1 Monitor users’ activities
2 Check system process
3 Check the network traffic
4 Check cron jobs
5 Check Rootkits infections
First, log in to your Linux server to view the currently logged-in user through the command "w". Then, go to https://www.iplocation.net/ to check the logged-in IP address. If there are any unfamiliar IPs, your server may be hacked.
Use the command "last -10" to view the information of users who have recently logged in to the system.
If you suspect a specific user of malicious activity, you can check the bash history. Log in as the user you would like to investigate and run the commands below.
Use the command "top" to view the processes that occupy more than 30% of the CPU or memory. If it is not the process you are running, your Linux server may be implanted with malicious programs.
View all process information through the command "ps -aux".
Check the files opened by the process by the command "lsof -p PID". Please replace the PID with the PID number of the suspicious process obtained in the previous two steps.
If it prompts the "-bash: lsof: command not found" error, you need to install lsof:
CentOS: yum install -y lsof
Ubuntu: sudo apt-get install -y lsof
Use the command "ll /proc/PID/exe" to view the exe file associated with the suspicious process. Make sure to replace the PID with the PID number of the suspicious process obtained in the previous two steps. If you detect any suspicious script file, then your Linux server is probably hacked.
Use the command "iftop -n -P" to monitor the current network traffic.
If it prompts the "-bash: iftop: command not found" error, you need to install iftop first:
CentOS: yum install -y iftop
Ubuntu: sudo apt-get install -y iftop
The first column shows the localhost, => and <= indicates the traffic is incoming and outgoing respectively. Some are followed by the remote host addresses.
The last column presents the bandwidth used by each connection.
TX: send traffic
RX: receive traffic
TOTAL: total traffic
Cum: Total traffic from running iftop to the current time
peak: peak flow
For more information about the command "iftop", please access https://www.unixmen.com/iftop-a-network-bandwidth-monitoring-tool-for-linux/
Check the listening and active ports by running the command "netstat -la".
Hackers may place cron scheduled tasks in /etc/crontab, which will run malicious commands regularly. Use the following command to view the scheduled tasks that the current user is running:
crontab -l
View scheduled tasks of other users:
crontab -u username -l
To view the daily, hourly, weekly and monthly cron jobs, use the following command:
ls -la /etc/cron.hourly ls -la /etc/cron.daily ls -la /etc/cron.weekly ls -la /etc/cron.monthly
Edit cron jobs:
crontab -e service crond restart
Rootkit is one of the most dangerous threats to devices. It may result in a system re-installation or even a forced hardware replacement. There is a simple command which can help us to detect the most known rootkits, the command "chkrootkit"(check rootkits).
First, we need to install chkrootkit. On CentOS, run the following commands:
cd ~ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz tar xvf chkrootkit.tar.gz cd chkrootkit-* make sense ./chkrootkit
On Ubuntu, run the following commands:
# apt-get update # apt install chkrootkit -y # chkrootkit