How to check your server for suspicious activity in Linux

If you have even a small hunch that your server has been compromized, it bears further investigation. In fact, it's good practice to periodically review your server even if you suspect nothing. But what should you be looking for? How can you tell what files have been modified, whether you have malicious software on your server, and which processes are problematic? This guide is designed to answer all of those questions.

Checking your recently modified files

Looking at the recently modified files list in Linux can be an excellent way of spotting suspicious changes to your server – provided you know what you're looking for. You can find a list of files using the find command, which we have an extensive guide on here. For this use case, though, the most useful syntax would be something like this:

find -type f -mtime -15 -ls

This will find all files that were modified in the last 15 days. You can naturally change this number to reflect a period that is more realistic for your use case. You can also use +15 for all files that were modified 15 days ago (for example, on March 5 if you run the command on March 20). This is useful if you suspect a compromize on a specific day.

Checking a specific folder is often useful too – for example, your log folder, to see if any have been modified or updated:

find /var/log/ -type f -mtime -15 -ls

To investigate further, you can then check the timestamp of a specific file using stat. For example:

stat /var/log/malware.sh
  File: malware.sh
  Size: 6               Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 1871        Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-10 08:13:10.903053851 +0000
Modify: 2023-03-10 08:13:10.903053851 +0000
Change: 2023-03-10 08:13:10.903053851 +0000
 Birth: 2023-02-10 08:13:10.903053851 +0000

You should be looking for anything that does not make sense – unusual permissions, dates of files that don't add up, and files (such as logs) that should be there but aren't.

Checking your log files

Most actions on your Linux server will be logged, which makes checking your log files one of the best ways to spot suspicious activity. However, you must be aware that a clever attacker will modify your log files to remove their activity. You can use the stat command to tell when a file was last modified, but be aware that this can be falsified too. Checking log files is not a foolproof way of spotting malicious activity, then, but it will help to catch low-hanging fruit – malware or actors who are not proficient enough to hide their activity.

Some of the logs you should check include:

  • /var/log/auth.log: Shows all authentication logs. This allows you to investigate failed login attempts password changes, etc. On RedHat or CentOS, this will instead be var/log/secure.
  • /var/log/faillog: A list of failed logins, useful for investigating brute force/login credential hacks.
  • /var/log/wtmp: A record of every login/out. Check whether someone was accessing the server at a time they shouldn't have been.
  • /var/log/apt: Logs when an application is installed using apt on Ubuntu machines. Useful for checking if any unsanctioned applications have been installed. On CenOS this will be /log/yum.
  • /var/log/syslog: Shows a log of activity data throughout the system, providing an overview of the general goings on. On CentOS/RHEL this will be /var/log/messages.

Provided the attacker has not covered their tracks, combing these logs should give you a good idea of whether something suspicious has occurred.

Checking for suspicious processes

Most servers are hacked for their resources, not their information. If your server is compromized, it's most commonly so that an attacker can use it in a botnet or for brute force attacks on other servers. To do this, the attacker (most likely via an automated tool) will establish several outbound connections and create an associated process.

By analysing our processes, we may be able to figure out if anything suspicious is going on. But, be aware – it's not uncommon for hackers to replace the tools you'll be using to investigate with hacked versions that won't give you accurate information. Remain skeptical if other signals are pointing to a server compromize.

First things first, check your active connections using netstat -an. This will show you all connections and their port numbers in a list.

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 193.149.189.216:38038   91.189.91.38:80         TIME_WAIT
tcp        0      0 193.149.189.216:22      81.229.38.48:60860      ESTABLISHED
tcp        0   1112 193.149.189.216:22      83.121.2.254:50537      ESTABLISHED
tcp        0      0 193.149.189.216:22      83.123.9.169:60272      ESTABLISHED
tcp        0      0 193.149.189.216:22      2.187.234.37:22363      ESTABLISHED
tcp        0     33 193.149.189.216:22      83.121.2.254:49256      LAST_ACK
tcp        0     33 193.149.189.216:22      5.216.59.94:51280       LAST_ACK

The entries above are quite normal looking. TCP traffic on ports commonly used by genuine processes. However, let's say we want to investigate what processes are making connections on a particular port.  We'll go with port 50537, as that's on our list:

lsof -i tcp:50537 -P -R

The lsof command (list running files) should return a list of which processes that are using this port, as well as their parent process.

COMMAND   PID PPID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    49728 3453 root    4u  IPv4 334132      0t0  TCP 64117a5178d79d0001fa80a7:22->81-229-38-48-no2744.tbcn.telia.com:50537 (ESTABLISHED)

We can find out which files the process is using by filtering by its PID:

lsof -p 49728
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF   NODE NAME
sshd    49728 root  cwd    DIR                8,1     4096      2 /
sshd    49728 root  rtd    DIR                8,1     4096      2 /
sshd    49728 root  txt    REG                8,1   917192   2757 /usr/sbin/sshd
sshd    49728 root  mem    REG                8,1   309600  23258 /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
sshd    49728 root  mem    REG                8,1    18424   3109 /usr/lib/x86_64-linux-gnu/security/pam_env.so
sshd    49728 root  mem    REG                8,1    26696   3120 /usr/lib/x86_64-linux-gnu/security/pam_limits.so
sshd    49728 root  mem    REG                8,1    18424   3124 /usr/lib/x86_64-linux-

This will be a long list, but it will tell you where the program is located. We can see here that ours started in /usr/sbin/sshd .

Dealing with the malicious program

If you believe it is malicious, you can kill it with kill 49728 (replace this with the right PID). You can then remove the file's execution rights with chmod -x /usr/sbin/httpd.

That should stop it running for now, but it's worth making sure that it, or another start-up command that will recreate it, isn't set to run whenever you boot your server. For this, we can use the usual crontab -l and remove entries coming from your suspect folder by using crontab -e and deleting its entry.

That (hopefully) deals with this particular malicious program. But there could easily be more, which is why it's usually safest to just rebuild your server entirely. Check common folders such as /etc and /tmp/ and try to root out other suspicious processes using the steps above.

Once you're done, update your software and server to ensure they're patched against the latest vulnerabilities.

Scanning for malicious software with RKHunter

You should never 100% rely on automated tools for security, but RKHunter or other anti-virus software can be a good supplement to manual checks. RKHunter helps you to identify whether your server has a rootkit by checking for common variants in common locations. It will also check for malware by checking running processes for suspicious files, identifying login backdoors, searching for suspicious directories and apache behavior, checking for suspicious network port usage and system start-up files, etc.

It's important to understand that passing the test doesn't necessarily mean that you don't have a rootkit or malware just that RKHunter couldn't find any. There is a possibility that a malicious process is interfering with RKHunter's output or that it simply does not have the capability to detect the malware you have. Still, it is a useful time-saving tool for identifying common security issues and can be used to run regular precautionary scans.

First, install it:

sudo apt update
sudo apt install rkhunter -y

Now let's perform some configuration. Open the config file using nano:

sudo nano /etc/rkhunter.conf

Look for WEB_CMD="/bin/false" manually or by using the find function via Ctrl + W. Comment out the line by adding a # in front of it.

#WEB_CMD="/bin/false"

Find UPDATE_MIRRORS and set it to option 1:

UPDATE_MIRRORS=1

This will make RKHunter check the mirrors file for updates when we use the --update option later.

Also set MIRRORS_MODE to 0. This will allow RKHunter to use any mirror when looking for updates, rather than just local ones.

MIRRORS_MODE=0

Press Ctrl + O followed by Ctrl + X to save and exit. Double-check that you haven't made any typos by running sudo rkhunter -C. No output means your config file has passed the test.

Now you can update RKHunter's data files and run a check:

sudo rkhunter --update
sudo rkhunter --check

RKHunter will provide a helpful list of what it has checked for and whether it has found any issues. Once it has finished, you can view the full log by typing:

sudo nano /var/log/rkhunter.log

Should RKHunter find any suspicious files, use the process outlined above to remove its execution rights and perform other necessary actions, such as using rm to delete it.

Closing words

That about covers the basics of checking for malicious server activity in Linux, but there is obviously a lot more to it. If you are in doubt and using your VPS for important or sensitive tasks, pay a Linux security professional.

For additional help, BitLaunch customers can reach out to our support via live chat. Our support agents cannot diagnose the security issues of every customer's server, but they may be able to point you in the right direction.