Home / Security / Hacking / Investigate if your linux server has been hacked or not

Investigate if your linux server has been hacked or not

We’re a lot to face intrusion attemps in our IS. There can be many interests for attackers, for example data theft, using your computing power … Most of the Hackers takes precaution while performing illegal activities and always try to hide themselves from being caught. Once the system is compromised hacker always install some backdoor on compromised system to maintain access. Today we will show on how we can check if your linux server is hacked or Not?

Users & Shells

/etc/passwd & /etc/shells

You can check that you don’t have new unknow user on your server

Local user information is stored in the /etc/passwd file. Each line in this file represents login information for one user

Each line in the file has seven fields delimited by colons that contain the following information:

source : landoflinux

You can also only display user who can use a shell :

The /etc/shells is a Linux text file which contains the full pathnames of valid login shells.

Curent Logged users

Check who is currently logged into your server. It’s not uncommom to find a logged in attacker …

You’ll have some details da :

Last logged users

Step 2 : last let you see who was logged into the server. It go back till the server installation. lastb let you see who tried to logged into the server (lastb = failed logon)


Listening ports

An Hacker can install a backdoor on your server. This backdoor will expose a TCP or an UDP port on internet, so the hacker will keep an access to the machine.

We can use command “netstat -lntup”. This command will list out all network connections in our system.

Network Traffic Monitoring

You can use iftop to monitor your network traffic in real time. It’ll show you the source / destination & the traffic.

iftop isn’t installed by default. You can follow this howto if you want to install it : iftop – A Real Time Linux Network Bandwidth Monitoring Tool

Network cards & routes

The traffic can be redirected by an attacker and network cards can be modified (added, deleted … .). You can check the network cards with the command ip

To check your routes, and verify no routes were added, you can use the command ip route

SSH attempt connection

You can parse your logs, to check the SSH connection attempt. Each attempt is recorded into /var/log/auth.log for DEB, or /var/log/secure for Centos/Redhat

I sugget you this article : How to Find All Failed SSH login Attempts in Linux if you want more details.


Command history

Linux stores the commands in history, which we use in the terminal. By issuing history command we can see the list of commands executed by user in the terminal.

Other usefull commands :

tail -n 200 ~/.bash_history | more

cat ~/.bash_history | more

cat /home/USER_YOU_WANT_TO_VIEW/.bash_history

I suggest you to keep your history out of the .bash_history file … any hacker can delete it. You can use for example recent2, whish will store the bash history in a sqlite db, or even better, you can log your bash_history to an ELK stack. I’ll do a small post about it :).

Recently modified files

If you are under attack, some files will likely be modified on your system. You can list them with the very powerful find tool.

A file in Linux contains three timestamps:

  • atime: access time or Last access time
  • mtime: modify time or Last modification time
  • ctime: change time or Last change time

Here is an example, to find only files that was modified less than 2 Days :

if you want more details & more examples about the find command, I suggest you the article of 2daygeek

I sugget you to check the following folders more in details :

  • /tmp
  • /root/.ssh/
  • /home/other-users/.ssh/


Look at the top cpu-use processes. Hackers with root level access typically use as much server resources as possible to hack other servers, send email spam, or mine for cryptocurrency.

We can use the command top, but I prefer to use htop which give you more possibilites

Screenshot of htop

If you don’t recognize a process, try lsof -p 678 or strace -p 678 (replacing “678” with the actual process ID number). Lsof will show all the files run by a process (super useful).

Strace is used to trace the system calls and signals. which will interpret and records the system calls made by the process. We use this command for debugging and troubleshooting in linux operating system.


It’s a good start to check if your server was compromised, but it’s not enough, you can imagine it, but it’s possible to erase these traces and be almost invisible.

I suggest you :

  • to set up the right security on your servers
  • to have an automatic monitoring & log collection system to be warned in the event of attempted intrusions.


About Alexandre Nogard

Check Also

Forcepoint : Deploy the SMC on AWS | Part I

How to deploy Forcepoint SMC (Security Management Center) on AWS ? This is a good …

Hash Cracking with AWS EC2 P3 & Hashcat

Password cracking is a mandatory activity when you perform a pentest. Having access to a …

Introduction to Forcepoint API & SMC-Python

A quick introduction to Forcepoint API, with the SMC-Python which is a Python based library …

Leave a Reply

Your email address will not be published. Required fields are marked *