Intruder Detection Checklist
If you suspect that your server has been hacked, you need to investigate the incident and make sure that your server is clean. If it has indeed been hacked, we recommend completely wiping the server and rebuilding it. Nothing is worse than leaving a backdoor wide open with someone you don't know spying on you or using your server for illegal activities.
What needs to be done if you suspect your server has been hacked? Here is a quick checklist with some steps you can take to find out what is going on.
Look for signs that your system has been compromised
1) Examine all necessary log files
2) Check the system binaries
3) Examine any files run by 'cron' and 'at' jobs.
4) Look for setuid and setgid Files
5) Check for packet sniffers on the server
6) Check for unauthorized services
7) Check system and network configuration
8) Examine the /etc/passwd file
9) Look everywhere on the server for unusual or hidden files
10) Check with your server provider or data center to find out whether they have noticed similar unusual activity
Check all your system binaries to make sure that they have not been altered by the attacker. We have seen intruders replace programs on UNIX/Linux systems and make them look legitimate. Files to inspect: login, su, telnet, netstat, find, ifconfig, ls, df, du, libc, sync, and any binaries referenced in /etc/inetd.conf. Also check other critical network and system programs and any shared object libraries on the server.
Compare the versions on your server with known good copies, such as those from your initial installation media or from a comparable machine that is known to be clean. You can also use this website to get the hash values of good versions: http://www.knowngoods.org/
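As an added example that is not part of the original checklist (and not a tool from CERT or knowngoods.org), the POSIX sh script below covers items 2 to 5 above in one place: it builds a SHA-256 manifest of the critical binaries on a clean machine, verifies that manifest on the suspect host, lists the active lines of crontab files, finds setuid/setgid files, and flags interfaces in promiscuous mode from `ip -o link show` output. All function names are assumptions, as are the crontab paths (which vary by distribution) and the availability of sha256sum, find, awk and iproute2's ip command.

```shell
#!/bin/sh
# Added triage helper for the checklist above (not code from the original
# article). Covers: system-binary integrity via a known-good hash manifest
# (item 2), active cron entries (item 3), setuid/setgid files (item 4) and
# interfaces in promiscuous mode, the usual sign of a packet sniffer (item 5).
# Assumptions: POSIX sh, GNU or BSD find/awk, sha256sum and ip on PATH.
# Run these tools from known-good media where you can: the article notes
# that intruders replace exactly the binaries (ls, find, netstat, ...) you
# would otherwise use to look for them.

# Step 2a, on a CLEAN machine of the same build: record the SHA-256 of every
# binary you will want to compare later. Keep the output on read-only media.
make_manifest() {
    for f in "$@"; do
        if [ -f "$f" ]; then sha256sum "$f"; fi
    done
    return 0
}

# Step 2b, on the SUSPECT machine: recompute each hash and report every
# binary that is missing or no longer matches. Returns 1 if anything differs.
verify_manifest() {
    manifest=$1
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=$((bad + 1))
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Step 3: print every active (non-comment, non-blank) line of the given
# crontab files so that unfamiliar scheduled commands stand out.
list_cron_entries() {
    cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
    return 0
}

# Step 4: setuid/setgid regular files below a directory (staying on one
# filesystem). Diff the list against the same command run on a clean install.
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Step 5: read `ip -o link show` output on stdin and print the names of
# interfaces whose flag set contains PROMISC.
promisc_interfaces() {
    awk '/<[^>]*PROMISC[^>]*>/ { sub(/[@:].*$/, "", $2); print $2 }'
}

# Driver for an interactive session on the suspect host, for example:
#   . ./triage.sh && run_triage /media/readonly/manifest.sha256
# Crontab locations below are typical Debian paths; adjust for your release.
run_triage() {
    echo '== binaries differing from the manifest =='
    verify_manifest "$1" || echo '!! investigate the files listed above'
    echo '== active cron entries =='
    list_cron_entries /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
    echo '== setuid/setgid files =='
    find_setuid_files /
    echo '== interfaces in promiscuous mode =='
    ip -o link show 2>/dev/null | promisc_interfaces
}
```

The manifest check deliberately recomputes hashes itself instead of relying on `sha256sum -c`, so the same function works with a statically linked sha256sum copied in from clean media; the setuid and cron listings are only useful as a diff against a clean reference, which is why each step is a separate function you can run on both machines.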
Be careful about trusting your backups. Intruders are known to hide their 'presents' in backups, assuming that you will restore your system from a 'good' backup.
Again, we recommend wiping out the system and reinstalling from scratch or from an image. You will also have to find out how the intruder got in. So, patch your system and all applications once the OS has been reinstalled.
The CERT Coordination Center has valuable information on its website. Make sure you spend some time there to get help:
They also have a guide to recovering from a compromised system. This guide can be found here:
A good hacker will still beat you by using log cleaners and other tools, but this quick checklist is a start. If you cannot find the problem on the machine, consider hiring a security specialist to inspect it beyond the steps described here.