{"id":96,"date":"2012-01-24T04:29:00","date_gmt":"2012-01-24T04:29:00","guid":{"rendered":"http:\/\/pheonixsolutions.com\/?p=96"},"modified":"2012-01-24T04:29:00","modified_gmt":"2012-01-24T04:29:00","slug":"check-if-the-server-is-hacked-or-not","status":"publish","type":"post","link":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/","title":{"rendered":"Check if the server is hacked or not"},"content":{"rendered":"
How to check if the server is hacked or not?<\/p>\n

These are the simple steps to check if your server got hacked or free from hack.<\/p>\n

security – Check your server is hacked or not
Steps to investigate hacked linux server<\/p>\n

Steps to investigate hacked linux server<\/p>\n

Check your server is hacked or not<\/p>\n

Following are the few to investigate whether the linux server is hacked or not:<\/p>\n

Follow the steps one by one and analyse or check your linux server is hacked or not.<\/p>\n

Who is on the Server:
$ w <\/b><\/p>\n

$ netstat -nalp | grep “:22”<\/b><\/p>\n

OR<\/p>\n

$ w && netstat -nalp | grep “:22”<\/b>
The above commands will say who are all logged into the server.<\/p>\n

Who was on the Server
$ last<\/b><\/p>\n

$ cat \/var\/log\/secure* | grep ssh | grep Accept<\/b><\/p>\n

$ cat \/var\/log\/secure* | grep ftp | grep Accept<\/b><\/p>\n

Check what is the Current Network Activity of your server
$ netstat -nalp <\/b>

<\/b>
$ nmap localhost<\/b><\/p>\n

OR<\/p>\n

$ netstat -nalp && nmap localhost<\/b><\/p>\n

What Processes are Running:
$ ps -elf <\/b>

<\/b>
$ ls \/proc\/*\/exe -la<\/b><\/p>\n

What Files are in the Common Attack Points:
$ ls \/tmp -la <\/b>

<\/b>
$ ls \/var\/tmp -la <\/b>

<\/b>
$ ls \/dev\/shm -la<\/b>
These are all the common unsecured places where the hacker intrudes into your linux server.<\/p>\n

Don’t delete any thing or make changes just yet, just catalog every thing. Do not access a file with cat or strings, catalog the files and save that for later. Once you start deleting things you can no longer further investigate as to how deep they have penetrated. Don’t be fooled into seeing a common Apache compromise and think it ended there. Many times that was just the broken window they used to get in the first time, meanwhile they are tunneling deeper trying to get into root access.<\/p>\n

What version of Linux is running
$ cat \/etc\/redhat-release<\/b><\/p>\n

For non Red-Hat Linux
$ cat \/etc\/issue<\/b><\/p>\n

Compare this to the kernel
$ uname -a<\/b><\/p>\n

and<\/p>\n

$ cat \/proc\/version<\/b><\/p>\n

Who is the author of the file:
$ ls -la –author<\/b><\/p>\n

When was the last time the file has been accessed and by who:
$ ls -l –time=access<\/b><\/p>\n

Before you run off and use the cat command it is good to first check the file type with the file command. Many a time I myself have been fooled seeing a file marked as something.html and finding it was really a binary file.<\/p>\n

What kind of file is it(ASCII or Binary):
$ file filename<\/b><\/p>\n

OR<\/p>\n

$ file \/path\/to\/directory\/*<\/b><\/p>\n

You have been trying to be sneaky and not have any obvious virus scan running in the process list so as to not be detected, but that is tedious work and slow.<\/p>\n

Update the Locate Database:
$ updatedb &<\/b><\/p>\n

If this is a web server then the next thing to hunt for is signs of Apache exploits and SQL injection scripts. This nice little script was handed down to me from a co-worker and does a nice job of hunting through the log files rather than the long tedious work of searching manually.<\/p>\n

Search for Apache Exploit
$ for i in `locate access_log`; do echo $i; egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’ $i; done<\/b><\/p>\n

OR<\/p>\n

$ egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’ \/path\/to\/log\/files\/*<\/b><\/p>\n

cPanel
$ egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’ \/usr\/local\/apache\/logs\/* <\/b><\/p>\n

$ egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’ \/home\/*\/statistics\/logs\/*<\/b><\/p>\n

Ensim
egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’\/home\/virtual\/site*\/fst\/var\/log\/httpd\/*<\/b><\/p>\n

Plesk
$ egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’ \/home\/httpd\/vhosts\/*\/statistics\/logs\/* <\/b><\/p>\n

$ egrep -i ‘(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20’ \/var\/log\/httpd\/*<\/b><\/p>\n

Search for Shell Code:
$ cat \/path\/to\/access\/logs\/* | grep “\/x90\/”<\/b><\/p>\n

From these steps you can confirm that the server is hacked or protected. I hope these steps will help you a lot in trouble shooting the issues. Please give us your valuable comments if you like this post or if you have any\u00c2\u00a0quires.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

How to check if the server is hacked or not? These are the simple steps to check if your server got hacked or free from hack. security – Check your server is hacked or notSteps to investigate hacked linux server Steps to investigate hacked linux server Check your server is… Continue Reading Check if the server is hacked or not<\/span><\/i><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-96","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"hentry","6":"category-uncategorized","7":"h-entry","9":"h-as-article"},"yoast_head":"\nPheonix Solutions - We Empower Your Business Growth<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pheonix Solutions - We Empower Your Business Growth\" \/>\n<meta property=\"og:description\" content=\"How to check if the server is hacked or not? These are the simple steps to check if your server got hacked or free from hack. security – Check your server is hacked or notSteps to investigate hacked linux server Steps to investigate hacked linux server Check your server is… Continue Reading Check if the server is hacked or not\" \/>\n<meta property=\"og:url\" content=\"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/\" \/>\n<meta property=\"og:site_name\" content=\"PHEONIXSOLUTIONS\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/PheonixSolutions-209942982759387\/\" \/>\n<meta property=\"article:published_time\" content=\"2012-01-24T04:29:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pheonixsolutions.com\/blog\/wp-content\/uploads\/2016\/09\/PX2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"3837\" \/>\n\t<meta property=\"og:image:height\" content=\"2540\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@pheonixsolution\" \/>\n<meta name=\"twitter:site\" content=\"@pheonixsolution\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/0ffa33d73c869faec2d50e79c24e3503\"},\"headline\":\"Check if the server is hacked or not\",\"datePublished\":\"2012-01-24T04:29:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/\"},\"wordCount\":663,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/\",\"url\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/\",\"name\":\"Pheonix Solutions - We Empower Your Business Growth\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#website\"},\"datePublished\":\"2012-01-24T04:29:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/check-if-the-server-is-hacked-or-not\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Check if the server is hacked or not\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/\",\"name\":\"Pheonix Solutions\",\"description\":\"We Empower Your Business Growth\",\"publisher\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#organization\",\"name\":\"PheonixSolutions\",\"url\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/12\\\/logo.png\",\"contentUrl\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2016\\\/12\\\/logo.png\",\"width\":454,\"height\":300,\"caption\":\"PheonixSolutions\"},\"image\":{\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/PheonixSolutions-209942982759387\\\/\",\"https:\\\/\\\/x.com\\\/pheonixsolution\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/0ffa33d73c869faec2d50e79c24e3503\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/09bacc0294abee1322a23ab4bc6a0330dd4cb4df707dc9d0b0efeba6c109608b?s=96&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/09bacc0294abee1322a23ab4bc6a0330dd4cb4df707dc9d0b0efeba6c109608b?s=96&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/09bacc0294abee1322a23ab4bc6a0330dd4cb4df707dc9d0b0efeba6c109608b?s=96&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"http:\\\/\\\/pheonixsolutions.com\\\/blog\"],\"url\":\"https:\\\/\\\/pheonixsolutions.com\\\/blog\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Pheonix Solutions - We Empower Your Business Growth","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/","og_locale":"en_US","og_type":"article","og_title":"Pheonix Solutions - We Empower Your Business Growth","og_description":"How to check if the server is hacked or not? These are the simple steps to check if your server got hacked or free from hack. security – Check your server is hacked or notSteps to investigate hacked linux server Steps to investigate hacked linux server Check your server is… Continue Reading Check if the server is hacked or not","og_url":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/","og_site_name":"PHEONIXSOLUTIONS","article_publisher":"https:\/\/www.facebook.com\/PheonixSolutions-209942982759387\/","article_published_time":"2012-01-24T04:29:00+00:00","og_image":[{"width":3837,"height":2540,"url":"https:\/\/pheonixsolutions.com\/blog\/wp-content\/uploads\/2016\/09\/PX2.png","type":"image\/png"}],"author":"admin","twitter_card":"summary_large_image","twitter_creator":"@pheonixsolution","twitter_site":"@pheonixsolution","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/#article","isPartOf":{"@id":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/"},"author":{"name":"admin","@id":"https:\/\/pheonixsolutions.com\/blog\/#\/schema\/person\/0ffa33d73c869faec2d50e79c24e3503"},"headline":"Check if the server is hacked or not","datePublished":"2012-01-24T04:29:00+00:00","mainEntityOfPage":{"@id":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/"},"wordCount":663,"commentCount":0,"publisher":{"@id":"https:\/\/pheonixsolutions.com\/blog\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/","url":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/","name":"Pheonix Solutions - We Empower Your Business Growth","isPartOf":{"@id":"https:\/\/pheonixsolutions.com\/blog\/#website"},"datePublished":"2012-01-24T04:29:00+00:00","breadcrumb":{"@id":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/pheonixsolutions.com\/blog\/check-if-the-server-is-hacked-or-not\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/pheonixsolutions.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Check if the server is hacked or not"}]},{"@type":"WebSite","@id":"https:\/\/pheonixsolutions.com\/blog\/#website","url":"https:\/\/pheonixsolutions.com\/blog\/","name":"Pheonix Solutions","description":"We Empower Your Business Growth","publisher":{"@id":"https:\/\/pheonixsolutions.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/pheonixsolutions.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/pheonixsolutions.com\/blog\/#organization","name":"PheonixSolutions","url":"https:\/\/pheonixsolutions.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/pheonixsolutions.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/pheonixsolutions.com\/blog\/wp-content\/uploads\/2016\/12\/logo.png","contentUrl":"https:\/\/pheonixsolutions.com\/blog\/wp-content\/uploads\/2016\/12\/logo.png","width":454,"height":300,"caption":"PheonixSolutions"},"image":{"@id":"https:\/\/pheonixsolutions.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/PheonixSolutions-209942982759387\/","https:\/\/x.com\/pheonixsolution"]},{"@type":"Person","@id":"https:\/\/pheonixsolutions.com\/blog\/#\/schema\/person\/0ffa33d73c869faec2d50e79c24e3503","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/09bacc0294abee1322a23ab4bc6a0330dd4cb4df707dc9d0b0efeba6c109608b?s=96&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/09bacc0294abee1322a23ab4bc6a0330dd4cb4df707dc9d0b0efeba6c109608b?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/09bacc0294abee1322a23ab4bc6a0330dd4cb4df707dc9d0b0efeba6c109608b?s=96&r=g","caption":"admin"},"sameAs":["http:\/\/pheonixsolutions.com\/blog"],"url":"https:\/\/pheonixsolutions.com\/blog\/author\/admin\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7F4uM-1y","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/96","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/comments?post=96"}],"version-history":[{"count":0,"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/96\/revisions"}],"wp:attachment":[{"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/media?parent=96"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/categories?post=96"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pheonixsolutions.com\/blog\/wp-json\/wp\/v2\/tags?post=96"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}