
I am wondering what the general steps are in retrospect for trying to find out how one ends up being hacked.

A couple of times I have had Linux servers that ended up being hacked. I noticed this in various ways. Last time just simply by seeing the CPU being stuck at 100% and then slowly backtracking from that executable until I found a script in /tmp that downloaded a Monero miner. Just recently a friend of mine got hacked as well; a reasonably well-patched Ubuntu 20.04. I found it impossible to get rid of the self-modifying "virus" that managed to recreate itself whenever it got killed under a new name, and I could not find a single trace of how it got there or what the exe actually did by examining logs in /var and looking around.

I'm pretty confident that none of the hacks got in using brute-force logon attacks. SSH was locked down to only allow known public keys. The last server did expose an Apache install on port 80, so that might be one likely entry point, given its history of buffer overflow bugs. But I have no idea how to find out/verify what happened. I snapshotted an infected system, but where to go from there?

oligofren
  • Does this answer your question? [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – nobody Aug 23 '21 at 08:17
  • You've asked a question with a library for an answer. There is no way to answer such a general question on a Q&A site. It's like asking "how do I program?" You've used the right tag, though. You want to look at "system forensics" and that will point you to the right section of the library. – schroeder Aug 23 '21 at 08:23
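The first step the question describes, backtracking from the CPU-hogging process to whatever started it, can be scripted against /proc. The following is an added example (not from the question or the comments): it snapshots the process tree, walks the parent chain from a suspicious PID, and flags an unlinked binary, execution from a scratch directory, and ancestors that typically mark the entry vector. The function and constant names are my own, and `SAMPLE_TREE` is a constructed stand-in for a live snapshot.

```python
import os
from collections import namedtuple

# One process as the /proc walk records it; exe keeps the " (deleted)" suffix readlink reports.
Proc = namedtuple("Proc", "pid ppid comm exe cwd")
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")          # scratch dirs real daemons don't run from
ENTRY_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "cron", "sshd", "sh", "bash"}  # usual entry vectors

def read_proc_tree():
    """Snapshot a live /proc (Linux only; run as root to see other users' exe/cwd) into {pid: Proc}."""
    tree = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid, fields = int(name), {}
        try:
            with open(f"/proc/{pid}/status") as f:           # lines look like "Name:\tbash", "PPid:\t1"
                fields = dict(l.rstrip("\n").split(":\t", 1) for l in f if ":\t" in l)
            exe, cwd = os.readlink(f"/proc/{pid}/exe"), os.readlink(f"/proc/{pid}/cwd")
        except OSError:                                      # process exited, kernel thread, or not root
            exe = cwd = "?"
        tree[pid] = Proc(pid, int(fields.get("PPid", 0)), fields.get("Name", "?"), exe, cwd)
    return tree

def ancestry(tree, pid):
    """Walk parent links from pid towards pid 1; the seen-set guards against a cyclic snapshot."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    return chain

def triage(tree, pid):
    """Backtrack from a suspicious pid and list what to follow up in the logs, nearest process first."""
    findings = []
    for p in ancestry(tree, pid):
        if p.exe.endswith(" (deleted)"):
            findings.append(f"pid {p.pid} ({p.comm}): binary unlinked; copy /proc/{p.pid}/exe before killing it")
        if p.exe.startswith(SUSPECT_DIRS) or p.cwd.startswith(SUSPECT_DIRS):
            findings.append(f"pid {p.pid} ({p.comm}): runs from a scratch dir, exe={p.exe} cwd={p.cwd}")
        if p.comm in ENTRY_PARENTS:
            findings.append(f"pid {p.pid} ({p.comm}): candidate entry vector; check its logs around start time")
    return findings

# Constructed sample (not real data): an Apache worker spawned a shell that ran a miner from /tmp.
SAMPLE_TREE = {
    1: Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", "/"),
    812: Proc(812, 1, "apache2", "/usr/sbin/apache2", "/"),
    4410: Proc(4410, 812, "sh", "/usr/bin/dash", "/var/www/html"),
    4411: Proc(4411, 4410, "miner", "/tmp/.x/miner (deleted)", "/tmp/.x"),
}
```

On the affected box, `triage(read_proc_tree(), pid)` gives the same list for a live process; take the snapshot before killing anything, since the chain and the unlinked binary disappear with the process.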

0 Answers