I think my server is being hacked. What should I do? [duplicate]

What makes you think that you are hacked? The logs show no indication to that.

They just show that someone tried to access some files that don't exist on your server.

And they show that you have a misconfigured webserver with a cgi module causing zombie processes and dying processes.


@Iain has commented that this was an automated scan, and I'm not sure off the top of my head if he's right or wrong, but I do think that it's worth being careful since nuking the site and rebuilding it is a tad bit laborious if this is just a scan.

First, do you have backups? If so you can try comparing your backup's /sbin and /bin and other directories' contents with your production environment to find changes.

Do you have file integrity checkers installed? It's useless after the fact if you've been hacked, but if you haven't, consider installing a system like tripwire or samhain. Properly configured, they can email you alerts when files are altered or there's suspicious activity. (NOTE: this takes maintenance. When you do updates to the system, update their databases accordingly.)

Check the system with chkrootkit and rkhunter.

Monitor your system for unusual network activity. Use programs like ntop; get statistics on your system's "normal" behavior so you know when something isn't right or should be looked into. Check for unusual open ports.

Scan your system with clamscan to see if that trips any unusual malware signs.

And if you don't have backups...start making them!

For the time being I'd google for similar behavior you see in the logs and see if others have posted about it and found it to be just a scan. If your system isn't acting funny and the malware scanning tools aren't finding anything you probably don't have to worry (although if it has been hacked, the paranoid response is to not trust your binaries...). If you installed through a distro that uses a packager, it may be possible to check your binaries against the packager to make sure everything matches...if the checksums match, you should be good.
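As an added example (not part of the answer above, and not a tool the answer mentions), the following POSIX shell script implements three of the checks it lists: comparing a backup copy of a directory against the live one by file hash, asking the package manager to verify installed files (debsums on Debian/Ubuntu, rpm -V on RPM-based systems), and listing listening sockets with their owning process. The script and its function names are mine; the path /mnt/backup/bin is a placeholder for wherever your backup is mounted.

```shell
#!/bin/sh
# Added example for the checks in the answer above (not code from the answer):
# 1) diff file hashes between a backup copy of a directory and the live one,
# 2) ask the package manager to verify installed files, 3) list listening sockets.
# Paths such as /mnt/backup/bin are placeholders you substitute for your own.

# hash_tree DIR: print "relative/path sha256" for every regular file under DIR,
# sorted by path in the C locale so two listings can be joined line by line.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) 2>/dev/null \
        | awk '{print $2, $1}' | LC_ALL=C sort -k 1,1
}

# compare_trees BACKUP LIVE: report files whose content differs between the two
# trees and files present on only one side. One finding per line:
#   "changed PATH", "only-in-backup PATH" or "only-in-live PATH"
# A binary that changed without a package update, or a file that appeared only
# on the live side, is what you then inspect by hand.
compare_trees() {
    b=$(mktemp) || return 1
    l=$(mktemp) || return 1
    hash_tree "$1" > "$b"
    hash_tree "$2" > "$l"
    LC_ALL=C join "$b" "$l"      | awk '$2 != $3 {print "changed " $1}'
    LC_ALL=C join -v 1 "$b" "$l" | awk '{print "only-in-backup " $1}'
    LC_ALL=C join -v 2 "$b" "$l" | awk '{print "only-in-live " $1}'
    rm -f "$b" "$l"
}

# verify_packages: re-check installed files against the package manager's own
# checksums. Debian/Ubuntu need the debsums package; RPM systems use rpm -V,
# where a '5' in the third column of the output means the digest differs.
verify_packages() {
    if command -v debsums >/dev/null 2>&1; then
        debsums -c                      # prints only files whose checksum changed
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Va | grep '^..5' || true   # no output means no digest mismatches
    else
        echo "no package verifier found (install debsums, or use rpm -Va)" >&2
        return 1
    fi
}

# list_listeners: show listening TCP/UDP sockets and the process behind each;
# compare the result against the services you expect on this host.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -tulpn; else netstat -tulpn; fi
}

# Stand-alone usage: sh check_host.sh /mnt/backup/bin /bin
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
    verify_packages
    list_listeners
fi
```

compare_trees deliberately reports files that exist only in the live tree: a new file in /bin or /sbin that no package update accounts for is exactly the kind of change the answer's file integrity checkers would have alerted on.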


I don't think you're being hacked, someone is just testing the locks. I would block 72.46.146.130 at your firewall (or via a local firewall), and then go about checking your locks yourself (look around here and over on Security.SE for advice).

You can lift the firewall rule later at your leisure. You may also want to contact the abuse folks at VersaWeb (contact info is in the Whois for the IP) and report the incident if you're feeling particularly helpful/pedantic.