
01/08/2002
Problem: How do I determine if my Linux server may have been hacked?
Solution:
What you should try is checking the binaries for an indication of a hack.
Although this check is not 100% accurate, you can be reasonably sure that the
server has been hacked if any of the following produces output.
Telnet to the server as admin and su - to root. Type these commands:
rpm -V procps
rpm -V fileutils
rpm -V net-tools
rpm -V util-linux
NOTE: util-linux will complain about:
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M...... /usr/bin/newgrp
M...... /usr/bin/write
If any other output occurs, such as issues with files in /bin or /usr/bin, our
advice is to perform an OS restore to ensure the security of your server. Be
sure the restore files do not contain the hack. Please consult with a security
expert if an OS restore is not an option.
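The check above as a script, added here as an example and not part of the original article: it filters rpm -V output against the five util-linux lines the note lists as expected and prints anything else. The function names and the sample input are assumptions made for this example; flags are compared with the dots stripped so the width of the flag column does not matter.

```shell
#!/bin/sh
# Added example: reduce `rpm -V` output to the lines the note does not list as expected.

# Reads `rpm -V` output on stdin and prints every line that is not expected.
unexpected_lines() {
    awk '
        BEGIN {
            # Expected util-linux complaints: "<changed attributes> <path>".
            ok["S5T /etc/pam.d/chfn"] = 1
            ok["S5T /etc/pam.d/chsh"] = 1
            ok["S5T /etc/pam.d/login"] = 1
            ok["M /usr/bin/newgrp"] = 1
            ok["M /usr/bin/write"] = 1
        }
        NF == 0 { next }                       # skip blank lines
        {
            slash = index($0, "/")
            if (slash == 0) { print; next }    # no path on the line: report as-is
            flags = $1; gsub(/\./, "", flags)  # "S.5....T" becomes "S5T"
            key = flags " " substr($0, slash)  # path starts at the first slash
            if (!(key in ok)) print
        }'
}

# Constructed sample (not captured from a real host): the five expected lines
# plus two that should be reported.
sample_output() {
    cat <<'EOF'
S.5....T c /etc/pam.d/chfn
S.5....T c /etc/pam.d/chsh
S.5....T c /etc/pam.d/login
M...... /usr/bin/newgrp
M...... /usr/bin/write
S.5....T /bin/ps
S.5....T /usr/bin/write
EOF
}

# Runs the four checks from the article on a live RPM-based host.
check_server() {
    for pkg in procps fileutils net-tools util-linux; do
        rpm -V "$pkg" 2>&1
    done | unexpected_lines
}

# With no argument, demonstrate on the sample; pass "live" to query rpm.
if [ "${1:-}" = "live" ]; then check_server; else sample_output | unexpected_lines; fi
```

A line counts as expected only when both the path and the set of changed attributes match the note, so a size or checksum change on /usr/bin/write is still reported even though a mode change on it is not.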
©1996 - 2008 Computer Business Consultants, Inc. All rights reserved.