How to check if your server has been hacked

Root compromises

This means someone has full access to the system, here are the tell tale signs in order of most likely to give you a quick feel for what’s going on.

1. Have a look for system files that have changed recently. This is the first thing I would do.

find /etc /var -mtime -2

The “-2” means 2 days, i.e. show me all files modified in the last 2 days.

Now if you haven’t installed any new software on your server for a while then this command will run and produce very little output. For a server I investigated there were references to postfix. clearly someone had installed a mail server probably for sending spam.

2. Run who

user1 pts/2 2012-03-28 13:38 (

This should give you a list of users on the system, what you’re looking for is users other than yourself especially root. Continue reading “How to check if your server has been hacked” »