How To Tell If Your Server Has Been Compromised

26th October, 2016 by
The last few months have been almost non-stop with website after website suffering security breaches leading to customer details being released online. This week we’ll look at reasons why you may get hacked and clues to help you spot if your server has been hacked. First, we’ll look at what you are generally up against.

While there are a number of different types of hacker out there, they can be broadly split into two camps: skilled hackers and script kiddies. A skilled hacker is likely to be a formidable opponent and, if they are breaking into your server, are very good at hiding their tracks. Script kiddies, on the other hand, are generally not very skilled and rely on using scripts and programs created by other people. The tools that script kiddies use are often created by skilled hackers to help them compromise systems and will be automated and simplified in order to sell them on to other people. Script kiddies tend to be easier to spot as they attack your server as they tend to lack the required skills to hide their tracks.

Why Hackers? Why?

So why are they doing this?  Skilled hackers tend only to attack systems that will have a big payoff. These are often the people behind big data breaches and hacks of high profile targets. So unless you are yourself a high profile target a skilled hacker is likely only bothered about hacking your system because you are running something new or interesting for them to test their skills against. Script kiddies, on the other hand, tend to attack systems that are compatible with the hacking tools that they have to hand, though generally, they aren’t as interested with the contents of your server but only what they can use it for.

Common reasons for compromising a server when the attacker isn’t interested in the data on the server itself are to use the server to send spam, to take part in DDoS attacks, run a phishing site scam, mine bitcoins or to attack other servers.

How Do You Know If You’ve Been Attacked?

This brings us neatly on to detecting that the server has been hacked. While many tricks can be used to hide the hack, such as removing bash histories, creating hidden users and hiding processes from the process list, there are some things that will give a hack away. For a hack involving spamming the most obvious is the size of the mail queue on your server, keeping this monitored and watching for a large increase in its size should be a good indication of spamming taking place. Pretty much all hack uses will see some increase in network traffic. DDoS attacking will see the biggest increase. Monitoring the bandwidth usage of the server for unusual changes would help detect disturbances. Next we have CPU usage, when a server is being employed for nefarious purposes you’ll often see the CPU load increase above its normal levels, sometimes this may be without any processes seemingly causing that load, in which case there’s a good chance of a program running being hidden from the normal process tools.

Tools To Help Out

A number of tools involve modifying the standard application files or library files that the server uses to run. So you may find some applications failing with strange errors where other files they depend on to run may have been modified by hackers. So if a previously stable application starts crashing in a strange manner when you’ve made no changes to the server, someone else may have.

What Do You Do If You Find You’ve Been Hacked?

Well, it depends on the level of the hack if they’ve simply used a compromised WordPress addon to send spam or DDoS then tidying up the site and updating WordPress may resolve it. Though if they’ve gained shell access to the server and especially managed a root shell then you should trust nothing on the server. The best thing is usually to reload the server’s operating system and recover your files from your last backup from when the server was known to be clean, as any files after the compromise may be used to gain access after the server is restored.

(Visited 129 times, 1 visits today)