Determine whether your Linux server or computer is hacked!
How do you determine whether your computer or server has been hacked? If you suspect this, this article certainly applies to you. But I also discuss several great commands that every user or “hacker” should know, and I show you various options. Some of these commands also work on a Mac and on Windows, so it’s a good idea to take a look, if only for the tips you might want to use.
First of all, keep calm and don't panic if you have been hacked
If you have found something wrong on your server or computer, do not delete anything or make any further changes yet. Just classify everything. Do not read a file with cat or strings; just catalog the files and save that for later. Once you start removing things, you can no longer investigate how deeply they have penetrated. Don’t be misled and stay calm: do some investigation and research first.
Take a good look at the attacker; you may find an IP address or a trace that has been left behind. This only makes the research more interesting. Try to find out as much about the attacker as you can. Once you have all the data, you can look at deleting things safely.
Obviously it is urgent if you have been badly duped and a lot of money is involved; in that case hire a team of specialized ethical hackers or cyber-security experts. If you run a business, that is always the best thing you can do.
Listing of last logged in users on your server
'w' or 'who'
The first thing you should look for is who is currently logged into your server or into your computer. It is not uncommon to find the attacker actually logged into the server and working on it.
Use the command 'last' (the 'last -h' output below lists its options)
This command shows a listing of the last logged in users. The history goes all the way back to the initial setup of the computer or server (so you can also immediately see how long you have had this Linux distro).
last -h
Usage:
last [options] [<username>...] [<tty>...]
Show a listing of last logged in users.
Options:
-<number> how many lines to show
-a, --hostlast display hostnames in the last column
-d, --dns translate the IP number back into a hostname
-f, --file <file> use a specific file instead of /var/log/wtmp
-F, --fulltimes print full login and logout times and dates
-i, --ip display IP numbers in numbers-and-dots notation
-n, --limit <number> how many lines to show
-R, --nohostname don't display the hostname field
-s, --since <time> display the lines since the specified time
-t, --until <time> display the lines until the specified time
-p, --present <time> display who were present at the specified time
-w, --fullnames display full user and domain names
-x, --system display system shutdown entries and run level changes
--time-format <format> show timestamps in the specified <format>:
notime|short|full|iso
-h, --help display this help
-V, --version display version
If someone gets access to the computer or server, “they” probably sent some commands through SSH. The following command shows the last 200 lines of command history for the current user. The 200 I use in this example is just a number; you can use cat instead of tail to read the whole history.
tail -n 200 ~/.bash_history | more
cat ~/.bash_history | more
Of course, you can also open an editor (like vim or nano) and save the output, so that you can notice any changes at a later time. Also check the command history of any other users you might have on your computer, under /home/username/.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
See system files that have changed recently.
With this command, you can see what has happened recently. The “-2” means 2 days, i.e. this shows me all files modified in the last 2 days.
sudo find /etc /var -mtime -2
If you haven’t installed any new software on your server for a while, this command will produce very little output. In the picture here I had just done an upgrade, so there is a lot to see.
Verify the current connections from your server or computer
'netstat'
netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r netstat {-V|--version|-h|--help}
netstat [-vWnNcaeol] [<Socket> ...]
netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }
-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-W, --wide don't truncate IP addresses
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-o, --timers display timers
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all display all sockets (default: connected)
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
-Z, --context display SELinux security context for sockets
<Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
{-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)
If you want more information about netstat, you can use the man (manual) page:
man netstat
Often an attacker will install a program that does nothing except listen on a network port for instructions. Look for any process listed in the LISTEN or ESTABLISHED state, as these processes are either waiting for a connection (LISTEN) or have a connection open (ESTABLISHED). If you don’t recognize these processes, use “strace” or “lsof” (examples below) to try to see what they are doing.
This command shows you two parts: the first is “Active Internet connections (w/o servers)” and the second is “Active UNIX domain sockets (w/o servers)”.
Check both carefully, because if a malicious script is running somewhere and is trying to send spam mail or attack other servers, you can easily find it here.
Below I show an example of how the command sudo netstat -atnp | grep ESTA is used. The first image is without anything open, the second after I opened about 15 tabs in Chrome.
I must say that these commands have always been useful in the past; for example, when you spoke to someone on Telegram, you could see the IP addresses of the people you spoke to (also of bots). This IP address leak is now closed.
sudo netstat -atnp | grep ESTA
When entered correctly, the following command returns a descending list of which IPs are connected to your server (I use this command often for my computer too) and how many connections each one has. Looking at the results, you will see anywhere from 1 to about 50 connections per IP, which is quite common for normal server traffic. If, however, you see some IPs with 100+ connections, that is something to scrutinize.
Included in the list, you may see known IPs, one or more of the server’s own IPs, or even your own personal IP with many connections.
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r
strace is a powerful command-line tool for debugging and troubleshooting. It captures and records all system calls made by a process and the signals the process receives. Both lsof and strace are covered below.
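The per-IP count above still has to be read by eye. As an added example (not from the original article), the function below takes the same netstat -ntu output on stdin, strips the port from the foreign address, and marks any peer at or above a threshold, defaulting to the 100 connections the article says deserve scrutiny. The sample output is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example: summarise remote peers from "netstat -ntu" output read on
# stdin, one line per IP as "<count> <ip>", highest first, appending " !!" to
# peers whose connection count is at or above the threshold (default 100).
#
# Usage: netstat -ntu | count_peers [threshold]
count_peers() {
    threshold="${1:-100}"
    # Skip the two header lines and take column 5 (Foreign Address). The port
    # follows the LAST colon, so IPv6 peers such as ::ffff:1.2.3.4:443 survive.
    awk 'NR > 2 && $5 != "" { sub(/:[0-9]+$/, "", $5); print $5 }' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" \
            '{ flag = ($1 + 0 >= t + 0) ? " !!" : ""; printf "%s %s%s\n", $1, $2, flag }'
}

# Constructed sample of "netstat -ntu" output (not real traffic) for the demo.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:50122      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:40002       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:40003       ESTABLISHED
udp        0      0 192.0.2.10:123          203.0.113.9:123         ESTABLISHED
EOF
}

# Demo: a deliberately low threshold so the flag shows on the sample data.
sample_netstat | count_peers 3
```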
lsof
The lsof command lists open files; the -i option restricts it to network sockets, so it shows all networked processes. This is how I use it:
lsof -i
strace
If strace is not pre-installed on your Linux system, run the appropriate command below for your distribution, to install it.
sudo apt install strace    # Debian/Ubuntu
yum install strace         # RHEL/CentOS
dnf install strace         # Fedora 22+
pacman -S strace           # Arch-based
man strace
Using ps
The ps (process status) command is one of the most frequently used commands in Linux. It is usually used to get detailed information about a specific process or about all processes: for example, to learn whether a particular process is running, who is running which process on the system, which process is using the most memory or CPU, how long a process has been running, and so on.
Use "man ps" for more information.
ps aux
a= show processes for all users
u= display the process's user/owner
x= also show processes not attached to terminal
Check SSH attempts connections
Check the SSH logs to understand whether somebody is trying to get access to the server or computer. You can check the access log of the SSH server in this way. This command shows the last 300 lines of the log of all attempts to get into the SSH server, “failed or authorized”, with important information such as the username that was used.
If you need to read further back in the log, increase the number of lines to 1000 or more, depending on the server usage, because this log file stores all access to the server (FTP, SSH, Webmin, and others).
If you are using a Debian distribution based
tail -n 300 /var/log/auth.log
tail -n 300 /var/log/auth.log | grep sshd
If you are using a Centos/RedHat distribution based
tail -n 300 /var/log/secure
tail -n 300 /var/log/secure | grep sshd
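Reading 300 lines of grep output for the “failed or authorized” attempts described above is slow. As an added example (not from the original article), the function below takes auth.log or /var/log/secure lines on stdin and counts failed and accepted sshd logins per user and source IP, so repeated guessing against one account and an unexpected successful login both stand out. The log lines in the sample are constructed.

```sh
#!/bin/sh
# Added example: summarise sshd results from syslog-style lines read on stdin
# as "<count> FAILED|ACCEPTED <user> <source-ip>", highest count first.
#
# Usage: tail -n 1000 /var/log/auth.log | ssh_summary
ssh_summary() {
    awk '
        # Count only "Failed password" and "Accepted <method>" lines; the
        # separate "Invalid user ..." line sshd writes for unknown accounts
        # is skipped so that one attempt is not counted twice.
        /sshd\[[0-9]+\]: (Failed password|Accepted [^ ]+) for / {
            result = ($0 ~ /Failed password/) ? "FAILED" : "ACCEPTED"
            # the user name follows "for", or "user" when sshd says "invalid user"
            key = ($0 ~ / invalid user /) ? "user" : "for"
            for (i = 1; i <= NF; i++) {
                if ($i == key)    user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            count[result " " user " " ip]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log lines (not from a real system) for the demo run.
sample_auth_log() {
    cat <<'EOF'
Mar  1 12:00:01 web sshd[2101]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  1 12:00:03 web sshd[2101]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  1 12:00:05 web sshd[2101]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  1 12:00:09 web sshd[2104]: Invalid user admin from 203.0.113.5 port 50130
Mar  1 12:00:09 web sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Mar  1 12:01:00 web sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  1 12:01:00 web sshd[2110]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
}

sample_auth_log | ssh_summary
```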
You can use the top command to see what is happening on your own PC. The line counts used in the commands above are adjustable.
Common Attack points
These are the common unsecured places where an intruder typically leaves traces on your Linux machine:
ls /tmp -la
ls /dev/shm -la
ls /var/tmp -la
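Listing those directories with ls -la leaves you to spot the interesting entries yourself. As an added example (not from the original article), the function below walks the same directories and reports only files that are executable or were modified within the last N days, combining the ls -la check with the find -mtime check from earlier in the article. The demo directory it builds is constructed; the two-day window is the article's.

```sh
#!/bin/sh
# Added example: report executable or recently modified files in the
# world-writable directories an intruder commonly uses as a drop zone.
#
# Usage: scan_dropzones 2 /tmp /dev/shm /var/tmp
scan_dropzones() {
    days="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -xdev: do not cross into other filesystems mounted below $dir.
        # Report a regular file if any execute bit is set OR its mtime is
        # within the last $days days; ls -ld shows mode, owner and timestamp.
        find "$dir" -xdev -type f \
             \( -perm -u+x -o -perm -g+x -o -perm -o+x -o -mtime "-$days" \) \
             -exec ls -ld {} + 2>/dev/null
    done
}

# Helper for the stand-alone demo: a constructed directory holding a hidden
# executable, a fresh data file and an old data file. Only the first two are
# expected in the report; the old, non-executable file is not.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$d/.x.sh" && chmod 755 "$d/.x.sh"
    echo data > "$d/fresh.dat"
    echo data > "$d/old.dat" && touch -t 202001010000 "$d/old.dat"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
scan_dropzones 2 "$demo"
rm -rf "$demo"
```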
CONCLUSION
In this article, I showed you some useful commands and tools with which you can determine whether “your Linux computer or server is hacked”. You can also use tools such as Wireshark, Snort, and many others, but more about that in another article.
IMPORTANT THINGS TO REMEMBER
- This article was written for educational and pentest purposes only.
- The author cannot be held responsible for damages caused by the use of these resources.
- You will not misuse the information to gain unauthorized access.
- The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
If you use any of these techniques for illegal purposes, myelectronicsfun.blogspot.com cannot be held responsible for possible legal consequences.