Search Our Database

Identify potential attack in Linux server

Last updated on Sep 26,2024 |

under

by Louis

Introduction

If your server starts to respond slowly, or if a command unexpectedly consumes a large amount of resources, it could be a sign of an attack. This guide will help you identify if your server is under attack by following a few key steps.

Prerequisite

Root SSH access to the server.
Basic knowledge of Linux command-line interface.

Step-by-step guide

Step 1: SSH into the server

If you need guidance on how to SSH into your server, refer to this article.

Step 2: Check the server’s current condition

Run the following command to view the current processes and their resource usage:

top

Important Note: You can use this command to check the server’s load and identify which processes are causing high resource consumption.

Look for any suspicious processes that might be consuming an unusual amount of CPU or memory. For example, if you see a command like Q47Bs0 at the top of the list with high CPU usage, it could indicate malicious activity.

Step 3: Identify the process and its source

Once you’ve identified a suspicious process, note its Process ID (PID). You can then inspect the process further by running:

lsof -p <PID>

For example:

lsof -p 30971

This command will show the open files and network connections for the process, helping you identify the source of the suspicious activity.

Conclusion

By following these steps, you will be able to detect potential attacks on your server and take appropriate action.

For additional assistance or if you encounter any issues, please contact our support team at support@ipserverone.com.

Article posted by Louis on 23/04/2020.