Dedicated Server Article
Detection Checklist
This article covers how to confirm an intrusion into your server: if you suspect that someone has hacked your server, these are the measures you can take to check for an intruder.
Checklist:
If you suspect that your server has been hacked or that an intruder is present, you need confirmation: investigate the incident and satisfy yourself that the server is in fact clean. If you find that the server has been compromised, you can wipe it completely and rebuild it. It is a nightmare to have somebody break into your server and use it for illegal activities.
If you are not sure whether your server has been hacked, the following quick and easy steps will help you find out.
Is This Happening On Your System?
Check all the essential log files on your server.
Check the system binaries.
Check which files are run by "cron" jobs and by "at".
Check all setuid and setgid files.
Check whether a packet sniffer is running on the server.
Confirm that no unauthorized service is running.
Also confirm the network and system configuration.
Check the /etc/passwd file.
Verify that there are no hidden files on your server.
Ask your server provider or data center to look for similar unusual files or activity.
Make sure that no hacker has replaced the system binaries, so check them. Intruders also modify programs on operating systems such as Unix so that they appear legitimate. If you are worried, verify these files: telnet, netstat, login, find, ifconfig, su, ls, df and the binaries referenced in /etc/inetd.conf. Also confirm the network programs and system programs, and any shared object libraries on the server.
You can also compare the versions on your server against your original installation media or against a clean machine that has not been compromised. If you are still not satisfied, you can obtain hash values of known-good versions of the latest releases from this website: http://www.knowngoods.org/
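As an added example (not part of the original article), the POSIX shell script below turns three of the checklist items above into functions you can run on a server: UID-0 accounts in /etc/passwd, setuid/setgid files, and comparing binaries against sha256 hashes recorded on a clean system. It assumes GNU coreutils (sha256sum, find, mktemp); the sample files, the "toor" account and the tampered netstat are constructed for the demonstration.

```shell
# Added example, not from the original article: three checks from the
# checklist above, each written as a function that prints its findings and
# returns 1 when something suspicious is found (0 when clean).
# make_sample_tree builds constructed sample data in a temporary directory.

# 1. /etc/passwd: any account with UID 0 that is not "root" is a finding.
#    $1 = passwd-format file (defaults to /etc/passwd)
check_uid0_accounts() {
    hits=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}")
    [ -z "$hits" ] && return 0
    echo "UID 0 accounts besides root: $hits"
    return 1
}

# 2. setuid/setgid files under a tree (defaults to /, staying on one
#    filesystem). Compare the output with a listing taken from a clean install.
list_setuid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# 3. Binaries: each manifest line is "<sha256>  <path>", produced on a clean
#    machine or from install media with "sha256sum <files> > manifest".
#    Changed or missing files are findings.
check_binaries() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "CHANGED  $path"; status=1; }
    done < "$1"
    return $status
}

# Constructed sample data: one extra UID-0 user, one setuid file and one
# "binary" replaced after the manifest was taken, so all three checks fire.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\nbob:x:1000:1000::/home/bob:/bin/sh\n' > "$d/passwd"
    mkdir -p "$d/bin"
    printf 'original netstat\n' > "$d/bin/netstat"
    printf 'original ls\n' > "$d/bin/ls"
    chmod u+s "$d/bin/ls"
    (cd "$d" && sha256sum bin/netstat bin/ls > manifest)   # taken while clean
    printf 'backdoored netstat\n' > "$d/bin/netstat"       # later tampering
    echo "$d"
}
```

On a real server, run check_binaries from the directory the manifest paths are relative to, using a manifest built from install media or a clean host rather than from the suspect machine itself.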
Also be careful with your backups: intruders can hide their presence in a backup, assuming that your system will be restored from a supposedly good backup.
The best approach is to wipe your system and reinstall it from an image. Also find out where the intruder got in. Once the system has been reinstalled, patch all the applications on it. You can find valuable information on the site of the CERT Coordination Center: http://www.cert.org and a guide for dealing with a compromised system at: http://www.cert.org/tech_tips/root_compromise.html.
If you still cannot find the problem on your system after trying the methods explained above, hire security specialists, because a professional hacker will defeat you by using log cleaners and other tools that you are not aware of.