Was your Linux server hacked? Here's how to find out


Last updated: 15 May 2024

Was your Linux server hacked? If you think someone has managed to break in, it is very important to react quickly. Checking which files have changed recently gives you clues about what the intruder did and helps you fix the situation.

This guide shows you how to find files that an intruder has modified on a Linux server. We'll walk you through simple commands and tools to see which files have been modified recently.

Identify files modified by a hacker on a Linux server

There is a quick and effective way to identify files that have been modified suspiciously on your Linux server.

You can start by listing all files modified in a specific directory in the last two days, using the find command:

find /path/to/directory -type f -mtime -2 -print | more

However, this command requires examining each directory individually. For a global search across the entire server, use the following command instead:

find / -not -path '/sys*' -not -path '/dev*' -not -path '/proc*' -mmin -30

This command excludes the /sys, /proc and /dev pseudo-filesystems and lists the files modified in the last 30 minutes.

To go further in analyzing suspicious files, you can also use options such as -user, which filters files by the user who owns them, and -perm, which identifies files with particular permissions (setuid bits or world-writable files, for example). Unexpected permission changes can also indicate an intrusion.

It is also recommended to integrate these checks into scripts that cron runs at regular intervals.

Finally, to better understand and react to the changes you detect, install an advanced monitoring tool such as auditd, which provides detailed tracking of activity on system files.
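As an added example (this is not code from the original article), the find checks above, the cron-friendly report and the auditd rules are gathered into a few shell functions and exercised against a constructed scratch tree. It assumes GNU find (-mmin, -cmin and -not are GNU extensions); the cron schedule, the audit key name file_changes and the scratch files are illustrative. One caveat the article does not spell out: an intruder can reset a file's mtime with touch, so the example also sweeps on ctime, which the kernel updates on every metadata change and which a plain touch cannot backdate.

```shell
# Added example, not code from the original article: the article's find-based
# checks as small shell functions, plus a cron-friendly report and an auditd
# rule generator. Paths, the audit key and the scratch tree are constructed.

count_lines() { wc -l | tr -d ' '; }

# Regular files whose content (mtime) changed in the last N minutes, skipping
# the pseudo-filesystems the article excludes.
recent_files() {
    find "$1" -not -path '/sys*' -not -path '/dev*' -not -path '/proc*' \
         -type f -mmin "-$2" 2>/dev/null
}

# Same sweep keyed on ctime (inode change time). touch can backdate mtime,
# but ctime is set by the kernel on every metadata change, so a file whose
# mtime was reset still shows up here.
recent_by_ctime() {
    find "$1" -not -path '/sys*' -not -path '/dev*' -not -path '/proc*' \
         -type f -cmin "-$2" 2>/dev/null
}

# Regular files owned by a given user (the article's -user filter).
files_owned_by() { find "$1" -type f -user "$2" 2>/dev/null; }

# Setuid, setgid or world-writable regular files (the article's -perm filter).
risky_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) 2>/dev/null
}

# One finding per line, suitable for a cron job such as (illustrative):
#   */30 * * * * root /usr/local/sbin/recent-changes.sh / 30 >> /var/log/recent-changes.log
report() {
    recent_files "$1" "$2" | sed 's/^/mtime /'
    recent_by_ctime "$1" "$2" | sed 's/^/ctime /'
    risky_perms "$1" | sed 's/^/perm  /'
}

# Emit auditd watch rules (-w path -p wa -k key) for the given directories.
# Placed in a file under /etc/audit/rules.d/ they log every write or
# attribute change to those paths. Key name file_changes is an assumption.
audit_watch_rules() {
    for p in "$@"; do
        printf '%s\n' "-w $p -p wa -k file_changes"
    done
}

# Constructed scratch tree so the functions can be demonstrated offline:
# one backdated config file, one fresh web file, one setuid helper.
make_scratch_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/www"
    echo 'old' > "$d/etc/old.conf";     chmod 644 "$d/etc/old.conf"
    touch -t 202001010000 "$d/etc/old.conf"   # mtime backdated; ctime is now
    echo 'new' > "$d/var/www/page.php"; chmod 644 "$d/var/www/page.php"
    echo 'x'   > "$d/var/www/helper";   chmod 4755 "$d/var/www/helper"
    echo "$d"
}

# Run with --demo to see the report on the scratch tree; on a real host call
# e.g. "report / 30" from the cron script instead.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_scratch_tree)
    report "$t" 60
    audit_watch_rules /etc /usr/bin /usr/sbin
    rm -rf "$t"
fi
```

In the demo, old.conf is absent from the mtime sweep but present in the ctime sweep, which is exactly the discrepancy worth flagging when reviewing a possibly compromised host: a file whose ctime is recent but whose mtime is old has had its timestamps tampered with or its metadata changed.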

Don't forget that the best way to support our platform is to share our tutorials! 😉