How to Check if a Linux Server is Hacked


The following steps may help you find traces of hacking on your Linux server.  
1 Monitor users’ activities
2 Check system process
3 Check the network traffic
4 Check cron jobs
5 Check Rootkits infections

1 Monitor users’ activities    

1.1 Check the currently logged-in user

First, log in to your Linux server to view the currently logged-in user through the command "w". Then, go to to check the logged-in IP address. If there are any unfamiliar IPs, your server may be hacked.
# w

1.2 Check recently logged in users and IP information

Use the command "last -10" to view the information of users who have recently logged in to the system.
# last -10

1.3 Check the bash history

If you suspect a specific user of malicious activity, you can check the bash history. Log in as the user you would like to investigate and run the commands below.
# su <user>
# history

2 Check system process

The first step is to check if there are any unknown or suspicious processes.

2.1 Check processes with high CPU and memory usage

Use the command "top" to view the processes that occupy more than 30% of the CPU or memory. If it is not the process you are running, your Linux server may be implanted with malicious programs.
# top

2.2 Check all processes

View all process information through the command "ps -aux".
# ps -aux

2.3 Check process-related files based on PID

Check the files opened by the process by the command "lsof -p PID". Please replace the PID with the PID number of the suspicious process obtained in the previous two steps.
If it prompts the "-bash: lsof: command not found" error, you need to install lsof:
CentOS: yum install -y lsof
Ubuntu: sudo apt-get install -y lsof
# lsof -p PID

2.4 Check the exe file of suspicious process

Use the command "ll /proc/PID/exe" to view the exe file associated with the suspicious process. Make sure to replace the PID with the PID number of the suspicious process obtained in the previous two steps. If you detect any suspicious script file, then your Linux server is probably hacked.
# ll /proc/PID/exe

3 Check network traffic

If a hacker keeps something in your system for communication or sending messages, you can detect it by monitoring your traffic for unusual activity.

3.1 Check bandwidth usage

Use the command "iftop -n -P" to monitor the current network traffic.
# iftop -n –P
If it prompts the "-bash: iftop: command not found" error, you need to install iftop first:
CentOS: yum install -y iftop
Ubuntu: sudo apt-get install -y iftop
The first column shows the localhost, => and <= indicates the traffic is incoming and outgoing respectively. Some are followed by the remote host addresses.
The last column presents the bandwidth used by each connection.
TX: send traffic
RX: receive traffic
TOTAL: total traffic
Cum: Total traffic from running iftop to the current time
peak: peak flow
For more information about the command "iftop", please access 

3.2 Check listening and active ports

Check the listening and active ports by running the command "netstat -la".
# nestat -la

4 Check cron jobs

Hackers may place cron scheduled tasks in /etc/crontab, which will run malicious commands regularly.
Use the following command to view the scheduled tasks that the current user is running:
crontab -l
View scheduled tasks of other users:
crontab -u username -l
To view the daily, hourly, weekly and monthly cron jobs, use the following command:
ls -la /etc/cron.hourly
ls -la /etc/cron.daily
ls -la /etc/cron.weekly
ls -la /etc/cron.monthly
Edit cron jobs:
crontab -e
service crond restart

5 Check Rootkits infections

Rootkit is one of the most dangerous threats to devices. It may result in a system re-installation or even a forced hardware replacement. There is a simple command which can help us to detect the most known rootkits, the command "chkrootkit"(check rootkits).
First, we need to install chkrootkit:
CentOS: Run the following commands:
cd ~
tar xvf chkrootkit.tar.gz
cd chkrootkit-*
make sense
# apt-get update
# apt install chkrootkit -y
# chkrootkit

Add Feedback