I have a linux VPS and I received a complaint that my server was scanning on port 22 some other network. How do I find out if it was compromised or not?
3 Answers
1
I answered a question earlier today that has recommendations in this area:
Linux backdoors I should be wary of
If you suspect that it may have been one of your users and your default shell is bash, you can grep through the .bash_history. For example:
grep nmap /home/*/.bash_history
It's notable that your users can modify the history unless you've introduced methods to make it more difficult.
0
Well, if you WERE scanning.... what is the doubt?
TomTom
- I'm not scanning dude. That is the problem lol – Mar 09 '10 at 22:15
- How do you know? Take a measurement from outside (firewall, router in front, whatever). – TomTom Mar 10 '10 at 06:13
0
You have to think outside the box. As in, you can't really trust what's inside the box.
For instance, get your provider to monitor outgoing traffic. Traffic you can't explain => assume the server has been compromised.
Get an image of the hard drive (extracted using trusted binaries) and run forensics.
alex
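As an added illustration of the "monitor outgoing traffic from outside the box" advice above (this is example code, not part of the thread): a small Python script that reads iptables-style LOG lines as a router or firewall in front of the VPS might record them, and flags any source that sent TCP SYNs to many distinct hosts on port 22. The log format, the addresses and the threshold of five targets are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output from a gateway in front of the VPS
# (hypothetical data; addresses come from the documentation ranges).
SAMPLE_LOG = """\
Mar 10 06:13:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=22 SYN
Mar 10 06:13:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.6 PROTO=TCP SPT=41235 DPT=22 SYN
Mar 10 06:13:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.7 PROTO=TCP SPT=41236 DPT=22 SYN
Mar 10 06:13:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.8 PROTO=TCP SPT=41237 DPT=22 SYN
Mar 10 06:13:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=41238 DPT=22 SYN
Mar 10 06:13:05 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41300 DPT=443 SYN
Mar 10 06:13:07 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.8 DST=192.0.2.20 PROTO=TCP SPT=50001 DPT=22 SYN
Mar 10 06:13:09 gw kernel: FWD IN=eth1 OUT=eth0 SRC=198.51.100.8 DST=192.0.2.20 PROTO=TCP SPT=50002 DPT=22 SYN
"""

# Fields we need from each line; the trailing part carries the TCP flags.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) (?P<flags>.*)$"
)

def outbound_syns(log_text, dport=22):
    """Yield (src, dst) for every TCP SYN to `dport` found in the log text."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != dport:
            continue
        if "SYN" not in m.group("flags").split():
            continue
        yield m.group("src"), m.group("dst")

def find_scanners(log_text, dport=22, min_targets=5):
    """Return {src: sorted distinct destinations} for each source that sent SYNs
    to at least `min_targets` distinct hosts on `dport`.  Many distinct targets on
    one port is the scanning signature; repeated SYNs to a single host is not."""
    targets = defaultdict(set)
    for src, dst in outbound_syns(log_text, dport):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} sent SYNs to {len(dsts)} distinct hosts on port 22: {', '.join(dsts)}")
```

A hit here tells you that the traffic really leaves the box, which is the measurement from outside that the answers above ask for; it says nothing about which process on the server produced it, so the disk-image forensics step still follows.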