How Would You Know If Your Server Was Compromised
Today I have noted slightly slower responses in finding and loading my main 2 sites.
How can I find out if anything has gone wrong with the server? Or indeed if I've been compromised.
3 Replies
/var/log/
messages
syslog
auth.log
Use the last command to see if other IPs logged in via SSH
Check ps -aef for unknown processes
Run chkrootkit/rkhunter
Look at website logfiles
Check with a tool like top/htop for processes that use a lot of memory/CPU
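An added example, not part of the original reply: one way to do the auth.log check from the list above, printing accepted SSH logins that come from outside a known-good IP list along with how many failed attempts that IP made beforehand. The function names, the allow-list and the sample log lines are constructed for illustration, and the parsing assumes OpenSSH's standard log message wording.

```shell
#!/bin/sh
# Added example (not from the thread): flag accepted SSH logins in auth.log
# that come from an IP outside a known-good list, with prior failure counts.

# Constructed sample lines in OpenSSH's usual syslog wording (not real data).
sample_auth_log() {
cat <<'EOF'
Mar  3 09:12:44 web1 sshd[2211]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:02 web1 sshd[2290]: Failed password for root from 198.51.100.23 port 41022 ssh2
Mar  3 09:14:05 web1 sshd[2290]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Mar  3 09:14:09 web1 sshd[2290]: Failed password for root from 198.51.100.23 port 41044 ssh2
Mar  3 10:01:10 web1 sshd[2400]: Accepted password for root from 198.51.100.23 port 41100 ssh2
Mar  3 11:30:00 web1 sshd[2511]: Failed password for deploy from 192.0.2.50 port 40000 ssh2
EOF
}

# $1: space-separated allow-list of admin IPs. Log text is read from stdin.
# Prints: user ip method failed_before=N (N = earlier failures from that IP).
unexpected_logins() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      v = 0; user = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        # Locate the sshd tag so any timestamp format in front of it works.
        if (!v && $i ~ /^sshd\[[0-9]+\]:$/) v = i + 1
        if (v && user == "" && $i == "for") user = $(i + 1)
        # Usernames in failed attempts are attacker-supplied, so require the
        # full "from <ip> port" triple and keep the last one on the line.
        if (v && $i == "from" && $(i + 2) == "port") ip = $(i + 1)
      }
      if (!v || ip == "") next
      if ($v == "Failed") { failed[ip]++; next }
      if ($v == "Accepted" && !(ip in ok))
        print user, ip, $(v + 1), "failed_before=" (failed[ip] + 0)
    }'
}

# Real use: unexpected_logins "ADMIN_IP_1 ADMIN_IP_2" < /var/log/auth.log
sample_auth_log | unexpected_logins "203.0.113.7"
```

An accepted login with a non-zero failed_before count from an unfamiliar address is the line to investigate first. auth.log can be edited by anyone who already has root on the box, so a clean result does not rule out a compromise.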
I don't even know if my server is clean. I assume it is until I see/hear otherwise.
:/
I recommend a remote file system checker like OSSEC.