Home » Linux » How To Check if Your Linux Server Is Hacked

How To Check if Your Linux Server Is Hacked

software engineer monitoring servers

Cyberattackers are attracted to Linux SSH servers in particular. Because they provide remote access to the command-line, they are vital for managing and controlling server operation.

Remote access is a valuable entry point to those looking to compromise or exploit critical services.

To deter hackers, server administrators can update, patch, and use fewer ports, but how do you know if an enemy is lurking at the gate?

How to Spot a Hacker

Hackers are not always sophisticated. The majority of hacks are automated by botnets and “script kids” using pre-existing malicious codes.

These attacks, which range from denial of service (DoS) attacks to commandeering servers for the distribution of spam or cryptocurrency mining highlight the diversity of cyberthreats.

The activities described above are a combination of sophisticated schemes and opportunistic exploits of known vulnerabilities. They significantly drain system resources.


Signs of compromise such as delayed email, disrupted streaming or a noticeably slowdown on your server are indicators of possible unauthorized access. You can act quickly if you recognize these signals as soon as possible.

You can easily verify the security on your server by taking simple steps.  Here are some steps you can take to ensure that your server remains secure.

Step 1. Step 1.

It is possible that a hacker has still signed in to your server. To check this, connect to your Linux Server via SSH. Run:

The w

This simple command will display other connected users along with their login times. This will show you that no one else is logged in (as shown).

If you run the “w” command, you can see the IP address of other connected users via the ‘FROM’ field. You can use Whois The command will tell you where the IP is originally registered.

Who is 8.8.8.8?

You can also see information about the users logged in and any processes they’re currently running:

Who -u

Step 2. Step 2.

Check the login history on your server to see if there are any unknown users currently logged in. This can be done by:

Last but not least,

This shell command displays the IP address, username and login time of all previous users.

check previous logins

You can run the command again with the username of the user to see only their login history.:

Last gremlin

You can also use the ‘whois’ command on the login IP address once again to try to trace their location.

If the user has been unauthorized you can terminate any SSH sessions or processes that are associated with their username. pkillYou can, for example:

sudo kill -U gremlin

If you are running the Last but not least, command, you’ll notice the final line of output refers to ‘wtmp’, e.g.:

“wtmp starts Wed Feb 7 164708 2024”.

Pay attention to both the date and time. If the date and time are recent, it’s possible that a hacker deleted them. /var/log/wtmpThis will help to hide their tracks.

Step 3. Step 3.

You should look at the commands that were run if you find unrecognized user. This list is saved in ~/.bash_historyYou can run Terminal to view the.

Cat /.bash_history

check previous commands

Normally, you will see a lengthy list of commands. Be on the lookout for common commands like Install, ормулированиеOr wgetThis can be used to install malicious software.

Terminal may tell you that there is no such directory or file. This could be because a hacker has deleted it to cover up the commands they have run.

Step 4. Step 4.

Hackers who breach servers often start system-intensive processes such as installing software designed to mine cryptocurrency.

The Check to see if it is true can be done using the Top command is a Linux utility which provides a dynamic and real-time overview of a system’s performance.

check the most intensive processes

If you find yourself overwhelmed by the information, start by focusing on the “command column” which shows the names of the active processes. Note the PID (process number) of any process you do not recognize. Once you are done, press Ctrl+C to exit.

You can test an unrecognized program by running its name in a search engine. Google “fish process” for instance, reveals that this process is just an easy-to-use command line shell.

You can also find out what files have been accessed using a specific process. lsof For example, the following information can be included with the ID of the process:

lsof 772

Step 5. Step 5.

The hacker will try to avoid detection by ensuring that the installed program does not hog up too many resources. Consequently, their processes might not show up in the list that is generated by the Top command. Use: to double-check the status of all processes.

ps auxf

This command organises running processes logically. Columns are self explanatory. The process ID (PID), CPU and memory usage is listed again as a percentage.

check all system processes

Check the “Commands” column once more. Use a search engine if you do not recognize any processes. lsof As in the previous step, identify them. To exit, press Ctrl+C.

Step 6. Step 6.

Hackers can sometimes install backdoor software that is only listening for instructions. They consume little CPU/system resource, so they are easy to overlook.

List all processes listening for network connection by:

sudo lsof -i

check network processes

You can check at the end of the entry if it is in Listen mode. This means that the process will be waiting for an internet connection. If you do not recognize the name of a particular process, use the methods described in Step 4 to learn more about it.

Step 7. Terminate Unauthorized Processes

You can immediately terminate a suspicious application using the Kill Command as well as PID:

Sudo kill -9 – 2046

terminate unauthorized processes

If you want to terminate multiple processes launched by a single program, use the command. killall:

Sudo Killall Fish

If you’ve been hacked

You can shut down your server remotely if you believe it has been hacked. This is done by running the following command.

Shutdown -h Now

If you are renting server space through a third party provider, you might also be able shutdown the server via the dashboard of the provider’s website. You can then wipe the server and reinstall it as you wish.

Cybersecurity experts are available to consult

It is important that, if you suspect your server may have been compromised, particularly if your company handles sensitive information, you seek out the help of cybersecurity professionals.

Computer security professionals can perform a thorough security audit. They will identify the extent of the breach and suggest measures that not only correct the current vulnerabilities, but also reinforce your defenses to future attacks.

Remember, hacking can have subtle signs, but the consequences are huge. Engagement with cybersecurity professionals not only helps to effectively address immediate security issues, but it also helps establish a robust framework that will safeguard your digital asset in the long run.

Also Read: What To Do if Your Linux Server Has Been Hacked | March 22, 2024