How to find out if your Linux machine has been hacked ?

August 26, 2007
It is very rare that your Linux PC which you use as a Desktop will get compromised especially if you do not run any services like a web server, mail server and so on. More over many modern Linux distributions like for example Ubuntu, targeted at the end user ship with all the ports closed by default. And others like PCLinuxOS bundles with it a robust firewall. So it makes the job of an intruder all the more harder to crack into your machine.

But suppose after all the precautions you take, some resourceful cracker succeeds in finding a loophole and hacks into your machine, how do you detect that your machine has been compromised in the first place?

Lars has written a step-by-step process by which he ascertains that a Linux server run by his friend has been compromised by an intruder. His findings throw light on what you can expect and the steps to take when you are suspicious of getting your machine rooted.

The server was running a fairly updated Ubuntu 6.06 LTS. He goes on to conclude that the compromise could have been caused by :
  1. An exploit unknown to the public.
  2. A user accessing this server from an already compromised host. The attacker could then sniff the the password.
Read this very interesting article which throws some light on the actions of a hacker.