menulogo
Hostingexpand_more
Solutionsexpand_more
Resourcesexpand_more
Data Center
Affiliate
Contact Usexpand_more
VPS HostingVPS HostingResources isolated, For websites and applicationsDedicated ServerDedicated ServerDedicated resources, Optimal performance, Bare metalGPU ServerGPU ServerUsed in deep learning, Android emulator, Gaming, etcCloud hostingCloud hostingWebsite data is distributed in the cloudWeb HostingWeb HostingStore and maintain files. Put website onlineDomain RegistrationDomain RegistrationChoose from .com, .name, .net, .org, .biz, .us and .infoSSL CertificateSSL CertificateSecure transmitted data over the internet
RDP ServerRDP ServerRemote Desktop Connection on WindowsVPN ServerVPN ServerSecure connection, protect your network trafficHA DatabaseHA DatabaseIncrease the service availability and data safetyNetwork Load BalancingNetwork Load BalancingDistributed algorithm to balance network trafficForex VPSForex VPSRun multiple trading terminals and platformsDatabase HostingDatabase HostingSQL, NoSQL, and NewSQL database server hostingKubernetes HostingKubernetes HostingFully Managed Kubernetes Clusters
BlogBlogLearn everything about server industryKnowledgeBaseKnowledgeBaseKnowledge Base articles on server operationsFAQsFAQsSummary of frequently asked questions
Live ChatLive ChatStart an instant online chat with our support teamTicketTicketSubmit us tickets for technical assistanceEmailEmailSend us emails for technical assistance

How to Check if a Linux Server is Hacked

Introduction

The following steps may help you find traces of hacking on your Linux server.

1 Monitor users’ activities

2 Check system process

3 Check the network traffic

4 Check cron jobs

5 Check Rootkits infections

1 Monitor users’ activities

1.1 Check the currently logged-in user

First, log in to your Linux server to view the currently logged-in user through the command "w". Then, go to https://www.iplocation.net/ to check the logged-in IP address. If there are any unfamiliar IPs, your server may be hacked.

Check the currently logged-in user
1.2 Check recently logged in users and IP information

Use the command "last -10" to view the information of users who have recently logged in to the system.

Check recently logged in users and IP information
1.3 Check the bash history

If you suspect a specific user of malicious activity, you can check the bash history. Log in as the user you would like to investigate and run the commands below.

Check the bash history

2 Check system process

The first step is to check if there are any unknown or suspicious processes.
2.1 Check processes with high CPU and memory usage

Use the command "top" to view the processes that occupy more than 30% of the CPU or memory. If it is not the process you are running, your Linux server may be implanted with malicious programs.

Check processes with high CPU and memory usage
2.2 Check all processes

View all process information through the command "ps -aux".

Check all processes
2.3 Check process-related files based on PID

Check the files opened by the process by the command "lsof -p PID". Please replace the PID with the PID number of the suspicious process obtained in the previous two steps.

If it prompts the "-bash: lsof: command not found" error, you need to install lsof:
CentOS: yum install -y lsof
Ubuntu: sudo apt-get install -y lsof

Check all processes
2.4 Check the exe file of suspicious process

Use the command "ll /proc/PID/exe" to view the exe file associated with the suspicious process. Make sure to replace the PID with the PID number of the suspicious process obtained in the previous two steps. If you detect any suspicious script file, then your Linux server is probably hacked.

Check the exe file of suspicious process

3 Check network traffic

If a hacker keeps something in your system for communication or sending messages, you can detect it by monitoring your traffic for unusual activity.
3.1 Check bandwidth usage

Use the command "iftop -n -P" to monitor the current network traffic.

If it prompts the "-bash: iftop: command not found" error, you need to install iftop first:
CentOS: yum install -y iftop
Ubuntu: sudo apt-get install -y iftop

Check bandwidth usage

The first column shows the localhost, => and <= indicates the traffic is incoming and outgoing respectively. Some are followed by the remote host addresses.
The last column presents the bandwidth used by each connection.
TX: send traffic
RX: receive traffic
TOTAL: total traffic
Cum: Total traffic from running iftop to the current time
peak: peak flow
For more information about the command "iftop", please access https://www.unixmen.com/iftop-a-network-bandwidth-monitoring-tool-for-linux/

3.2 Check listening and active ports

Check the listening and active ports by running the command "netstat -la".

Check listening and active ports

4 Check cron jobs

Hackers may place cron scheduled tasks in /etc/crontab, which will run malicious commands regularly. Use the following command to view the scheduled tasks that the current user is running:

crontab -l

View scheduled tasks of other users:

crontab -u username -l

To view the daily, hourly, weekly and monthly cron jobs, use the following command:

ls -la /etc/cron.hourly
ls -la /etc/cron.daily
ls -la /etc/cron.weekly
ls -la /etc/cron.monthly

Edit cron jobs:

crontab -e
service crond restart

5 Check Rootkits infections

Rootkit is one of the most dangerous threats to devices. It may result in a system re-installation or even a forced hardware replacement. There is a simple command which can help us to detect the most known rootkits, the command "chkrootkit"(check rootkits).

First, we need to install chkrootkit. On CentOS, run the following commands:

cd ~
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvf chkrootkit.tar.gz
cd chkrootkit-*
make sense
./chkrootkit

On Ubuntu, run the following commands:

# apt-get update
# apt install chkrootkit -y
# chkrootkit
Check Rootkits infections