How to determine if Linux server may have been hacked?


Problem: How to determine if Linux server may have been hacked?

Solution: Check the package-managed binaries for signs of tampering. Although this is not 100% accurate, you can be reasonably sure that the server has been hacked if any of the following commands produces unexpected output.

Telnet to the server as admin and su - to root. Type these commands:
rpm -V procps
rpm -V fileutils
rpm -V net-tools
rpm -V util-linux

NOTE: util-linux will complain about:
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M....... /usr/bin/newgrp
M....... /usr/bin/write

If any other output occurs, such as issues with files under /bin or /usr/bin, our advice is to perform an OS restore to ensure the security of your server. Be sure the restore files do not contain the hack. Please consult a security expert if an OS restore is not an option.
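As an added example (not part of the original article), the following POSIX sh script runs the four rpm -V checks above and strips out the util-linux lines the note says are expected, so only unexpected findings remain. The package names and expected lines come from the article; the function and variable names are my own.

```sh
#!/bin/sh
# Run the article's rpm -V checks and report only lines that are not in the
# list of expected util-linux complaints.

# Lines the article says util-linux reports even on a clean system.
EXPECTED_UTIL_LINUX='S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M....... /usr/bin/newgrp
M....... /usr/bin/write'

# is_expected LINE: exit 0 if LINE matches one of the expected lines exactly.
# The match is exact on purpose: a different flag set on the same file
# (e.g. a mode change on /etc/pam.d/login) must still be reported.
is_expected() {
    printf '%s\n' "$EXPECTED_UTIL_LINUX" | grep -qxF -- "$1"
}

# filter_unexpected: read rpm -V output on stdin, print only unexpected lines.
filter_unexpected() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        is_expected "$line" || printf '%s\n' "$line"
    done
}

# verify_packages: run rpm -V over the article's four packages.
# Prints unexpected findings; returns 0 if there are none, 1 otherwise.
verify_packages() {
    findings=$(for pkg in procps fileutils net-tools util-linux; do
                   rpm -V "$pkg"
               done 2>&1 | filter_unexpected)
    if [ -z "$findings" ]; then
        echo "no unexpected rpm -V output"
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Only touch the live system when explicitly asked (e.g. ./check.sh --run).
if [ "${1:-}" = "--run" ]; then
    verify_packages
fi
```

Because rpm -V trusts the rpm binary and package database on the same host, a compromised system can also lie here; where possible, compare against a known-good copy of the binaries taken from installation media or a clean host.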
