How to check if server is hacked

Jump to: navigation, search
  • run "w" and see current logged-in users.
  • run pstree and check for any wierd processes.
  • scan using rkhunter
  • run netstat -pau and check for any stange open ports


1. Execute the following 3 command lines as root by copy/paste. This will harden files commonly abused to upload exploits and list possible exploits. This script only searches for possible exploits owned by the webserver username, but it is possible that exploits could have been uploaded by a current or previous user account to the searched directories. So, you still need to manually investigate all files in the searched directories even if the script returns no results. Possible exploits found should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the "xplts" file generated by these commands for later reference.


echo -e "\tHARDEN"|tee xplts;for x in `which wget curl fetch lynx links`;do chown -vv 0:0 $x|tee -a xplts;chmod -vv 0550 $x|tee -a xplts;done;echo -e "\n\tSEARCH"|tee -a xplts;for x in "/tmp /var/tmp /dev/shm /usr/local/apache/proxy /var/spool /usr/games";do ls -loAFR $x 2>&-|grep -E "^/| apache | nobody | unknown | www | web | htdocs "|grep -E "^/|^[bcdlsp-]|\.pl$"|grep -Ev "sess_|dos-"|tee -a xplts;done;echo -e "\n\tSUMMARY";echo -e "Block File: \t\t`grep -Ev "^/" xplts|grep -E "^b"|wc -l|tr -d ' '`";echo -e "Character File: \t`grep -Ev "^/" xplts|grep -E "^c"|wc -l|tr -d ' '`";echo -e "Directory: \t\t`grep -Ev "^/" xplts|grep -E "^d"|wc -l|tr -d ' '`";echo -e "Symbolic Link: \t\t`grep -Ev "^/" xplts|grep -E "^l"|wc -l|tr -d ' '`";echo -e "Socket Link: \t\t`grep -Ev "^/" xplts|grep -E "^s"|wc -l|tr -d ' '`";echo -e "FIFO: \t\t\t`grep -Ev "^/" xplts|grep -E "^p"|wc -l|tr -d ' '`";echo -e "Regular File: \t\t`grep -Ev "^/" xplts|grep -E "^-"|wc -l|tr -d ' '`"


2. You should also install and run rkhunter which is a scanning tool to ensure you for about 99.9% you're clean of rootkits, backdoors, and local exploits. If any rootkits, backdoors, or local exploits are found by rkhunter, you must investigate further and remove them or submit a reload ticket.

On BSD sytems:

cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c

On RedHat, Fedora, CentOS systems:

yum -y install rkhunter; rkhunter -c