A server break-in that is noticed creates an emergency: frantic efforts to restore backups and to pull logs and files in order to identify the cause of the breach. But what if your server is hacked and you never find out? It is quite possible for an attacker to sneak into your server without you noticing and to leave no obvious change behind. Below are some methods and precautions you should adopt as a routine practice to detect the signs of a server compromise.
- In a server hack, logging is often the first thing to stop working. Without log files there is very little chance of working out how the attack affected your server. Check /etc/syslog.conf, which is often replaced during an attack.
- Attackers who get into your site once usually leave a backdoor so they can get back in. They tamper with your user accounts and may create new ones as well. Check your user account list for any account you never created, and check the passwords of existing accounts for recent changes.
- Also check whether an account you created yourself has been misused. Review the recent logins for the suspected user; unusual login times are a sign of abuse.
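The two account checks above can be scripted against copies of /etc/passwd and /etc/shadow. The script below is an added example, not code from the original article: it assumes a copy of /etc/passwd saved while the host was known-good (the "baseline"), and reads the "last changed" field of /etc/shadow directly. The sample account data it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): compare the current /etc/passwd
# against a saved known-good copy, and flag accounts in /etc/shadow whose
# password was changed recently. All paths are parameters, so the checks can be
# run on files copied off a suspect host. Sample data below is constructed.

# Print login-capable accounts present in PASSWD but absent from BASELINE.
# Accounts whose shell is nologin or false cannot log in interactively; skip them.
unexpected_users() {
    baseline="$1"; passwd="$2"
    awk -F: 'FILENAME==ARGV[1] { seen[$1]=1; next }
             !($1 in seen) && $7 !~ /(nologin|false)$/ { print $1 }' \
        "$baseline" "$passwd"
}

# Print accounts whose shadow field 3 ("last changed", days since 1970-01-01)
# falls within the last WINDOW days. NOW_DAYS is today's day count; on a live
# host compute it with:  $(( $(date +%s) / 86400 ))
recent_password_changes() {
    shadow="$1"; window="$2"; now_days="$3"
    awk -F: -v now="$now_days" -v win="$window" \
        '$3 != "" && $3 != "0" && (now - $3) <= win { print $1 }' "$shadow"
}

# Constructed demo: baseline passwd, current passwd with two added accounts
# (one interactive, one service account), and a shadow file where root's
# password changed 10 days before the fixed "now" of day 20000.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$tmp/passwd.base"
    printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\nalice:x:1000:1000::/home/alice:/bin/bash\nsupport:x:1001:1001::/home/support:/bin/sh\nbackup2:x:1002:1002::/var/backups:/usr/sbin/nologin\n' > "$tmp/passwd.now"
    printf 'root:$6$salt$hash:19990:0:99999:7:::\nalice:$6$salt$hash:18500:0:99999:7:::\nwww-data:*:18000:0:99999:7:::\n' > "$tmp/shadow"
    echo "new interactive accounts: $(unexpected_users "$tmp/passwd.base" "$tmp/passwd.now")"
    echo "passwords changed in last 30 days: $(recent_password_changes "$tmp/shadow" 30 20000)"
    rm -rf "$tmp"
}
demo
```

Keep the baseline copy of /etc/passwd off the server; a baseline that an intruder can edit alongside the live file proves nothing.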
- /var/log/wtmp is another file that is commonly removed in the aftermath of an attack. It records who has logged in to the machine; once it is gone, you have no record of logins.
- Look for traces in log files, and use tools that can give you a clue about the intruder on your server. As mentioned above, the /var/log/ directory usually contains traces of the attacker's activity.
- If scripts are infected, roll back to the last known-good state from your backups. Check for MySQL injection, header injection, etc.
- Some very useful software exists to detect such changes and behaviour. Tripwire is one such program: it checks files for any alteration. Another good one is chkrootkit, which protects you from hidden attacks by rootkits; rootkits are a real danger to your server because they can send information from inside it to an outside network. Yolinux is also an excellent tool for discovering system hacks.
- /etc/shadow and /etc/passwd are also quite often deleted in a server hack, and some service binaries such as ssh, sshd, sftp-server and scp are replaced with others.
- System software and configuration files are normally attacked first, since that causes system-wide disruption. Inspect these files, including php.ini, for any unintended modification.
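The file checks in the last several points (a replaced /etc/syslog.conf, a deleted /var/log/wtmp, swapped ssh/sshd binaries, edited php.ini) are exactly what Tripwire automates. The script below is an added example, not the article's or Tripwire's code: a minimal integrity checker that records SHA-256 digests of a watch list while the host is known-good and later reports files that changed, vanished or appeared. It takes a root directory as a parameter so the demo can run in a scratch directory; on a real server you would pass `/` and store the baseline off-box. The watch list and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the article's own tooling): a Tripwire-style integrity
# check. Requires sha256sum (coreutils). ROOT is prepended to every watched
# path so the demo can use a scratch directory instead of the live filesystem.

# Record "digest  path" for every path in LIST (one per line) into OUT.
# A path that does not exist at baseline time is recorded as MISSING so that
# its later appearance is also reported.
make_baseline() {
    root="$1"; list="$2"; out="$3"
    : > "$out"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -f "$root$p" ]; then
            printf '%s  %s\n' "$(sha256sum "$root$p" | cut -d' ' -f1)" "$p" >> "$out"
        else
            printf 'MISSING  %s\n' "$p" >> "$out"
        fi
    done < "$list"
}

# Compare the current state against BASELINE and print one line per finding:
#   MODIFIED <path>   digest differs from the baseline
#   MISSING  <path>   present at baseline time, gone now (e.g. wtmp deleted)
#   APPEARED <path>   absent at baseline time, present now
# Returns 0 when nothing changed, 1 when any finding was printed.
check_baseline() {
    root="$1"; baseline="$2"; rc=0
    while read -r digest p; do
        if [ ! -f "$root$p" ]; then
            [ "$digest" = MISSING ] || { echo "MISSING  $p"; rc=1; }
        elif [ "$digest" = MISSING ]; then
            echo "APPEARED $p"; rc=1
        elif [ "$digest" != "$(sha256sum "$root$p" | cut -d' ' -f1)" ]; then
            echo "MODIFIED $p"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Constructed demo: a fake filesystem with the files the article mentions,
# a baseline taken while clean, then the tampering it describes.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/sbin" "$root/var/log"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    printf '*.info;mail.none /var/log/messages\n' > "$root/etc/syslog.conf"
    printf 'genuine sshd binary (stand-in)\n' > "$root/usr/sbin/sshd"
    printf 'wtmp records (stand-in)\n' > "$root/var/log/wtmp"
    printf '/etc/passwd\n/etc/syslog.conf\n/usr/sbin/sshd\n/var/log/wtmp\n' > "$root/watchlist"
    make_baseline "$root" "$root/watchlist" "$root/baseline"
    echo "clean host:"; check_baseline "$root" "$root/baseline" && echo "  no changes"
    # Simulate the tampering: sshd swapped for another binary, wtmp removed.
    printf 'replaced sshd (stand-in)\n' > "$root/usr/sbin/sshd"
    rm -f "$root/var/log/wtmp"
    echo "after tampering:"; check_baseline "$root" "$root/baseline" || echo "  integrity check FAILED"
    rm -rf "$root"
}
demo
```

The baseline file must be kept somewhere the server cannot write to (removable media or a separate host); a digest list that lives on the compromised machine can simply be regenerated by the intruder after swapping the binaries.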
These are only a few tips and tricks and not necessarily a solution for everyone. Remember that a complete cleansing of your server is possible only by reinstalling your operating system.