This means someone has full access to the system. Here are the telltale signs, in order of how likely they are to give you a quick feel for what’s going on.
1. Have a look for system files that have changed recently. This is the first thing I would do.
find /etc /var -mtime -2
The “-2” means 2 days, i.e. show me all files modified in the last 2 days.
Now if you haven’t installed any new software on your server for a while, then this command will run and produce very little output. For a server I investigated there were references to postfix. Clearly someone had installed a mail server, probably for sending spam.
2. Run who
who
user1 pts/2 2012-03-28 13:38 (188.8.131.52)
This should give you a list of users on the system. What you’re looking for is users other than yourself, especially root.
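The two checks above can be wrapped into small triage helpers. This is an added example, not code from the original post; the function names, the allowlist argument and the sample `who` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for the "recent changes" and "who" checks.

# recent_changes DAYS DIR...
# Regular files modified in the last DAYS days (same -mtime test as the
# find command above, limited to files so the output stays short).
recent_changes() {
    days=$1; shift
    find "$@" -type f -mtime "-$days" 2>/dev/null | sort
}

# flag_sessions "ALLOWED USERS"
# Reads `who` output on stdin and prints every session whose user is root
# or is not in the space-separated allowlist.
flag_sessions() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0 { next }
        {
            user = $1; tty = $2; host = "local"
            # who prints the remote host in parentheses as the last field
            if ($NF ~ /^\(.*\)$/) host = substr($NF, 2, length($NF) - 2)
            if (user == "root" || !(user in ok))
                printf "%s tty=%s from=%s\n", user, tty, host
        }'
}

# Constructed sample of `who` output (addresses from documentation ranges).
SAMPLE_WHO='admin    pts/0        2012-03-28 09:12 (192.0.2.10)
user1    pts/2        2012-03-28 13:38 (198.51.100.7)
root     tty1         2012-03-28 13:40'

# Demo on the constructed sample; "admin" is the assumed legitimate account.
printf '%s\n' "$SAMPLE_WHO" | flag_sessions "admin"

# Live use on a server:
#   recent_changes 2 /etc /var
#   who | flag_sessions "$(id -un)"
```
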