I am a web developer and we currently have no one at our office who specializes in looking after the server or network. Usually I can solve a lot of problems with my basic knowledge, but right now strange things are happening and I do not know what's going on, so I'm looking for advice from someone a lot more competent than me to shed a little light on it if possible.
We have an eCloud server hosted by UKFast (a Linux server), which contains a VPS and many client sites. Yesterday the server went down at random, and when we realized, we called them and they said that someone had SSHed in and executed the command
sudo rm TSG-server.pub, which essentially deleted our entire server. UKFast quickly managed to get an IP address indicating the origin of the user who accessed it, but 1. I do not know how that helps and 2. they could have used a VPN anyway.
What is strange is that there was a connection attempt and it was successful … So whatever it was, it knew the password or got it from somewhere. The only place we keep our password is in LastPass and no one else knows it. So we restored the backup, recovered everything, changed the password and called it a day.
Fast forward to this morning and it has happened again … except this time they left no trace of anyone, because they made sure to remove the logs as well …
How could they do that and how can we stop it? I do not even know where to start …
Does anyone have any idea how this could happen, please?