How Would You Know If Your Server Was Compromised

Hi guys, I'm relatively new to Linode. I paid a very helpful community member to help me get set up and things have been running smoothly for 2 weeks now.

Today I have noted slightly slower responses in finding and loading my main 2 sites.

How can I find out if anything has gone wrong with the server? Or indeed if I've been compromised.

3 Replies

Logfiles mostly:

/var/log/

  • messages

  • syslog

  • auth.log

Use the `last` command to see whether other IPs logged in via SSH.

Check `ps -aef` for unknown processes.

Run chkrootkit/rkhunter.

Look at website logfiles.

Check with a tool like top/htop for processes that use a lot of memory/CPU.
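The checks in the reply above can be scripted so they run the same way every time. The following bash helpers are an added example and not code from the thread or from Linode: they pull accepted SSH logins from auth.log whose source IP is not on an allowlist, count failed password attempts per IP (a step beyond the reply, useful for telling brute-force noise from a real login), and flag `ps -aef` entries whose executable lives in /tmp, /var/tmp or /dev/shm. The functions take file paths rather than reading the live system, so they can be run from a trusted machine over copies of the logs. All sample data is constructed (RFC 5737 documentation addresses), as is the hostname `web1`.

```bash
#!/usr/bin/env bash
# Added triage helpers for the checks listed in the reply (auth.log, unknown SSH
# source IPs, unknown or CPU-hungry processes). Not code from the thread or Linode.
# Functions read files so you can run them over copies taken off the box.

# Accepted SSH logins whose source IP is not in ALLOWLIST (one IP per line).
# sshd logs: "sshd[PID]: Accepted password|publickey for USER from IP port N ssh2"
unknown_ssh_logins() {
  local log="$1" allow="$2"
  grep -E 'sshd\[[0-9]+\]: Accepted ' "$log" \
    | awk -v allow="$allow" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        {
          for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
          if (!(ip in ok)) print ip, u
        }' \
    | sort -u
}

# Failed password attempts per source IP, most frequent first ("COUNT IP").
failed_ssh_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Processes in saved `ps -aef` output whose executable lives in a scratch directory.
# Columns: UID PID PPID C STIME TTY TIME CMD, so CMD starts at field 8. Prints "PID UID CMD".
procs_from_scratch_dirs() {
  awk 'NR > 1 && $8 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $2, $1, $8 }' "$1"
}

# Constructed sample inputs (not real logs) so the helpers can be exercised offline.
write_sample_data() {
  local dir="$1"
  cat > "$dir/auth.log" <<'EOF'
Mar  3 10:12:01 web1 sshd[2201]: Accepted publickey for deploy from 198.51.100.10 port 51022 ssh2
Mar  3 10:15:44 web1 sshd[2250]: Failed password for root from 203.0.113.77 port 40011 ssh2
Mar  3 10:15:47 web1 sshd[2250]: Failed password for root from 203.0.113.77 port 40011 ssh2
Mar  3 10:15:49 web1 sshd[2250]: Failed password for invalid user admin from 203.0.113.77 port 40013 ssh2
Mar  3 10:16:02 web1 sshd[2261]: Accepted password for root from 203.0.113.77 port 40020 ssh2
Mar  3 11:02:13 web1 sshd[2400]: Accepted publickey for deploy from 198.51.100.10 port 51100 ssh2
EOF
  printf '198.51.100.10\n' > "$dir/known_ips.txt"
  cat > "$dir/ps.txt" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar02 ?        00:00:03 /sbin/init
root       812     1  0 Mar02 ?        00:00:00 /usr/sbin/sshd -D
www-data  1410   902  0 Mar02 ?        00:01:12 /usr/sbin/apache2 -k start
www-data  3311  1410 97 10:20 ?        00:09:41 /dev/shm/.x/kthreadd
deploy    3402  3390  0 11:03 pts/0    00:00:00 ps -aef
EOF
}

# Demo over the constructed samples. On a live box you would pass
# /var/log/auth.log and a saved copy of `ps -aef` output instead.
demo_dir="$(mktemp -d)"
write_sample_data "$demo_dir"
echo "== accepted SSH logins from IPs not in the allowlist =="
unknown_ssh_logins "$demo_dir/auth.log" "$demo_dir/known_ips.txt"
echo "== failed password attempts per IP =="
failed_ssh_by_ip "$demo_dir/auth.log"
echo "== processes running from /tmp, /var/tmp or /dev/shm =="
procs_from_scratch_dirs "$demo_dir/ps.txt"
rm -rf "$demo_dir"
```

On the sample data the first check reports `203.0.113.77 root`, which is the line worth acting on: the same address that was guessing passwords minutes earlier got an accepted login as root. The process check is only a heuristic; a legitimate program can run from /tmp, but anything there deserves a look.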

When you start getting Linode staff members opening tickets to discuss your server sending out boatloads of spam. That's when you'll know.

I don't even know if my server is clean. I assume it is until I see/hear otherwise.

:/

Locally, if a server is rooted, it can be very hard to catch. You can run a local root checker, but it's not foolproof.

I recommend a remote file system checker like OSSEC.

http://www.ossec.net/main/
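The reason a remote checker beats a local one is that a rooted host can lie about its own files, so the comparison has to be made against a baseline the host cannot rewrite. As an added example (not OSSEC's code and not from the thread), this bash script shows the core of such a file-integrity check: hash every regular file under a directory, save the list, and later report what was added, changed or removed. The directory tree it runs on is constructed; on a real server you would baseline the system binaries and /etc right after provisioning, copy the baseline off-host, and do the comparison with tools you trust.

```bash
#!/usr/bin/env bash
# Added example: a minimal file-integrity baseline and diff, the kind of check a
# remote integrity monitor such as OSSEC automates. Not OSSEC's or the thread's code.
# Keep the baseline off the host and run the compare with trusted tools; otherwise a
# rooted machine can simply rewrite it.

# SHA-256 of one file, using whichever tool is available.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{ print $1 }'
  else
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
  fi
}

# Emit "HASH<TAB>./relative/path" for every regular file under DIR, sorted by path.
fim_baseline() {
  ( cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done )
}

# Compare DIR against a saved baseline; print one ADDED / CHANGED / REMOVED line per difference.
fim_compare() {
  local baseline="$1" dir="$2" current
  current="$(mktemp)"
  fim_baseline "$dir" > "$current"
  awk -F'\t' '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the saved baseline
    {
      seen[$2] = 1
      if (!($2 in base))        print "ADDED\t" $2
      else if (base[$2] != $1)  print "CHANGED\t" $2
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
  ' "$baseline" "$current" | LC_ALL=C sort
  rm -f "$current"
}

# Demo on a constructed tree: baseline it, simulate tampering, then compare.
fim_demo() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/bin"
  printf 'ls-binary\n' > "$d/bin/ls"
  printf 'ps-binary\n' > "$d/bin/ps"
  printf 'root:x:0:0\n' > "$d/passwd"
  fim_baseline "$d" > "$d.baseline"      # this copy belongs somewhere the host cannot touch
  printf 'replaced ps\n' > "$d/bin/ps"    # simulated tampering with a system binary
  printf 'dropped file\n' > "$d/bin/extra"
  rm -f "$d/passwd"
  fim_compare "$d.baseline" "$d"
  rm -rf "$d" "$d.baseline"
}

fim_demo
```

The demo prints three lines: `ADDED ./bin/extra`, `CHANGED ./bin/ps` and `REMOVED ./passwd`. A changed `ps` is exactly the case the reply is warning about: a local checker that relies on the host's own `ps` would be asking the tampered binary whether anything is wrong.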
