
Investigate if your Linux server has been hacked or not

Many of us face intrusion attempts against our information systems. Attackers can have many motives, for example data theft or using your computing power. Most hackers take precautions while performing illegal activities and always try to hide to avoid being caught. Once a system is compromised, the hacker always installs some backdoor on it to maintain access. Today we will show how to check whether your Linux server has been hacked.

Users & Shells

/etc/passwd & /etc/shells

You can check that there is no new, unknown user on your server.

Local user information is stored in the /etc/passwd file. Each line in this file represents the login information for one user:

cat /etc/passwd

Each line in the file has seven fields delimited by colons that contain the following information:

source : landoflinux

You can also display only the users who can use a shell (here, /bin/bash):

cat /etc/passwd | grep /bin/bash

The /etc/shells file is a Linux text file which contains the full pathnames of valid login shells.

cat /etc/shells
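The two checks above can be combined into one pass. This is an added example, not part of the original article: the function name audit_passwd and its output labels are assumptions; it reports accounts with UID 0 other than root, malformed entries, and accounts whose shell allows a login.

```shell
# Added example: audit a passwd-format file against a list of valid shells.
# Usage: audit_passwd [PASSWD_FILE] [SHELLS_FILE]
audit_passwd() {
    passwd_file="${1:-/etc/passwd}"
    shells_file="${2:-/etc/shells}"
    awk -F: '
        # First file (shells): remember each valid shell path, skip comments/blanks.
        FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^#/) shells[$0] = 1; next }
        # Second file (passwd): every entry must have exactly seven fields:
        # name:password:UID:GID:comment:home:shell
        NF != 7 { printf "MALFORMED line %d: %s\n", FNR, $0; next }
        {
            # Any account with UID 0 has root privileges, whatever its name.
            if ($3 == 0 && $1 != "root")
                printf "UID0 %s\n", $1
            # An empty shell field means /bin/sh; nologin and false deny logins.
            if ($7 == "" || (($7 in shells) && $7 !~ /\/(nologin|false)$/))
                printf "LOGIN %s uid=%s home=%s shell=%s\n", $1, $3, $6, $7
        }
    ' "$shells_file" "$passwd_file"
}
```

Run audit_passwd with no arguments to check the live /etc/passwd and /etc/shells, and compare the LOGIN lines with the accounts you expect to exist.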

Currently logged-in users

Check who is currently logged into your server. It’s not uncommon to find a logged-in attacker …


You’ll have some details:


Last logged users

Step 2: last lets you see who has logged into the server. It goes back to the server installation. lastb lets you see who tried to log into the server (lastb = failed logons).



Listening ports

A hacker can install a backdoor on your server. This backdoor will expose a TCP or UDP port on the internet, so the hacker keeps access to the machine.

We can use the command netstat -lntup. This command lists the listening network connections on our system.

netstat -lntup
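To spot a listener that should not be there, the netstat output can be compared with the ports you expect. This is an added example, not part of the original article: the function name unexpected_listeners and the allowlist argument are assumptions.

```shell
# Added example: report listeners from "netstat -lntup" that are not allowlisted.
# Usage (as root, so the PID/Program column is filled in for every socket):
#   netstat -lntup | unexpected_listeners "22 80 443"
unexpected_listeners() {
    allowed="$1"    # space-separated list of expected port numbers
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only socket lines: the two header lines do not start with tcp/udp.
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4                          # Local Address, e.g. 0.0.0.0:22 or :::80
            port = addr; sub(/^.*:/, "", port) # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port in ok) next
            # A loopback-only listener is not reachable from the network.
            scope = (host ~ /^(127\.|::1$)/) ? "loopback" : "exposed"
            # tcp lines have a State column (LISTEN); udp lines leave it blank.
            start = ($1 ~ /^tcp/) ? 7 : 6
            proc = ""
            for (i = start; i <= NF; i++) proc = proc (i > start ? " " : "") $i
            printf "%s %s %s %s\n", $1, port, scope, proc
        }
    '
}
```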

Network Traffic Monitoring

You can use iftop to monitor your network traffic in real time. It’ll show you the source / destination & the traffic.


iftop isn’t installed by default. You can follow this howto if you want to install it : iftop – A Real Time Linux Network Bandwidth Monitoring Tool

Network cards & routes

The traffic can be redirected by an attacker, and network cards can be modified (added, deleted, …). You can check the network cards with the ip command:

ip a

To check your routes and verify that no routes were added, you can use the ip route command:

ip route

SSH connection attempts

You can parse your logs to check the SSH connection attempts. Each attempt is recorded in /var/log/auth.log on Debian-based systems, or in /var/log/secure on CentOS/Red Hat.

I suggest this article: How to Find All Failed SSH login Attempts in Linux, if you want more details.
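One way to parse these logs is to count failed and accepted sshd logins per source address, and to flag any address that succeeded after repeated failures. This is an added example, not part of the original article: the function name ssh_login_summary, the threshold argument and the SUSPECT label are assumptions.

```shell
# Added example: summarise sshd password/key logins per source IP.
# Usage: ssh_login_summary [LOG_FILE] [THRESHOLD]
#   LOG_FILE  defaults to /var/log/auth.log (use /var/log/secure on CentOS/Red Hat)
#   THRESHOLD failures needed before an address with a success is flagged
# Output columns: failed accepted ip flag, sorted by failures (highest first).
ssh_login_summary() {
    log_file="${1:-/var/log/auth.log}"
    threshold="${2:-5}"
    awk -v threshold="$threshold" '
        /sshd[^ ]*\[[0-9]+\]: (Failed|Accepted) / {
            # Take the LAST "from <ip> port" triple on the line: the user name
            # that appears earlier in the message is client-supplied text.
            ip = ""
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
            if (ip == "") next
            if ($0 ~ /\]: Failed /) failed[ip]++
            else { accepted[ip]++; if (!(ip in failed)) failed[ip] = 0 }
        }
        END {
            for (ip in failed) {
                # Many failures followed by a success deserves a closer look.
                flag = (failed[ip] >= threshold && accepted[ip] > 0) ? "SUSPECT" : "-"
                printf "%d %d %s %s\n", failed[ip], accepted[ip], ip, flag
            }
        }
    ' "$log_file" | sort -k1,1nr -k3,3
}
```

An address flagged SUSPECT is a starting point for the last, lastb and command history checks described on this page.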

Command history

Linux stores the commands we run in the terminal in a history. By issuing the history command, we can see the list of commands executed by the user in the terminal.

Other useful commands:

tail -n 200 ~/.bash_history | more

cat ~/.bash_history | more

cat /home/USER_YOU_WANT_TO_VIEW/.bash_history


I suggest you keep your history outside the .bash_history file, since any hacker can delete it. For example, you can use recent2, which stores the bash history in a SQLite database, or, even better, you can log your bash history to an ELK stack. I’ll do a small post about it :).

Recently modified files

If you are under attack, some files will likely be modified on your system. You can list them with the very powerful find tool.

A file in Linux contains three timestamps:

  • atime: access time or Last access time
  • mtime: modify time or Last modification time
  • ctime: change time or Last change time

Here is an example that finds only the files that were modified less than 2 days ago:

find /etc /var -mtime -2

If you want more details and more examples of the find command, I suggest the article by 2daygeek.

I suggest you check the following folders in more detail:

  • /tmp
  • /root/.ssh/
  • /home/other-users/.ssh/


Look at the processes using the most CPU. Hackers with root-level access typically use as many server resources as possible to hack other servers, send email spam, or mine cryptocurrency.

We can use the top command, but I prefer htop, which gives you more possibilities.

Screenshot of htop

If you don’t recognize a process, try lsof -p 678 or strace -p 678 (replacing “678” with the actual process ID number). lsof will show all the files opened by a process (super useful).

strace traces system calls and signals: it intercepts and records the system calls made by the process. We use this command for debugging and troubleshooting on Linux.


This is a good start for checking whether your server was compromised, but it’s not enough: as you can imagine, it’s possible to erase these traces and be almost invisible.

I suggest that you:

  • set up the right security on your servers
  • have an automatic monitoring & log collection system to be warned in the event of attempted intrusions.

About Alexandre Nogard
