Sometimes actions performed by the attacker on the server may affect its functionality. So its always advisable to check server’s security to avoid attack on the server. Always check the resources of server which might be affected.

You can check the CPU usage by firing top command and look for the application or scripts that consume your CPU

For strange processes you can check with ps -awux command.

Check /tmp directory and /var/tmp directory for scripts and binaries copied there.

The attacker might use the server to host IRC bot like psybnc or eggdrop which connects to port 6667 when a server is compromised . You can if any of your applications connect to that port with sockstat:

#sockstat | grep 6667

If there’s not much traffic on your server you could use netstat command to see if suspect connections are made.

#netstat -a

Install and run regularly an rootkit finder application (for e.g /usr/ports/security/rkhunter).

Look for the other open ports that you run other than the ones you use for your running services.

Bookmark This Post: