Linux – How to know if the Linux server has been hacked

audithackinglinuxSecurity

What are the tell-tale signs that a Linux server has been hacked? Are there any tools that can generate and email an audit report on a scheduled basis?

Best Answer

Keep a pristine copy of critical system files (such as ls, ps, netstat, md5sum) somewhere, with an md5sum of them, and compare them to the live versions regularly. Rootkits will invariably modify these files. Use these copies if you suspect the originals have been compromised.
aide or tripwire will tell you of any files that have been modified - assuming their databases have not been tampered with.
Configure syslog to send your logfiles to a remote log server where they can't be tampered with by an intruder. Watch these remote logfiles for suspicious activity
read your logs regularly - use logwatch or logcheck to synthesize the critical information.
Know your servers. Know what kinds of activities and logs are normal.

Related Solutions

Linux – How to clean up hacked user account (not root)

You can never be completely sure what they did on the user account. But places to start are the .*history files in the home directory.

My advice would be to copy out the known good/important data and then blow the rest away. The intruder could have left any sorts of nasty surprises in configuration files, .bashrc, etc.

You should also check to see if any files owned by the user are on the system and look for running processes:

# find / -user USERNAME
# ps -a -u USERNAME

For the future, I would advise turning on process accounting. You can then check previously run commands using 'lastcomm'.

How do companies know they’ve been hacked

Generally they look for subtle forensic clues; such as their homepage being changed to a banner which reads "p0Wned by TeH L33t Krew!! haahah1h1!! u noobs"

Best Answer

Related Solutions

Linux – How to clean up hacked user account (not root)

How do companies know they’ve been hacked

Related Topic