Determine if your Linux computer or Server is hacked

Advice from a hacker: how do you determine whether your computer or server has been hacked? If you suspect this, this article certainly applies to you. But I also discuss several useful commands that every Linux user or “hacker” should know, and I show you various options. Some of these commands also work on a Mac and on Windows, so it is worth taking a look, if only for the tips you might want to use.


Keep calm and don’t panic if you have been hacked

“If this is possible”

If you have found something, do not delete anything or make any changes yet. Just catalog everything. Do not open files with cat or strings at this stage; list the files and save that for later. Once you start removing things, you can no longer investigate how deeply the attacker has penetrated. Don’t be rattled, just stay calm. Do some investigation and research first.

Take a good look at the attacker; you may find an IP address or another trace that has been left behind. This only makes the research more interesting. Try to find out as much as possible about the attacker. Once you have all the data, you can look at cleaning up safely.

Obviously it is urgent if you have been badly hit and a lot of money is involved; in that case hire a team of specialized ethical hackers or cybersecurity experts. If you run a business, that is always the best thing you can do.


“What hackers do is figure out technology and experiment with it in ways many people never imagined. They also have a strong desire to share this information with others and to explain it to people whose only qualification may be the desire to learn.”


Show a listing of last logged in users


w or who

The first thing you should look for is who is currently logged into your computer. It is not uncommon to find the attacker actually logged into the server and working on it.



Use the command last

This shows a listing of the last logged-in users. The history comes from /var/log/wtmp and can go all the way back to the initial setup of the computer or server, unless the file has been rotated (use -f to read an older copy such as /var/log/wtmp.1). You can also immediately see how long you have had this Linux install.


last

last -h

Usage:
 last [options] [<username>...] [<tty>...]

Show a listing of last logged in users.

Options:
 -<number>            how many lines to show
 -a, --hostlast       display hostnames in the last column
 -d, --dns            translate the IP number back into a hostname
 -f, --file <file>    use a specific file instead of /var/log/wtmp
 -F, --fulltimes      print full login and logout times and dates
 -i, --ip             display IP numbers in numbers-and-dots notation
 -n, --limit <number> how many lines to show
 -R, --nohostname     don't display the hostname field
 -s, --since <time>   display the lines since the specified time
 -t, --until <time>   display the lines until the specified time
 -p, --present <time> display who were present at the specified time
 -w, --fullnames      display full user and domain names
 -x, --system         display system shutdown entries and run level changes
     --time-format <format>  show timestamps in the specified <format>:
                               notime|short|full|iso

 -h, --help           display this help
 -V, --version        display version

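The output of last is long on a busy server, so it helps to reduce it to "how often did each user log in from each address" and compare that against the addresses you expect. The script below is an added example, not code from the original article: the login records in SAMPLE_LAST are constructed in the format `last -F -i` prints, and ALLOWLIST is an assumed list of your own addresses. On a real host you would pipe the command itself into the functions.

```shell
#!/bin/sh
# Added example, not from the original article: summarise `last -F -i`
# output per (user, source address) and flag sources that are not on an
# allowlist. SAMPLE_LAST is constructed output in the format `last -F -i`
# prints; on a real host feed the command itself:
#     last -F -i | flag_unknown_sources "$ALLOWLIST"
# Rotated history can be included with: last -F -i -f /var/log/wtmp.1

SAMPLE_LAST='jolanda  pts/0        192.168.1.20     Mon Mar  4 09:12:01 2024   still logged in
jolanda  pts/1        192.168.1.20     Sun Mar  3 18:40:11 2024 - Sun Mar  3 19:02:55 2024  (00:22)
root     pts/2        203.0.113.77     Sun Mar  3 03:14:09 2024 - Sun Mar  3 03:15:30 2024  (00:01)
root     pts/2        203.0.113.77     Sun Mar  3 03:10:02 2024 - Sun Mar  3 03:12:44 2024  (00:02)
root     pts/2        203.0.113.77     Sat Mar  2 23:58:40 2024 - Sun Mar  3 00:01:12 2024  (00:02)
reboot   system boot  5.15.0-91-gen    Sat Mar  2 08:00:00 2024   still running
jolanda  tty1                          Sat Mar  2 08:01:12 2024 - down                       (01:00)

wtmp begins Sat Mar  2 08:00:00 2024'

# Source addresses we expect logins from (constructed for the example).
ALLOWLIST='192.168.1.20'

# Read `last` output on stdin; print "count user address", most frequent
# first. Console logins (no address), reboot records and the trailer are
# skipped.
summarize_logins() {
    awk '
        NF < 4                          { next }
        $1 == "reboot" || $1 == "wtmp"  { next }
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { seen[$1 " " $3]++ }
        END { for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Same input; print only the lines whose address is not in the allowlist
# given as $1 (one address per line).
flag_unknown_sources() {
    allow="$1"
    summarize_logins | while read -r count user addr; do
        printf '%s\n' "$allow" | grep -qxF "$addr" && continue
        printf '%s %s %s\n' "$count" "$user" "$addr"
    done
}

# Demo on the constructed data; expected line: "3 root 203.0.113.77"
printf '%s\n' "$SAMPLE_LAST" | flag_unknown_sources "$ALLOWLIST"
```

Three root logins from an address that is not on the list is exactly the kind of line you want to see at the top rather than buried in pages of output. Only IPv4 addresses are counted; entries without a network source (console logins) are left out on purpose.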

Last command by a user

If someone gets access to the computer or server, “they” have probably sent some commands through SSH. The following command shows the last 200 lines of commands for the current user; 200 is just the number I use in this example. You can use cat instead of tail to read the whole file. Keep in mind that ~/.bash_history is only written when a shell exits and is trivially cleared or disabled by whoever is logged in, so an empty or suspiciously short history is itself worth noting.


tail -n 200 ~/.bash_history | more

cat ~/.bash_history | more

Of course, you can also open the file in an editor (like vim or nano) and save the output, so that you can notice any changes at a later time. Also check the history of any other users you have on your computer, under /home/username/.


sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history

System files that have changed recently.

With this command, you can see what has changed recently. The “-mtime -2” means less than 2 days, i.e. this shows me all files under /etc and /var modified in the last 2 days.


sudo find /etc /var -mtime -2

If you haven’t installed any new software on your server for a while, this command will produce very little output. In the picture here I had just done an upgrade, so there was a lot to see.


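find -mtime tells you that something changed, but not what the file looked like before, and it says nothing about files that were removed. A hash baseline taken while the system is known to be clean answers both questions. The script below is an added example, not code from the original article; the paths in its usage comments (/root/etc.baseline) are assumptions, and the test data it is run against is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: a hash baseline for a
# configuration tree. `find -mtime` tells you that a file changed recently;
# a stored hash list tells you exactly which files changed and also catches
# files that were added or removed. Paths in the usage lines are assumed.
#   baseline_tree /etc /root/etc.baseline    # right after a known-good install
#   compare_tree  /etc /root/etc.baseline    # later, during an investigation

# Write "sha256  path" for every regular file under $1 to $2, sorted by
# path so two baselines can be diffed directly. (Paths containing spaces
# are not handled by the awk below.)
baseline_tree() {
    dir="$1"; out="$2"
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$out"
}

# Compare the tree under $1 with the baseline file $2. Prints one line per
# difference, "ADDED", "MODIFIED" or "REMOVED" followed by the path, and
# returns 1 if anything differs, 0 if the tree matches the baseline.
compare_tree() {
    dir="$1"; base="$2"
    now=$(mktemp)
    baseline_tree "$dir" "$now"
    diffs=$(awk -v base="$base" '
        FILENAME == base { old[$2] = $1; next }   # first file: the baseline
        { new[$2] = $1 }                          # second file: current state
        END {
            for (p in new) {
                if (!(p in old))           print "ADDED    " p
                else if (old[p] != new[p]) print "MODIFIED " p
            }
            for (p in old) if (!(p in new)) print "REMOVED  " p
        }
    ' "$base" "$now" | sort)
    rm -f "$now"
    [ -n "$diffs" ] && printf '%s\n' "$diffs"
    [ -z "$diffs" ]
}
```

Keep the baseline file somewhere the server cannot overwrite it (offline, or on another host), otherwise an intruder with root can simply regenerate it. Once you have a baseline file, `find /etc -newer /root/etc.baseline` is a quick way to list only the files touched since it was written.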

Verify the current connections from your computer and or server


Netstat


netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
        -Z, --context            display SELinux security context for sockets

  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) 
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) 
    x25 (CCITT X.25) 

If you want more information about netstat, you can use the man (manual) page:


man netstat


Often an attacker installs a program that does nothing except listen on a network port for instructions. Look for any process listed in the LISTEN or ESTABLISHED state: these processes are either waiting for a connection (LISTEN) or have a connection open (ESTABLISHED). If you don’t recognize a process, use “strace” or “lsof” (examples below) to try to see what it is doing. On recent distributions netstat (from the net-tools package) may not be installed; ss -tunap from iproute2 shows the same information.

This command shows you two parts: the first is “Active Internet connections (w/o servers)” and the second is “Active UNIX domain sockets (w/o servers)”.

Check both carefully, because if a malicious script is running somewhere and is trying to send spam mail or attack other servers, you can easily find it here.


netstat | more


netstat is also available on Windows. Open a Command Prompt and type:


netstat | more


Below I show an example of how the command sudo netstat -atnp | grep ESTA is used. The first image is without anything open, the second after I opened about 15 tabs in Chrome.

I must say that these commands have always been useful in the past; for example, when you spoke to someone on Telegram, you could see the IP addresses of the people you spoke to (also of bots). That IP address leak has since been closed.


sudo netstat -atnp | grep ESTA


When entered correctly, the following command returns a descending list of which IPs are connected to your server (I use it often on my own computer too) and how many connections each one has. Looking at your results, you will see connections ranging anywhere from 1 to about 50 per IP; this is quite common for normal server traffic. If, however, you see some IPs with 100+ connections, that is something to scrutinize.

Included in the list, you may see known IPs, one or more of the server’s own IPs, or even your own personal IP with many connections.


netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r

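The one-liner above works for IPv4, but `cut -d: -f1` mangles IPv6 peers (it keeps only the text before the first colon). The script below is an added example, not code from the original article, that does the same count while stripping only the trailing port, so it goes a little beyond the one-liner: it handles IPv6 peers, accepts both `netstat -ntu` and `ss -tun` output, and applies the 100-connection threshold the text suggests. SAMPLE_NETSTAT and SAMPLE_SS are constructed output, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: count connections per
# remote address from `netstat -ntu` (or `ss -tun`, its replacement on
# distributions without net-tools) and flag addresses above a threshold.
# Unlike `cut -d: -f1`, it strips only the final ":port", so IPv6 peers are
# counted correctly. SAMPLE_NETSTAT and SAMPLE_SS are constructed output;
# on a real host:
#     netstat -ntu | flag_busy_peers 100
#     ss -tun      | flag_busy_peers 100

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.10:443        203.0.113.77:40001      ESTABLISHED
tcp        0      0 192.168.1.10:443        203.0.113.77:40002      ESTABLISHED
tcp        0      0 192.168.1.10:443        203.0.113.77:40003      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::5:55000       ESTABLISHED
udp        0      0 192.168.1.10:123        198.51.100.9:123        ESTABLISHED'

# Constructed `ss -tun` lines for some of the same connections (different columns).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   ESTAB  0      0      192.168.1.10:443    203.0.113.77:40001
tcp   ESTAB  0      0      192.168.1.10:443    203.0.113.77:40002
udp   ESTAB  0      0      192.168.1.10:123    198.51.100.9:123'

# Read netstat or ss output on stdin; print "count peer", highest first.
peers_by_count() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }                 # headers and blank lines
        {
            # netstat: Proto Recv-Q Send-Q Local Foreign State  -> peer is $5
            # ss:      Netid State Recv-Q Send-Q Local Peer     -> peer is $6
            peer = ($2 ~ /^[0-9]+$/) ? $5 : $6
            sub(/:[^:]*$/, "", peer)                # drop the trailing :port only
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# Same input; print only peers with at least $1 connections (default 100,
# the figure the article gives as worth scrutinising).
flag_busy_peers() {
    min="${1:-100}"
    peers_by_count | awk -v min="$min" '$1 >= min'
}

# Demo on the constructed data; expected line: "3 203.0.113.77"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_busy_peers 2
```

The threshold is a starting point, not a verdict: a reverse proxy or a NAT gateway in front of many users legitimately shows up with hundreds of connections, so compare the list against what you know sits in front of the server.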

lsof

The lsof command lists open files, and with the -i option only those that are network sockets, so it shows every process that has a network connection open. This is the option I use:


lsof -i


strace

strace is a powerful command-line tool for debugging and troubleshooting. It captures and records all system calls made by a process and the signals the process receives.

If strace is not pre-installed on your Linux system, run the appropriate command below for your distribution, to install it.


sudo apt install strace         Debian/Ubuntu

yum install strace              RHEL/CentOS

dnf install strace              Fedora 22+

pacman -S strace                Arch-based

man strace


strace ls

strace -d -p <PID Number>


Using ps

The ps (process status) command is one of the most frequently used commands in Linux. It is usually used to get more detailed information about a specific process or about all processes: for example, to know whether a particular process is running, who is running which process on the system, which process is using the most memory or CPU, how long a process has been running, and so on.

Use the “man ps” for more info.


ps aux

a = show processes for all users
u = display the process’s user/owner
x = also show processes not attached to a terminal



Check the running processes with TOP

The top command is a quick way to see which processes are consuming resources. top comes pre-installed on every Linux distribution. It is interactive: you can browse through the list of processes, kill a process, and so on. As you might have guessed, you simply type top to launch it.

You can use the arrow keys and Page Up/Down keys to browse through the list. If you want to quit, simply press “q”.


top


Check the running processes with HTOP

htop is an interactive process viewer and system monitor. It’s one of my favorite linux tools that I use regularly to monitor system resources. If you take top and put it on steroids, then you get htop.

htop has an awesome visual interface that you can also interact with using your keyboard. When you first launch htop, you’ll be greeted with a colorful interface showing a list of all processes running on the system. These are normally ordered by the amount of CPU usage, ordered from highest to lowest. It also shows the status of CPU usage, physical and swap memory.


Kill a Process Without Exiting From htop – Press F9 or k

To kill a process, select it in the list and press F9 or k; this displays the “Send signal” menu listing all the signals you can send to it.


htop

Install NTop on Windows

NTop is an Htop-like system-monitor with Vi-emulation for Windows.


Because using Task Manager is not cool enough.


First, open PowerShell from the search bar and run it as administrator. Now we are going to install Chocolatey:


Get-ExecutionPolicy

Set-ExecutionPolicy AllSigned

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))


choco -?

Now that it is installed, you can install NTop


choco install ntop.portable


Using NTop for Windows


ntop


Video NTop on windows

In this video, I show you how to install NTop on Windows. The last part of the video shows how to use kill (“k”) and shows you netstat | more.

If you like this tutorial, then don’t forget to subscribe to the YouTube channel.



Check SSH attempt connections

Check the SSH logs to see whether somebody is trying to get access to the server or computer.
You can check the SSH access log of the server in this way.

This command shows the last 300 lines of the log with all attempts to get into the SSH server, failed or successful, including important information such as the username that was tried.

Tip: if you need to read further back in the log, increase the number of lines to 1000 or more, depending on how busy the server is, because this log file stores all authentication activity on the server (FTP, SSH, Webmin, and others).

If you are using a Debian-based distribution:


tail -n 300 /var/log/auth.log

tail -n 300 /var/log/auth.log | grep sshd 

If you are using a CentOS/RedHat-based distribution:


tail -n 300 /var/log/secure

tail -n 300 /var/log/secure | grep 'sshd'

You can use the same tail commands to see what happens on your own PC. The line counts are adjustable.


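Reading 300 lines of sshd messages by eye is fine once, but the pattern that matters most is easy to miss: an address that failed many times and then succeeded. The script below is an added example, not code from the original article; SAMPLE_AUTH is constructed log data in the format sshd writes to auth.log or secure (the host name, PIDs, addresses and fingerprint are made up), and on a real server you would feed the tail command from the text into the functions.

```shell
#!/bin/sh
# Added example, not from the original article: pull the SSH facts out of
# /var/log/auth.log (or /var/log/secure) lines: failed attempts per source,
# every accepted login, and the pattern worth scrutinising most, a success
# from an address that had already failed repeatedly. SAMPLE_AUTH is
# constructed log data; on a real host feed the file itself:
#     tail -n 1000 /var/log/auth.log | suspicious_successes 3

SAMPLE_AUTH='Mar  3 03:10:02 web1 sshd[2140]: Failed password for root from 203.0.113.77 port 40001 ssh2
Mar  3 03:10:05 web1 sshd[2140]: Failed password for invalid user admin from 203.0.113.77 port 40002 ssh2
Mar  3 03:10:09 web1 sshd[2142]: Failed password for invalid user oracle from 203.0.113.77 port 40003 ssh2
Mar  3 09:12:01 web1 sshd[2301]: Accepted publickey for jolanda from 192.168.1.20 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Mar  3 09:12:01 web1 sshd[2301]: pam_unix(sshd:session): session opened for user jolanda by (uid=0)
Mar  3 11:00:44 web1 sshd[2410]: Accepted password for root from 203.0.113.77 port 40100 ssh2
Mar  3 11:01:02 web1 CRON[2420]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Print "count address" for every source with failed password attempts,
# highest first. The "from" keyword is located by scanning fields, so the
# "invalid user" variant of the message is handled too.
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
        }
        END { for (s in src) print src[s], s }
    ' | sort -rn
}

# Print "method user address" for every accepted login.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     addr   = $(i + 1)
            }
            print method, user, addr
        }
    '
}

# Accepted logins from an address that had at least $1 failures (default 3)
# in the same log extract: "method user address after N failures".
suspicious_successes() {
    min="${1:-3}"
    log=$(mktemp)
    cat > "$log"
    failed_by_source < "$log" | while read -r n src; do
        [ "$n" -ge "$min" ] || continue
        accepted_logins < "$log" |
            awk -v s="$src" -v n="$n" '$3 == s { print $0, "after", n, "failures" }'
    done
    rm -f "$log"
}

# Demo on the constructed data; expected:
#   password root 203.0.113.77 after 3 failures
printf '%s\n' "$SAMPLE_AUTH" | suspicious_successes 3
```

A password login for root from an address that was guessing usernames two hours earlier is the line to act on first. Because the functions only see the extract you give them, run them over enough lines (or a rotated copy) to cover the period you are investigating.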

Open ports

Which ports do you have open? You can see this very well with nmap; a simple scan is enough for an initial overview. Note that scanning localhost only shows ports reachable on the loopback interface, so compare the result with netstat -tulpn, which lists every listening socket together with the process that owns it.


nmap localhost

Kernel data structures

The proc filesystem is a pseudo-filesystem that provides an interface to kernel data structures. It is commonly mounted at /proc. Read the man page for more info: man proc. Listing /proc/*/exe shows which binary each running process was started from; a link ending in “(deleted)” means the program file was removed while the process kept running, which deserves a closer look.


ls /proc/*/exe -la
or
sudo ls /proc/*/exe -la


Common attack points

These are the common unsecured places (world-writable directories) where a hacker drops files on your Linux machine:


ls /tmp -la

ls /dev/shm -la

ls /var/tmp -la

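The two previous sections fit together: /proc/*/exe tells you where each process was started from, and the three scratch directories are where a dropped binary usually lives. The script below is an added example, not code from the original article. It combines both checks, reporting processes whose binary has been deleted and processes executing out of /tmp, /dev/shm or /var/tmp. The proc root is a parameter only so the function can be exercised against a fake tree; the script name in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: walk /proc/<pid>/exe and
# report processes whose binary no longer exists on disk (the link reads
# "... (deleted)", or its target is gone) and processes running out of the
# scratch directories listed in the article. The proc root is a parameter
# only so the function can be exercised against a fake tree; on a real host:
#     sudo sh -c '. ./audit_exes.sh; audit_process_exes /proc'
# (the script name is assumed; without root, other users' links are
# unreadable and are skipped).

# Directories an ordinary service binary should not be executing from.
SCRATCH_DIRS='/tmp /dev/shm /var/tmp'

# Print one line per finding: "<pid> <DELETED|MISSING|SCRATCH> <path>".
audit_process_exes() {
    procroot="${1:-/proc}"
    for link in "$procroot"/[0-9]*/exe; do
        [ -L "$link" ] || continue                  # kernel threads have no exe
        pid=${link#"$procroot"/}; pid=${pid%/exe}
        target=$(readlink "$link" 2>/dev/null) || continue   # EACCES without root
        case "$target" in
            *" (deleted)")
                printf '%s DELETED %s\n' "$pid" "${target%" (deleted)"}"
                continue ;;
        esac
        if [ ! -e "$target" ]; then
            printf '%s MISSING %s\n' "$pid" "$target"
            continue
        fi
        for d in $SCRATCH_DIRS; do
            case "$target" in
                "$d"/*) printf '%s SCRATCH %s\n' "$pid" "$target" ;;
            esac
        done
    done
}

# Demo on the live system (prints nothing on a clean host).
audit_process_exes /proc
```

A DELETED hit is not always malicious: a service that kept running across a package upgrade shows the same thing until it is restarted. Check the PID with ps aux and the connections it holds with lsof -i before drawing conclusions.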

Crontab scheduled jobs

Another place to check is the cron jobs; a malicious script or application might show up here. Remember that every user can have a personal crontab (crontab -l -u username) in addition to the system files below.


“The crontab is a list of commands that runs on a regular schedule. Crontab stands for “cron table ” because it uses the job scheduler cron to execute tasks.”


A cron job can be defined in the /etc/crontab file. To view it, run the following less command:


less /etc/crontab


How to view /etc/crontab on Linux


cd /etc/

ls -l


View Software Specific Cronjobs


cd /etc/cron.d/

ls -l

cat filename


Listing users cron jobs when using systemd timers

systemd comes with its own scheduler, systemd timers (see systemd.timer). This is another option you can use on systemd-based Linux distros. Use the systemctl command as follows to list the timers:


systemctl list-timers

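Opening /etc/crontab and each file in /etc/cron.d one by one is slow, and it still misses the per-user crontabs in the spool directory. The script below is an added example, not code from the original article: it prints every active entry from the locations above plus the per-user spools, and flags entries that run something from the scratch directories discussed earlier. The root-prefix parameter exists only so the functions can be tested against a constructed tree; the script name in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: list every active cron
# entry from the system locations in the article plus the per-user
# crontabs under /var/spool/cron/crontabs (Debian) and /var/spool/cron
# (RHEL), which the article does not cover, and flag entries that run
# something from /tmp, /dev/shm or /var/tmp. $1 is a root prefix so the
# functions can be run against a fake tree; on a real host:
#     sudo sh -c '. ./cron_audit.sh; flag_scratch_cron'
# (script name assumed).

# Print "file: entry" for every non-comment, non-blank, non-variable line
# in the system crontab, /etc/cron.d and the per-user spool directories.
list_cron_entries() {
    root="${1:-}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue                      # unmatched glob or a dir
        rel=${f#"$root"}
        # drop comments, blank lines and SHELL=/PATH=/MAILTO= assignments
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
            grep -v '^[[:space:]]*[A-Za-z_][A-Za-z_0-9]*=' | sed "s|^|$rel: |"
    done
}

# Only the entries that execute something out of a scratch directory.
flag_scratch_cron() {
    list_cron_entries "$1" | grep -E '(/tmp|/dev/shm|/var/tmp)/' || true
}
```

Save the full list from list_cron_entries next to your other notes: like the bash history, it is most useful when you can compare it against an earlier copy. The scripts under /etc/cron.hourly, cron.daily and friends are run by the run-parts entry in /etc/crontab, so look in those directories as well.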

Conclusion

In this article, I showed you some useful commands and tools with which you can determine whether your Linux computer or server is hacked. You can also use tools such as Wireshark, Snort, and many others, but more about that in another article.


IMPORTANT THINGS TO REMEMBER

  • This article was written for educational purposes and pentest only.
  • The author can not be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember, Performing any hacks without written permission is illegal ..!

Read also the Disclaimer

All the techniques provided in the tutorials on the hackingpassion.com, YouTube channel, and on the website hackingpassion.com are meant for educational purposes only.

If you are using any of those techniques for illegal purposes, hackingpassion.com can’t be held responsible for possible lawful consequences.

My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.


Finally

If you have any questions about this article, any feedback, suggestions if you want to share your thoughts, please feel free to do it using the below comment form.


Bulls Eye
My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open-source and Linux"