Linux server got hacked? To do’s for beginners.


Just got an email from your server provider complaining about spam coming from your server? CPU usage is higher than expected? Some process took all your memory? Or is the OS acting weird?

The example snippets are for Debian/Ubuntu; look up the equivalent commands for other Linux distributions.

Change the passwords for both root and your user account. Follow the StackOverflow guide.

Check what changed in /etc and /var in last 2 days:

find /etc -mtime -2
find /var -mtime -2

If you haven’t changed them, somebody else did. Decide what to do with those changes.
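As an added example (not part of the original post), the same check wrapped in a small POSIX shell script: it lists files changed in the last N days under the directories you name, newest first, with mtime, owner and mode so a change you did not make stands out, and it adds a second check the post does not mention: comparing installed files against the md5sums dpkg recorded at install time. It assumes GNU find and touch (standard on Debian/Ubuntu) and a dpkg new enough to support `--verify`; the demo runs on a constructed temporary directory, not on the real system.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find/touch (Debian/Ubuntu).

# recent_changes DAYS DIR...  -> one line per regular file modified less than
# DAYS days ago, newest first: "YYYY-MM-DD HH:MM owner mode path"
recent_changes() {
    days="$1"; shift
    # -xdev keeps the search on one filesystem so /proc, /sys and bind mounts
    # under the given directory are not traversed.
    find "$@" -xdev -type f -mtime "-$days" \
        -printf '%TY-%Tm-%Td %TH:%TM %u %m %p\n' 2>/dev/null | sort -r
}

# verify_packages: report installed files whose content no longer matches
# what their package shipped (dpkg --verify, dpkg >= 1.17 assumed). A system
# binary that changed without an apt upgrade is a strong signal.
verify_packages() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify 2>/dev/null
    else
        echo "dpkg not found; skipping package verification" >&2
        return 1
    fi
}

# Demo on a constructed directory tree so the script runs without touching /etc.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/cron.d"
    # constructed sample: a cron entry written today (should be listed) and an
    # old config file (should not)
    echo '* * * * * root /tmp/.x' > "$tmp/etc/cron.d/suspicious"
    echo 'old config' > "$tmp/etc/old.conf"
    touch -d '10 days ago' "$tmp/etc/old.conf"
    echo "Files changed in the last 2 days under $tmp/etc:"
    recent_changes 2 "$tmp/etc"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run it with `--demo` to see the output format, or call `recent_changes 2 /etc /var` and `verify_packages` on the real box; cron directories, systemd unit files and anything under /var/spool are the entries to read most carefully.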

Install ClamAV:

sudo apt-get install clamav
sudo freshclam
sudo apt install clamav-daemon

Search for infected files:

sudo clamscan --max-filesize=3999M --max-scansize=3999M --exclude-dir="^/sys" -i -r /

Check for signs of a rootkit:

Install chkrootkit:

sudo apt-get install chkrootkit

Run chkrootkit:

sudo chkrootkit

You might get some false positives; don’t panic. Google them.

Security vulnerabilities come with negligence, so update your OS:

sudo apt-get update && time sudo apt-get dist-upgrade

Some great links that I found:
StackExchange – How do you know your server has been compromised?

Cheers!