How to analyze a compromised server?

Created: 2017-01-15 21:55:19 UTC

Modified: 2017-08-11 14:16:03 UTC


Applicable to:

  • Plesk for Linux

Question

How to analyze a compromised Linux server?

Answer

Here are several troubleshooting methods for analyzing a compromised server.

- Check /var/log/messages (or /var/log/syslog) and /var/log/secure for large numbers of failed login attempts for the root user from particular IP addresses.

- Check the list of recently logged-in users with the last command and see whether any of the suspicious IP addresses found in the previous step appear there.

- Check the world-writable directories that Apache commonly writes its temporary files to, and look for odd hidden files. Locations such as:

ls -al /tmp
ls -al /var/tmp
ls -al /dev/shm

- Check for suspicious activity in root's history:

history
cat /root/.bash_history

- Check for odd scheduled tasks for root user and system users:

# crontab -l
# cat /var/spool/cron/*

- Check for PIDs listening for incoming connections:

netstat -natp : looks for any suspicious connections running on odd ports
ps -wauxxef : look for suspicious processes, such as bash running under the www (web server) user
lsof -p <pid> : helps to determine where the PID found above is running from

- Check the Apache logs for suspicious downloads (wget or curl invocations passed in requests):

cd /var/log/httpd
for i in *access*; do echo "$i" && grep wget "$i"; done
for i in *access*; do echo "$i" && grep curl "$i"; done

- Install the Plesk Watchdog extension and check the server using the rkhunter tool:

#/usr/local/psa/admin/sbin/modules/watchdog/rkhunter -c

After that, inspect its log file /var/log/rkhunter.log.

Use the sysdig tool to analyze processes, network activity and I/O. An example of using it to hunt for hacking activity is explained here.

If the server is a source of a mail spam

Add the following to the custom php.ini settings for the domain in Home > Domains > example.com > PHP Settings > Additional PHP Directives:

mail.add_x_header = On
mail.log = syslog

These settings can be added for all domains via the assigned service plan.

With these settings enabled, a line like the following is logged in /var/log/syslog (or /var/log/messages) for every e-mail sent by a script:

[11-Jan-2017 15:08:17 Asia/Krasnoyarsk] mail() on [/var/www/vhosts/example.com/httpdocs/testmailer.php:10]: To: user@example1.com -- Headers: From:user2@example.com

This helps to locate the .php scripts that send mail and check whether one of them is the source of the spam.
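On a busy server the syslog lines above pile up quickly, so the following added shell example (not part of the Plesk article) aggregates them: it counts mail() calls per script and distinct recipients per script, which makes a mass-mailing script stand out. The log lines are constructed for illustration; the paths and addresses are made up, and on a real server you would point the functions at /var/log/syslog or /var/log/messages.

```shell
#!/bin/sh
# Constructed sample of the PHP mail() lines produced by mail.log = syslog,
# mixed with an unrelated sshd line to show that only mail() lines are counted.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 11 15:08:17 host php: [11-Jan-2017 15:08:17 Asia/Krasnoyarsk] mail() on [/var/www/vhosts/example.com/httpdocs/testmailer.php:10]: To: user@example1.com -- Headers: From:user2@example.com
Jan 11 15:08:18 host php: [11-Jan-2017 15:08:18 Asia/Krasnoyarsk] mail() on [/var/www/vhosts/example.com/httpdocs/wp-content/uploads/cache.php:3]: To: a@example.net -- Headers: From:admin@example.com
Jan 11 15:08:19 host php: [11-Jan-2017 15:08:19 Asia/Krasnoyarsk] mail() on [/var/www/vhosts/example.com/httpdocs/wp-content/uploads/cache.php:3]: To: b@example.net -- Headers: From:admin@example.com
Jan 11 15:08:20 host php: [11-Jan-2017 15:08:20 Asia/Krasnoyarsk] mail() on [/var/www/vhosts/example.com/httpdocs/wp-content/uploads/cache.php:3]: To: c@example.net -- Headers: From:admin@example.com
Jan 11 15:08:21 host sshd[123]: Failed password for root from 198.51.100.7 port 4444 ssh2
EOF

# Print "count script_path" for every script that called mail(), most active first.
# The "[path:line]" part is extracted and the line number stripped so that
# calls from different lines of the same file are summed together.
# Usage: top_mail_scripts /var/log/syslog
top_mail_scripts() {
    grep -o 'mail() on \[[^]]*\]' "$1" \
        | sed 's/^mail() on \[//; s/:[0-9]*\]$//' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Number of distinct "To:" recipients a given script has mailed; a script
# with many recipients and no legitimate purpose is a strong spam indicator.
# Usage: recipients_for_script /var/log/syslog /path/to/script.php
recipients_for_script() {
    grep -F "mail() on [$2:" "$1" \
        | sed 's/.*: To: \([^ ]*\) -- .*/\1/' \
        | sort -u | wc -l | tr -d ' '
}

top_mail_scripts "$SAMPLE_LOG"
# → 3 /var/www/vhosts/example.com/httpdocs/wp-content/uploads/cache.php
#   1 /var/www/vhosts/example.com/httpdocs/testmailer.php
```

A PHP file under an uploads directory calling mail() is exactly the kind of result worth following up with the /tmp, crontab and process checks listed earlier.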
