exploit

SSH or RDP credential compromise

Supply chain compromise

Cryptojacking

What to Expect After Reporting

Prevention: Reducing the Risk of Future Compromise

Frequently Asked Questions

Frequently Asked Questions

Should I report the compromise if I've already cleaned up and secured the server?

My server was used to attack others — am I liable?

Should I shut down the server immediately or leave it running to collect evidence?

What if the attacker's IP is behind a VPN or proxy?

Do I need to report a server compromise to data protection authorities?

How do I preserve evidence without tampering with it?

Can my hosting provider help with the forensic investigation?

Categories:

About the Author

Share this article

Related Articles

How to Report a Hacked Server: Filing Abuse Reports After a Compromise

How to Identify a Server Compromise

Unexpected processes

Unusual outbound network connections

Modified system files and suspicious cron jobs

Unfamiliar user accounts and SSH keys

Web shells and backdoors

Log anomalies

Evidence Gathering Checklist

Finding the Abuse Contact

Hacked Server Abuse Report Template

Where to Report

Your hosting provider (first priority)

The attacker's ISP

Cloud provider abuse portals

Law enforcement

Common Compromise Scenarios

Web application exploit

SSH or RDP credential compromise

Supply chain compromise

Cryptojacking

What to Expect After Reporting

Prevention: Reducing the Risk of Future Compromise

Frequently Asked Questions

Frequently Asked Questions

Should I report the compromise if I've already cleaned up and secured the server?

My server was used to attack others — am I liable?

Should I shut down the server immediately or leave it running to collect evidence?

What if the attacker's IP is behind a VPN or proxy?

Do I need to report a server compromise to data protection authorities?

How do I preserve evidence without tampering with it?

Can my hosting provider help with the forensic investigation?

Categories:

About the Author

Share this article

Related Articles