How to find out if my server is compromised?

security linux forensics

I have a linux VPS and I received a complaint that my server was scanning on port 22 some other network. How do I find out if it was compromised or not?


I answered a question earlier today that has recommendations in this area:

Linux backdoors I should be wary of

If you suspect that it may have been one of your users and your default shell is bash, you can grep through the .bash_history. For example:

grep nmap /home/*/.bash_history

It's notable that your users can modify the history unless you've introduced methods to make it more difficult.

Related

SetEnvIfExpr with response header
Dedicated Server emails ending up in Junk
Kernel Errors Present: EXT4-fs
Is it possible to create a VPN link between AZURE VNET and AWS VPC?
How to redirect Https CONNECT Request with Squid Explicit Proxy
How to block loadbalancer forwarding to a specific path?
php5-fpm configuration pm - (node) Process manager settings nodes in more layman terms
Run shell script from Apache conf or at Apache (re)start
How to set up multitenant Route53 subdomains with parent domain not on Route53?
Unable to see Scheduled Task even with access rights to SYSTEM32\Tasks
CentOS 5.5 remote kickstart installation stalls at "Starting install process." How to debug?
HP RAID array - hpacucli