Check for hackers' hidden files

From WebHostingNeeds.com

Hackers use special names for their files to hide them from server admins.

The first command looks for any regular "files" in /dev, a directory that should normally contain only device nodes. It is common for rootkits to hide files in /dev.

To get a list of regular files in /dev, run

find /dev -type f

On a CentOS server, you will see

[[email protected] ~]# find /dev -type f
/dev/.udev/db/[email protected]@device-mapper
/dev/.udev/db/[email protected]@[email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected][email protected]
/dev/.udev/db/[email protected][email protected]
/dev/.udev/db/[email protected][email protected]
/dev/.udev/db/[email protected][email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected]@sda2
/dev/.udev/db/[email protected]@sda4
/dev/.udev/db/[email protected]@sda1
/dev/.udev/db/[email protected][email protected]
/dev/.udev/db/[email protected][email protected]
/dev/.udev/db/[email protected]@sda3
/dev/.udev/db/[email protected]@sda6
/dev/.udev/db/[email protected]@sdb1
/dev/.udev/db/[email protected]@sda5
/dev/.udev/db/[email protected]@sda7
/dev/.udev/db/[email protected]@sda8
/dev/.udev/db/[email protected]@[email protected]
/dev/.udev/db/[email protected]@[email protected]
/dev/.udev/db/[email protected]@[email protected]
/dev/.udev/db/[email protected]@[email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected]
/dev/.udev/db/[email protected]@mice
/dev/.udev/uevent_seqnum
[[email protected] ~]#

Hackers use the /tmp folder to do their work because it has permission 777 (world-writable), so on most hacked servers you will find the hacker's files in /tmp.

find /tmp -type f | less
find /var/tmp -type f | less

In the tmp folders, check for .pl, .cgi or similar files. Files starting with sess* are PHP session files; you can ignore them, or delete them if needed (deleting them resets all sessions, so users need to log in again to scripts that use sessions).
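As an added example (not part of the original page), the following POSIX shell script applies the two checks above in one pass: it lists regular files under /dev, /tmp and /var/tmp, skips udev's own state directory under /dev/.udev and the PHP sess* session files, and marks files with script-like extensions for manual review. The extension list is an assumption extending the page's ".pl, .cgi or similar".

```shell
#!/bin/sh
# Added example: list unexpected regular files in the directories the page
# checks and flag script-like names. Run as: sh check_hidden.sh /dev /tmp /var/tmp

# Print regular files under $1, pruning udev's own database ($1/.udev) and
# skipping PHP session files (sess*), which the page says can be ignored.
list_unexpected_files() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -path "$dir/.udev" -prune -o -type f ! -name 'sess*' -print 2>/dev/null
}

# Succeed (status 0) when the filename has an extension typically used for
# scripts dropped in /tmp. The list is an assumption, not from the page.
is_script_like() {
    case "$1" in
        *.pl|*.cgi|*.php|*.sh|*.py|*.c) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per unexpected file, prefixed SCRIPT or FILE.
report_dir() {
    list_unexpected_files "$1" | while IFS= read -r f; do
        if is_script_like "$f"; then
            printf 'SCRIPT %s\n' "$f"
        else
            printf 'FILE   %s\n' "$f"
        fi
    done
}

# Print the number of script-like unexpected files under $1.
count_script_like() {
    list_unexpected_files "$1" | {
        n=0
        while IFS= read -r f; do
            if is_script_like "$f"; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# Only scan when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do report_dir "$d"; done
fi
```

Any SCRIPT line, and any FILE line under /dev that is not udev state, is worth inspecting by hand (owner, timestamps, contents) before deciding whether it belongs there.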