Cloud Service >> Knowledgebase >> Linux >> How to Check if a Linux Server is Hacked: A Step-by-Step Guide
submit query

Cut Hosting Costs! Submit Query Today!

How to Check if a Linux Server is Hacked: A Step-by-Step Guide

In today's digital landscape, the security of your server, whether hosted on-premises or in the cloud, is a top priority. A hacked Linux server can lead to data theft, service disruptions, and even widespread system compromise. Detecting a compromised server early can help mitigate potential damage. This guide will walk you through the steps to check if your Linux hosting environment is compromised, and what actions to take if it is.

Signs of a Potentially Hacked Linux Server

Before diving into the technical checks, it’s important to know the common symptoms that indicate a server may have been compromised:

Unusual activity: Anomalies such as unauthorized login attempts or unexpected server performance degradation.

Unauthorized processes: Suspicious processes running on the server that consume excessive resources.

Unexpected files: Presence of unfamiliar files, or files that have been altered without explanation.

Server crashes: Frequent server crashes or slowdowns that occur without a clear cause.

Step 1: Monitor Login Activity

One of the first places to check is the login activity on your server. Hackers typically gain access to a Linux server by exploiting weak passwords or vulnerabilities in services. Monitoring login attempts will give you a quick indication of unauthorized access.

Commands to Check Login Attempts:

Use the following command to check recent login attempts:
lastlog

This will show you the last login for each user on the system.

To check failed login attempts, use:
sudo cat /var/log/auth.log | grep "Failed"

This command checks the auth.log file, where Linux records login attempts. If there are many failed login attempts in a short period, it could indicate a brute-force attack.

Step 2: Check for Suspicious Processes

Hackers often run malicious scripts or backdoors in the background. Use these commands to check for any unusual processes that are running on your Linux server.

Commands to Check Running Processes:

Run the top command to see a real-time list of processes:
top

Look for processes that are consuming excessive CPU or memory resources, especially if they’re unfamiliar.

To see all running processes, use:
ps aux

Look for strange or unfamiliar processes. Legitimate processes will typically be associated with known programs, while malicious processes may have random names or obscure locations.

Additionally, use:
sudo lsof -i -P -n

This command lists all open ports and their associated processes. Unfamiliar or open ports can be signs of unauthorized access.

Step 3: Check for Unusual Network Activity

Hackers often exfiltrate data or use Linux servers to launch attacks on other systems. Monitoring network activity is essential to detect suspicious outbound connections.

Commands to Monitor Network Activity:

Use the netstat command to list network connections and their statuses:
netstat -tulnp

Look for connections on unusual ports or foreign IP addresses that seem out of place.

You can also use iftop for a real-time overview of bandwidth usage:
sudo iftop

This tool helps monitor network traffic and detect any unusual data transfer or suspicious IP addresses.

Step 4: Review File Integrity

One of the most reliable ways to detect a hacked Linux server is by checking for modifications to critical system files or the presence of unfamiliar files. Hackers often replace or alter system files to maintain control over the server.

Commands to Check for Changes:

Check for newly modified files using the find command:
sudo find / -type f -mtime -1

This will show files that have been modified in the last 24 hours. Any unexpected modifications could indicate that a malicious script or backdoor was added to the system.

To monitor file integrity, consider using tools like AIDE (Advanced Intrusion Detection Environment), which helps detect unauthorized file modifications:
sudo aide --check

Step 5: Investigate Installed Software

Hackers often install malicious software or backdoors on the Linux server to maintain access. It’s important to regularly review the software packages installed on your server.

Commands to Check Installed Packages:

To list all installed packages, use:
dpkg --get-selections

or for RPM-based distributions:
rpm -qa

Look for packages that you didn’t install or recognize. These could be malware or unauthorized tools.

Step 6: Review Scheduled Jobs (Cron Jobs)

Malicious actors often use cron jobs to schedule tasks like running scripts or keeping a backdoor open. Check for unauthorized cron jobs that might have been scheduled by an attacker.

Commands to Check Cron Jobs:

To view system-wide cron jobs, use:
sudo cat /etc/crontab

sudo ls /etc/cron.d/

Review the output for any unfamiliar entries that don’t belong to system administrators or your legitimate software.

For user-specific cron jobs, use:
crontab -l

Step 7: Examine Logs for Suspicious Activity

Examining log files for abnormal activity is crucial when investigating a compromised Linux server. Logs provide detailed insights into what has been happening on the server.

Logs to Review:

Auth.log: This log keeps track of authentication-related events, including logins and sudo activity.
sudo cat /var/log/auth.log

Syslog: This log stores general system activities and may contain clues about unusual behavior.
sudo cat /var/log/syslog

Step 8: Use Security Tools

Several security tools are available to help detect vulnerabilities and intrusions on a Linux server.

Chkrootkit: A tool that helps identify rootkits, a common form of malware.
sudo chkrootkit

Rkhunter: Another tool to check for rootkits and other suspicious activity.

sudo rkhunter --check

Conclusion

Detecting a hacked server involves a systematic check for suspicious processes, file changes, network activity, and unauthorized access. By regularly monitoring these areas, you can identify potential breaches early and take steps to protect your Linux server. If you suspect your server is compromised, it’s critical to take immediate action to isolate the server, investigate further, and, if necessary, restore from a secure backup.

By implementing strong security practices, maintaining up-to-date software, and monitoring server logs and processes, you can better safeguard your cloud hosting environment against attacks.

Cut Hosting Costs! Submit Query Today!

Grow With Us

Let’s talk about the future, and make it happen!