Archive for June 2008

Searching for traces of an attack

In the era of globalization and technological progress, it happens more and more often that a Linux computer is chosen as the target of an attack. Although a correctly configured Linux system is very secure, a system that is not kept up to date with security updates, or that is configured incorrectly, can be taken over and misused by attackers for their own, mostly illegal, purposes.
Unfortunately, I have felt such an attack on my own skin. It is very important to understand how the attacker gained access to the system, and for this you need to analyse the logs after the attack. But I must mention here that really good attackers hide their tracks, and it is damned difficult to detect them. Anyway, if you notice that your system behaves strangely (high network traffic, inbound and outbound; hard drives working constantly, which slows the machine down), it is best to isolate the system temporarily and examine it.
The first places to look are the log files in /var/log and in /root. Do not forget that you need root privileges to read most of them. The syslog messages are especially important: there you will find, for example, the connections blocked by iptables (provided your firewall rules include a LOG target), and who logged in to the system and when. Services such as Samba, Telnet or SSH write their messages to these logs as well.
With the help of /etc/passwd you can see all the users that exist on the system, and check whether the attacker created an additional user in order to log in later (a backdoor). In /root/.bash_history you will find the commands root entered in the console; bear in mind that the history is only written when the shell exits, and an attacker can simply unset HISTFILE or truncate the file. Some attackers try to remove their tracks by deleting log files entirely, or by editing them to remove the lines that record their actions. So check whether the log files still exist, and whether they contain suspiciously large time gaps.
With commands such as who and last you can check who is currently logged in and who has worked on the system recently; lastb shows failed login attempts. Note that last reads /var/log/wtmp, which an attacker can edit like any other log, so treat its output with the same suspicion.
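Putting the checks above together, as an added example that is not from the original post: a small POSIX shell script that (1) lists the accounts able to log in and flags any second UID-0 account in a passwd file, (2) reports time gaps in a syslog-format file, and (3) reports log files that are missing or empty. It runs here against constructed sample files in a temporary directory (the passwd entries, the hostname srv, the log lines and the addresses are all made up); on a real system you would point the functions at /etc/passwd, /var/log/messages, /var/log/auth.log and /root/.bash_history, as root, after isolating the machine.

```shell
#!/bin/sh
# Added example, not part of the original post: three triage checks for
# the steps above. Paths are parameters, so the script runs here against
# constructed sample files; on a real (isolated) system call the functions
# as root with /etc/passwd, /var/log/messages and /root/.bash_history.
set -eu

# 1. Accounts that can log in. A second UID-0 account is a classic
#    backdoor; every account with a real login shell deserves a look.
suspicious_accounts() {   # $1 = passwd file
  awk -F: '
    $3 == 0 && $1 != "root"   { print "uid0:" $1 }
    $7 !~ /(nologin|false)$/  { print "shell:" $1 }
  ' "$1"
}

# 2. Time gaps in a syslog-format file ("Mon DD HH:MM:SS host ..."). A gap
#    longer than $2 seconds means the logger was stopped or lines were
#    removed. Timestamps become approximate seconds without the year, so a
#    gap across New Year is mis-measured (acceptable for triage).
log_gaps() {   # $1 = log file, $2 = threshold in seconds
  awk -v limit="$2" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    {
      split($3, t, ":")
      now = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      if (NR > 1 && now - prev > limit)
        printf "gap of %d s before line %d (%s %s %s)\n", now - prev, NR, $1, $2, $3
      prev = now
    }
  ' "$1"
}

# 3. Logs that should exist and be non-empty. A missing or emptied log is
#    itself a finding.
missing_logs() {   # $@ = expected log files
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      echo "missing:$f"
    elif [ ! -s "$f" ]; then
      echo "empty:$f"
    fi
  done
}

# ---- constructed sample data (not real files) ---------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
EOF

# Note the 6.5 h hole between 03:12 and 09:45, and the jump to the next day.
cat > "$SAMPLE_DIR/messages" <<'EOF'
Jun 14 03:12:01 srv sshd[2345]: Accepted password for root from 192.0.2.10 port 4410 ssh2
Jun 14 03:12:05 srv kernel: IPT DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=23
Jun 14 09:45:30 srv CRON[2601]: (root) CMD (run-parts /etc/cron.hourly)
Jun 15 01:00:02 srv sshd[2990]: Accepted password for root from 192.0.2.10 port 4411 ssh2
EOF
: > "$SAMPLE_DIR/auth.log"    # present, but emptied

echo "== accounts ==";      suspicious_accounts "$SAMPLE_DIR/passwd"
echo "== gaps > 1 h ==";    log_gaps "$SAMPLE_DIR/messages" 3600
echo "== missing/empty =="; missing_logs "$SAMPLE_DIR/messages" \
                                         "$SAMPLE_DIR/auth.log" \
                                         "$SAMPLE_DIR/.bash_history"
```

On the sample data the account check reports the extra UID-0 user toor, the gap check reports the two holes in the log (23605 s and 54872 s), and the file check reports the emptied auth.log and the missing .bash_history. The gap threshold is deliberately a parameter: on a busy server an hour of silence is suspicious, on an idle one it is normal, so pick it from what the machine usually logs.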
As a small tip, I would recommend the program logwatch. It consolidates the logs into a daily report and sends it to your e-mail address.