Server security is critical for maintaining the integrity, confidentiality, and availability of your data and services. If you suspect unusual activity on your Linux server, it is important to investigate immediately to determine whether the system has been compromised. By checking user activity, running processes, network connections, and suspicious files, administrators can identify possible signs of intrusion or malicious activity.<\/p>\n\n\n\n
Before starting the investigation, ensure the following:<\/p>\n\n\n\n
Root or sudo access to the Linux server<\/p><\/li>\n\n\n\n
Basic knowledge of Linux commands and server administration<\/p><\/li>\n\n\n\n
Access to server log files<\/p><\/li>\n\n\n\n
Backup of important data before making any modifications<\/p><\/li>\n\n\n\n
Avoid deleting or modifying suspicious files during the initial investigation phase<\/p><\/li>\n<\/ul>\n\n\n\n
Use the following commands to identify active users and SSH connections:<\/p>\n\n\n\n
w\n<\/pre>\n\n\n\nnetstat -nalp | grep \":22\"\n<\/pre>\n\n\n\nOR<\/p>\n\n\n\n
w && netstat -nalp | grep \":22\"\n<\/pre>\n\n\n\nThese commands display currently logged-in users and active SSH sessions.<\/p>\n\n\n\n
\n\n\n\n2. Check Who Logged Into the Server Previously<\/h3>\n\n\n\n
last\n<\/pre>\n\n\n\ncat \/var\/log\/secure* | grep ssh | grep Accept\n<\/pre>\n\n\n\ncat \/var\/log\/secure* | grep ftp | grep Accept\n<\/pre>\n\n\n\nThese logs help identify successful SSH and FTP login attempts.<\/p>\n\n\n\n
\n\n\n\n3. Check Current Network Activity<\/h3>\n\n\n\n
netstat -nalp\n<\/pre>\n\n\n\nnmap localhost\n<\/pre>\n\n\n\nOR<\/p>\n\n\n\n
netstat -nalp && nmap localhost\n<\/pre>\n\n\n\nThese commands help identify listening ports, suspicious services, and unusual network activity.<\/p>\n\n\n\n
\n\n\n\n4. Check Running Processes<\/h3>\n\n\n\n
ps -elf\n<\/pre>\n\n\n\nls \/proc\/*\/exe -la\n<\/pre>\n\n\n\nReview running processes carefully for unknown or suspicious programs.<\/p>\n\n\n\n
\n\n\n\n5. Check Common Attack Locations<\/h3>\n\n\n\n
ls \/tmp -la\n<\/pre>\n\n\n\nls \/var\/tmp -la\n<\/pre>\n\n\n\nls \/dev\/shm -la\n<\/pre>\n\n\n\nThese directories are commonly used by attackers to store malicious scripts or binaries.<\/p>\n\n\n\n
\nImportant:<\/strong>
Do not delete or modify files immediately. First catalog and document suspicious files for further investigation.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n6. Check Linux Version Information<\/h3>\n\n\n\n
For Red Hat-based systems:<\/p>\n\n\n\n
cat \/etc\/redhat-release\n<\/pre>\n\n\n\nFor non-Red Hat systems:<\/p>\n\n\n\n
cat \/etc\/issue\n<\/pre>\n\n\n\nCompare the output with:<\/p>\n\n\n\n
uname -a\n<\/pre>\n\n\n\nand<\/p>\n\n\n\n
cat \/proc\/version\n<\/pre>\n\n\n\nThis helps verify whether the kernel version matches the installed operating system version.<\/p>\n\n\n\n
\n\n\n\n7. Check File Ownership and Access Information<\/h3>\n\n\n\n
Check the author or owner of files:<\/p>\n\n\n\n
ls -la --author\n<\/pre>\n\n\n\nCheck file access times:<\/p>\n\n\n\n
ls -l --time=access\n<\/pre>\n\n\n\nThis helps identify recently accessed or modified files.<\/p>\n\n\n\n
\n\n\n\n8. Identify File Type<\/h3>\n\n\n\n
Before opening suspicious files, verify whether they are text or binary files:<\/p>\n\n\n\n
file filename\n<\/pre>\n\n\n\nOR<\/p>\n\n\n\n
file \/path\/to\/directory\/*\n<\/pre>\n\n\n\n
\n\n\n\n9. Update the Locate Database<\/h3>\n\n\n\n
updatedb &\n<\/pre>\n\n\n\nThis updates the locate database for faster file searches.<\/p>\n\n\n\n
\n\n\n\n10. Search for Apache Exploits<\/h3>\n\n\n\n
Search Apache access logs for common exploit patterns:<\/p>\n\n\n\n
for i in `locate access_log`; do echo $i; egrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' $i; done\n<\/pre>\n\n\n\nOR<\/p>\n\n\n\n
egrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' \/path\/to\/log\/files\/*\n<\/pre>\n\n\n\ncPanel Servers<\/h4>\n\n\n\n
egrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' \/usr\/local\/apache\/logs\/*\n<\/pre>\n\n\n\negrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' \/home\/*\/statistics\/logs\/*\n<\/pre>\n\n\n\nEnsim Servers<\/h4>\n\n\n\n
egrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' \/home\/virtual\/site*\/fst\/var\/log\/httpd\/*\n<\/pre>\n\n\n\nPlesk Servers<\/h4>\n\n\n\n
egrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' \/home\/httpd\/vhosts\/*\/statistics\/logs\/*\n<\/pre>\n\n\n\negrep -i '(chr\\(|system\\()|(curl|wget|chmod|gcc|perl)%20' \/var\/log\/httpd\/*\n<\/pre>\n\n\n\n
\n\n\n\n11. Search for Shell Code Patterns<\/h3>\n\n\n\n
cat \/path\/to\/access\/logs\/* | grep \"\/x90\/\"\n<\/pre>\n\n\n\nThis command searches for possible shellcode patterns in access logs.<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
By following the above investigation steps, administrators can identify suspicious activity and determine whether a Linux server has been compromised. Regular monitoring of login activity, processes, network connections, and log files plays a major role in early threat detection and server protection. If signs of compromise are found, it is recommended to isolate the server, perform a detailed forensic analysis, and strengthen security measures immediately.<\/p>\n","protected":false},"excerpt":{"rendered":"