What To Do If You Think Your Linux Server Was Hacked

There are a number of things you can do if you think your Linux box was hacked. A common myth is that you should simply and quickly reinstall the OS; that is the exact opposite of what you want to do, at least initially. What you want to do as soon as possible is take the box offline.

Before you do that, you have one option: you can gather some data on what is running and which IPs are currently connected, for example by running lsof, netstat -anpe and ps aux. If you are already logged in, it is a good idea to run those; if you are not logged in, you may want to just pull the plug on the machine. This is one case where you want to pull the plug (or, if the machine is on a remote rebooter, turn off that rebooter port) rather than running halt or shutdown from the command line.

If you do decide to run the commands to see what is running, send the output to another server, for example by using netcat. You should always have an unblocked outgoing port reserved for netcat, and then further secure it by adding an ACL that only allows traffic on that port to your netcat server. In order to preserve a compromised system, you don’t want to write any new data to the drive. You also don’t want to remove anything at this point, even if you see files you think were placed by a hacker.
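The collection step described above, as an added example that is not from the original post: it runs lsof, netstat -anpe and ps aux and streams the output to a listening netcat collector instead of writing anything to the suspect host's disk. COLLECTOR_HOST and COLLECTOR_PORT are placeholders, and the firewall lines in the comments are an assumed iptables rendering of the egress ACL the post recommends.

```shell
#!/bin/sh
# Added example (not from the original post): capture volatile state from a
# suspected-compromised Linux host and stream it to a collector over netcat,
# so nothing new is written to the local disk.
# Assumed placeholders: COLLECTOR_HOST / COLLECTOR_PORT. On the collector run
#   nc -l -p 9999 > triage.txt      (GNU/traditional netcat)
#   nc -l 9999 > triage.txt         (BSD/OpenBSD netcat)
# The egress ACL the post recommends, staged on the server before any
# incident (assumed iptables syntax, adjust to your firewall):
#   iptables -A OUTPUT -p tcp -d <collector-ip> --dport 9999 -j ACCEPT
#   iptables -A OUTPUT -p tcp --dport 9999 -j DROP

COLLECTOR_HOST="${COLLECTOR_HOST:-collector.example.internal}"  # placeholder
COLLECTOR_PORT="${COLLECTOR_PORT:-9999}"                         # placeholder

# Run the three commands from the post, each under a timestamped banner,
# writing only to stdout. A failing or missing tool is recorded, not fatal.
# Caveat: these binaries live on the suspect host and may have been replaced;
# the output is still worth having, but treat it as untrusted.
collect_volatile() {
    for cmd in "lsof" "netstat -anpe" "ps aux"; do
        printf '===== %s @ %s =====\n' "$cmd" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        $cmd 2>&1 || printf '[%s failed or not installed]\n' "$cmd"
    done
}

# Number of command sections in one collection run; a sanity check the
# collector side can repeat on the received file (expect 3).
triage_section_count() {
    collect_volatile | grep -c '^===== '
}

# Stream the collection to the collector. No redirection to a local file;
# -w 10 gives up after 10 idle seconds so the shell is not left hanging.
ship_to_collector() {
    collect_volatile | nc -w 10 "$COLLECTOR_HOST" "$COLLECTOR_PORT"
}

# Usage on the suspect host, once the collector is listening:
#   COLLECTOR_HOST=10.0.0.5 ./triage.sh
# ship_to_collector is not called automatically, so sourcing this file
# does not open a socket; uncomment the next line to run it.
# ship_to_collector
```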

Read more at SecureHosting
