What To Do If You Think Your Linux Server Was Hacked

There are a number of things you can do if you think your Linux box was hacked. A common myth is to simply and quickly reinstall the OS, however that is the exact opposite of what you want to do, at least initially. What you want to do ASAP is take the box offline. Before you do that, you have an option, you can get some data on what's running and what IPs are currently connected. For example by running these commands: lsof, netstat -anpe, ps aux. If you are already logged in, it would be a good idea to run those, if you are not logged in you may want to just pull the plug on the machine.

This is one case where you want to pull the plug, or if its on a remote rebooter turn off that rebooter port, rather than running halt or shutdown from the command line. Now if you do decide to run the commands to see whats running, you should send the output to another server, for example by using netcat. You should always have an unblocked outgoing port, to be used for netcat and then further secure that, by adding an ACL to only allow traffic to your netcat server on that port. In order to preserve a compromised system, you don't want to write any new data to the drive. You also don't want to remove anything at this point, even if you see files you think were placed by a hacker.

At this point you should notify your customers and anyone else who may have been affected that there may have been a security breach. Notify your hosting provider if appropriate, any security professionals you work with, and if you are meeting compliance, for example PCI compliance for credit cards, you will want to notify your merchant account provider and/or the payment card companies, such as Visa. Also notify law enforcement if appropriate. If needed, wait for information from the other parties on how you should proceed. Yes, this does mean taking the box offline, but its an important step.

Full Story