Information Resources & Technology (IRT)

Find Out if Your Unix Server is Compromised

If you're running your own server, here are some things to keep regular track of. Any unusual activity might indicate that your server has been compromised.

Logs

You should monitor your logs both with an automated product, and manually, on occasion. This will give you early warning that something may be wrong.

File Changes

You can use file hashes of applications and system files to see whether any of them have changed. You can also compare files against a backup to see how they differ from a previous state. If you compare against a backup, use a slightly older one if you can, as the server may have been compromised earlier than you think.

Includes

The malicious content may not be a file on your server at all. It may be a script include such as <script src="http://baddomain.com/s.js" /> or an iframe-type tag that pulls content from elsewhere. Also examine images, PDFs, Flash (SWF) and video files: it is a fairly common trick to embed links in files of a different content type.

Unusual file dates, sizes and permissions

If permissions have been set to 777 (read, write and execute for the owner, the group and everyone else), that may be a sign of a break-in. Likewise, files that appear to have changed at strange times, or changed in size, deserve a closer look.

Check cron jobs for unusual jobs

Someone who compromises a system will often leave a back door so they can get back in again and again. If they got far enough to do so, cron is a very popular way to set one up.

Missing files

The absence of files may be a sign that someone has cleaned up after themselves.
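The file-change, permission, cron and missing-file checks above, as an added shell script that is not part of this IRT page. It assumes sha256sum (or shasum) and POSIX find, sort and awk, and the crontab paths are the usual Linux locations.

```shell
#!/bin/sh
# Added example (not from the IRT page): baseline-and-compare checks for the
# "File Changes", "Unusual file dates, sizes and permissions", cron and
# "Missing files" items above. Assumes sha256sum or shasum, plus POSIX find/sort/awk.

hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# hash_tree DIR -> "<sha256>  ./relative/path" lines, sorted by path. Run it once on
# a known-good tree (or a restored backup) and keep the output where the server
# itself cannot alter it, e.g. on another host; a baseline the intruder can rewrite is useless.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_cmd "$f"; done )
}

# compare_baseline BASELINE_FILE DIR -> prints one CHANGED/ADDED/MISSING line per
# difference; returns 1 if any were found, 0 when the tree matches the baseline.
compare_baseline() {
    hash_tree "$2" | awk -v base="$1" '
        BEGIN { bad = 0; while ((getline line < base) > 0) old[substr(line, 67)] = substr(line, 1, 64) }
        { hash = substr($0, 1, 64); path = substr($0, 67); seen[path] = 1
          if (!(path in old))         { print "ADDED   " path; bad = 1 }
          else if (old[path] != hash) { print "CHANGED " path; bad = 1 } }
        END { for (p in old) if (!(p in seen)) { print "MISSING " p; bad = 1 }
              exit bad }'
}

# find_world_writable DIR -> files or directories anyone can write to (mode 777 is the
# classic sign). Symlinks are skipped because their own mode bits are meaningless.
find_world_writable() {
    find "$1" -perm -0002 ! -type l
}

# recently_modified DIR DAYS -> regular files changed within the last DAYS days; compare
# the dates against your own deployments and package updates.
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# list_cron -> every non-comment line of the system and per-user crontabs, prefixed with
# its file, so an unexpected job stands out. Paths are the usual Linux locations.
list_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|$f: |"
    done
}
```

Generate the baseline with `hash_tree /var/www > baseline.txt` while the server is known good, then run `compare_baseline baseline.txt /var/www` from cron or by hand; a non-zero exit status means something differs.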

Updated or queried database records

Check database records that may have been queried or updated. Malicious code or data could have been injected into the database rather than into the PHP code.

Search engines

If you have a specific bad actor in mind, use a search engine to look for clues. Use directives like site:, e.g. site:yoursitehere.com baddomain.com, and see whether you get any hits.


What to do if compromised:

If you think your server has been compromised, it qualifies as a security incident, and the University should be notified. Follow the steps outlined here: Reporting a Security Incident.
