We’re a lot to face intrusion attemps in our IS. There can be many interests for attackers, for example data theft, using your computing power … Most of the Hackers takes precaution while performing illegal activities and always try to hide themselves from being caught. Once the system is compromised hacker always install some backdoor on compromised system to maintain access. Today we will show on how we can check if your linux server is hacked or Not?
Users & Shells
/etc/passwd & /etc/shells
You can check that you don’t have new unknow user on your server
Local user information is stored in the /etc/passwd file. Each line in this file represents login information for one user
cat /etc/passwd
Each line in the file has seven fields delimited by colons that contain the following information:
You can also only display user who can use a shell :
cat /etc/passwd | grep /bin/bash
The /etc/shells is a Linux text file which contains the full pathnames of valid login shells.
cat /etc/shells
Curent Logged users
Check who is currently logged into your server. It’s not uncommom to find a logged in attacker …
w
You’ll have some details da :
who
Last logged users
Step 2 : last let you see who was logged into the server. It go back till the server installation. lastb let you see who tried to logged into the server (lastb = failed logon)
last
lastb
Network
Listening ports
An Hacker can install a backdoor on your server. This backdoor will expose a TCP or an UDP port on internet, so the hacker will keep an access to the machine.
We can use command “netstat -lntup”. This command will list out all network connections in our system.
netstat -lntup
Network Traffic Monitoring
You can use iftop to monitor your network traffic in real time. It’ll show you the source / destination & the traffic.
iftop
iftop isn’t installed by default. You can follow this howto if you want to install it : iftop – A Real Time Linux Network Bandwidth Monitoring Tool
Network cards & routes
The traffic can be redirected by an attacker and network cards can be modified (added, deleted … .). You can check the network cards with the command ip
ip a
To check your routes, and verify no routes were added, you can use the command ip route
ip route
SSH attempt connection
You can parse your logs, to check the SSH connection attempt. Each attempt is recorded into /var/log/auth.log for DEB, or /var/log/secure for Centos/Redhat
I sugget you this article : How to Find All Failed SSH login Attempts in Linux if you want more details.
Command history
Linux stores the commands in history, which we use in the terminal. By issuing history command we can see the list of commands executed by user in the terminal.
Other usefull commands :
tail -n 200 ~/.bash_history | more
cat ~/.bash_history | more
cat /home/USER_YOU_WANT_TO_VIEW/.bash_history
tail -n 200 ~/.bash_history | more
I suggest you to keep your history out of the .bash_history file … any hacker can delete it. You can use for example recent2, whish will store the bash history in a sqlite db, or even better, you can log your bash_history to an ELK stack. I’ll do a small post about it :).
Recently modified files
If you are under attack, some files will likely be modified on your system. You can list them with the very powerful find tool.
A file in Linux contains three timestamps:
- atime: access time or Last access time
- mtime: modify time or Last modification time
- ctime: change time or Last change time
Here is an example, to find only files that was modified less than 2 Days :
find /etc /var -mtime -2
if you want more details & more examples about the find command, I suggest you the article of 2daygeek
I sugget you to check the following folders more in details :
- /tmp
- /root/.ssh/
- /home/other-users/.ssh/
Processes
Look at the top cpu-use processes. Hackers with root level access typically use as much server resources as possible to hack other servers, send email spam, or mine for cryptocurrency.
We can use the command top, but I prefer to use htop which give you more possibilites
If you don’t recognize a process, try lsof -p 678 or strace -p 678 (replacing “678” with the actual process ID number). Lsof will show all the files run by a process (super useful).
Strace is used to trace the system calls and signals. which will interpret and records the system calls made by the process. We use this command for debugging and troubleshooting in linux operating system.
Conclusion
It’s a good start to check if your server was compromised, but it’s not enough, you can imagine it, but it’s possible to erase these traces and be almost invisible.
I suggest you :
- to set up the right security on your servers
- to have an automatic monitoring & log collection system to be warned in the event of attempted intrusions.
