Any server connected to the internet for more than a few hours will come to the attention of online criminals. Usually, that attention is entirely automated: crawlers and bots trawl the internet looking for servers, probing them for vulnerabilities in the hope of finding a chink through which they can infiltrate the machine and exfiltrate data.
To protect servers from online criminals, it’s useful to know exactly what their motives are: how do they benefit from taking control of a server? These criminals are pragmatic in the extreme, and before we look at some of the technical reasons they want servers, it’s important to understand the underlying motivation: money. The ultimate goal is always to generate revenue for the criminal, whether directly or indirectly.
There are different ways online criminals can make money, and most of them depend on having access to a reliable source of bandwidth and computational power. No one wants criminals to have access to their servers, and, when they find out they’ve been hacked, server admins immediately close whichever hole the attacker slithered through. Criminals therefore have to constantly replenish their stock of compromised machines, which is why they’re always on the lookout for vulnerable servers.
A botnet is essentially a network of compromised computers under the control of a hacker. They’re used for a wide variety of purposes. One of the most common is as a platform to host the scanners and crawlers we mentioned earlier. Large botnets constantly prowl the web in search of vulnerable servers, content management systems, and eCommerce stores.
But they’re also used to launch distributed denial of service attacks. DDoS attacks use many different machines to bombard victims with huge amounts of bandwidth, knocking them off the internet. That much bandwidth is hard to come by, and the criminals certainly don’t want to pay for it, so they compromise servers and install software that can be used to direct the server to spray data at targets of their choice.
You may not see much spam because modern spam filtering technology is very good. However, millions of spam emails are sent every day, most of them from compromised servers.
When inbox providers and blacklist maintainers realize spam is being sent from a server, they will block its IP address, which, in addition to having your server's resources wasted, will mean you can no longer send legitimate email from it.
Imagine that one day you receive the bill for your cloud infrastructure hosting, and it’s ten or even a hundred times larger than usual. This is not an uncommon scenario. Bitcoin miners target insecure servers and install mining software that uses the computer’s processing power to mine new Bitcoins.
The worst attacks of this sort happen when cloud management credentials fall into the hands of hackers, allowing them to spin up many high-compute servers, which can lead to a very surprising bill.
For companies that store sensitive data, a compromised server can be a disaster. The majority of hacked servers aren’t the result of targeted attacks against a company, but a company can still have its reputation and competitive advantage damaged if user or company data is leaked.
Finally, hackers use compromised servers to host websites that serve malware to unsuspecting visitors. Visitors are drawn to these sites by malicious advertising or phishing attacks, and when they arrive, their computers will be probed for weaknesses and compromised.
For the most part, your server won’t be targeted by a highly motivated and sophisticated attacker. Most attacks are part of the everyday automated numbers game played by online criminals. If you keep your servers’ software up-to-date and use unique and sufficiently complex authentication credentials, the chances of a successful attack against your server are reduced.
But, if your servers are targeted and compromised, it pays to use malware scanning and intrusion detection systems to find out sooner rather than later.