- Plesk for Linux
How to analyze compromised Linux server?
Here are several troubleshooting methods for analyzing a compromised server.
- Check the logs to find whether there were a lot of failed login attempts for a user from particular IPs.
- Check the list of recently logged-in users with the command and check whether any of the suspicious IP addresses found in the previous step appear there.
- Check world-writable directories that Apache commonly writes its temp files to, and look for odd hidden files. Locations such as:
ls -al /tmp
ls -al /var/tmp
ls -al /dev/shm
- Check for suspicious activity in root's history:
- Check for odd scheduled tasks for the root user and system users:
# crontab -l
# cat /var/spool/cron/*
- Check for PIDs listening for incoming connections:
netstat -natp : look for any suspicious connections on odd ports
ps -wauxxef : look for suspicious processes, such as bash running under the www (web server) user
lsof -p <pid> : helps determine where the PID found above is running from
- Check Apache access logs for suspicious downloads (wget or curl being called from web requests):
for i in *access*; do echo "$i" && grep wget "$i"; done
for i in *access*; do echo "$i" && grep curl "$i"; done
- Install the Plesk Watchdog extension and check the server using
After that, inspect its log file.
If the server is a source of mail spam
Add the following directives to the custom settings of the domain in
Home > Domains > example.com > PHP Settings > Additional PHP Directives
mail.add_x_header = On
mail.log = syslog
These settings can be added for all domains via the assigned service plan.
With these settings enabled, a line like the following is logged in /var/log/syslog (or /var/log/messages) for every e-mail sent by a script:
[11-Jan-2017 15:08:17 Asia/Krasnoyarsk] mail() on [/var/www/vhosts/example.com/httpdocs/testmailer.php:10]: To: email@example.com -- Headers: From:firstname.lastname@example.org
This helps find the scripts that send mail and check whether they are the source of the spam.
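As an added example (not part of the Plesk article), the following Python script parses mail() entries of the format shown above, counts sent messages per script and flags scripts that mailed many distinct recipients. The log lines it runs on are constructed samples; the syslog prefix, host name, paths and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the entry PHP writes with mail.log=syslog and mail.add_x_header=On.
# It is searched, not anchored, so any syslog prefix before the '[' is ignored.
MAIL_LOG_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^\]:]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)

def parse_mail_log(lines):
    """Yield one dict per parsable mail() entry; unrelated lines are skipped."""
    for line in lines:
        m = MAIL_LOG_RE.search(line)
        if m:
            yield m.groupdict()

def summarize_senders(lines):
    """Return {script_path: (messages_sent, distinct_recipients)}, busiest first."""
    counts = Counter()
    recipients = defaultdict(set)
    for entry in parse_mail_log(lines):
        counts[entry["script"]] += 1
        recipients[entry["script"]].add(entry["to"].lower())
    return {s: (n, len(recipients[s])) for s, n in counts.most_common()}

def suspicious_scripts(lines, min_sent=5, min_recipients=5):
    """Scripts mailing many distinct recipients: the usual shape of a spam sender."""
    return [s for s, (n, r) in summarize_senders(lines).items()
            if n >= min_sent and r >= min_recipients]

# Constructed sample: two mails from a contact form, one unrelated syslog line,
# and six mails to six different recipients from a script in an uploads directory.
SAMPLE_LOG = [
    "Jan 11 15:08:17 web php: [11-Jan-2017 15:08:17 Asia/Krasnoyarsk] mail() on "
    "[/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: owner@example.com -- Headers: From:form@example.com",
    "Jan 11 15:09:01 web php: [11-Jan-2017 15:09:01 Asia/Krasnoyarsk] mail() on "
    "[/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: owner@example.com -- Headers: From:form@example.com",
    "Jan 11 15:10:00 web sshd[123]: Accepted password for root from 198.51.100.7 port 5000 ssh2",
] + [
    f"Jan 11 15:1{i}:30 web php: [11-Jan-2017 15:1{i}:30 Asia/Krasnoyarsk] mail() on "
    f"[/var/www/vhosts/example.com/httpdocs/wp-content/uploads/x.php:1]: To: user{i}@example.org -- Headers: From:ceo@example.com"
    for i in range(6)
]

if __name__ == "__main__":
    for script, (sent, distinct) in summarize_senders(SAMPLE_LOG).items():
        print(f"{sent:4d} mails to {distinct} recipient(s) from {script}")
```

On a real server, feed it the output of `grep 'mail() on' /var/log/syslog` (or /var/log/messages) instead of SAMPLE_LOG.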