How to Detect and Recover from a Linux Server Intrusion: Step‑by‑Step Guide
This article walks through a real‑world Linux server breach, detailing the observed symptoms, investigative commands, hidden malicious scripts, file‑locking tricks, and a comprehensive remediation process that includes tightening security groups, strengthening passwords, monitoring critical files, and restoring compromised system utilities.
1. Server Intrusion Symptoms
A friend's website server showed sustained 100% CPU usage, high load, and service outages. The ps and top binaries had been replaced, indicating a possible compromise.
2. Investigation and Remediation
2.1 Possible Causes
Weak SSH password.
Overly permissive cloud security group.
Simple password on the Baota control panel.
2.2 Investigation Steps
Identify the process consuming the most resources: ps -ef / top
Check login records for foreign IPs: last, or grep 'Accepted' /var/log/secure:
[root@VM-12-12-centos ~]# grep 'Accepted' /var/log/secure
Aug 26 21:51:37 VM-12-12-centos sshd[19822]: Accepted password for root from 34.215.138.2 port 36720 ssh2
... (additional log lines) ...
Block the offending SSH IPs in the cloud security group.
Reset the root SSH password.
Back up and clear /root/.ssh/authorized_keys:
[root@VM-12-12-centos ~]# cp -rp /root/.ssh/authorized_keys /root/.ssh/authorized_keys.bak
cp: cannot create regular file ‘/root/.ssh/authorized_keys.bak’: Permission denied
(root being denied write access here is consistent with the file-locking trick, an immutable attribute set with chattr, described below.)
Lock newly created users, e.g., usermod -L sys1.
Inspect cron jobs; many were hidden or obfuscated. The attacker used crontab -e and files under /etc/cron.d/ to schedule malicious scripts.
Identify and remove malicious scripts such as the persistent /.Recycle_bin/_bt_etc_bt_.sftp_bt_.sh_t_1661768469.9859464 which repeatedly kills security tools and modifies /etc/ld.so.preload.
#!/bin/sh
while test 1 = 1; do
sleep 30
pkill -f main
... (many kill commands) ...
echo /usr/local/lib/libprocesshider.so > /etc/ld.so.preload
lockr +ai /etc/ld.so.preload >/dev/null 2>&1
...
done
The lockr command used here appears to be a renamed chattr: +ai sets the append-only and immutable attributes, so the file cannot be overwritten until those attributes are removed.
Clear /etc/ld.so.preload and delete the malicious shared library /usr/local/lib/libprocesshider.so.
Restore locked system utilities ( ps, top, chattr, lsattr) by copying them from an identical clean machine and unlocking with chattr -ia <file>.
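The triage steps above (summarizing successful logins from /var/log/secure, checking what /etc/ld.so.preload injects, and spotting files the attacker locked with the immutable or append-only attribute) can be scripted. The following shell helpers are an added example, not code from the original article or its author; the sample log lines, the lsattr output and the allowlist are constructed for illustration, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): triage helpers for the
# investigation steps. All sample data below is constructed.

# Constructed sample of sshd lines in the /var/log/secure format quoted above.
SAMPLE_SECURE_LOG='Aug 26 21:51:37 VM-12-12-centos sshd[19822]: Accepted password for root from 34.215.138.2 port 36720 ssh2
Aug 26 21:52:01 VM-12-12-centos sshd[19830]: Failed password for root from 34.215.138.2 port 36800 ssh2
Aug 26 22:10:12 VM-12-12-centos sshd[20011]: Accepted password for root from 34.215.138.2 port 40120 ssh2
Aug 27 09:03:44 VM-12-12-centos sshd[21450]: Accepted publickey for root from 203.0.113.10 port 51234 ssh2
Aug 27 09:15:02 VM-12-12-centos sshd[21500]: Accepted password for sys1 from 198.51.100.7 port 43210 ssh2'

# Constructed sample of `lsattr` output (attribute field, then path).
SAMPLE_LSATTR='----i--------e-- /usr/bin/ps
-----a-------e-- /etc/ld.so.preload
-------------e-- /usr/bin/ls'

# accepted_logins: read sshd log text on stdin and print "count user ip"
# for every successful login, most frequent (user, ip) pair first.
# Failed attempts are ignored on purpose; the question is who got in.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            count[user " " ip]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# unknown_sources ALLOWLIST: same as accepted_logins, but drop source IPs
# listed one per line in ALLOWLIST. Whatever remains needs an explanation.
unknown_sources() {
    allow="$1"
    accepted_logins | while read -r n user ip; do
        grep -qxF "$ip" "$allow" || echo "$n $user $ip"
    done
}

# preload_entries FILE: print the non-empty, non-comment lines of an
# ld.so.preload file. On a clean host the file usually does not exist; any
# library listed is loaded into every dynamically linked process, which is
# how libprocesshider.so hides the miner from ps and top.
preload_entries() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*$' "$1" | grep -v '^#' || true
}

# locked_files: read `lsattr` output on stdin and print paths whose attribute
# field contains the immutable (i) or append-only (a) flag, i.e. what the
# attacker's "lockr +ai" left behind and what "chattr -ia" undoes.
locked_files() {
    awk '$1 ~ /[ia]/ { print $2 }'
}
```

On a real host the functions are fed with grep 'Accepted' /var/log/secure, /etc/ld.so.preload, and lsattr over /usr/bin and /etc; run them from a clean, statically linked toolset or a rescue system, because a preloaded library can also lie to the utilities doing the checking.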
Key Commands Used
ps -ef / top
last / grep 'Accepted' /var/log/secure
crontab -l
cat /etc/rc.local
chattr -ai /usr/bin/chattr
3. Lessons Learned
Restrict cloud security groups to the minimum necessary ports and IPs.
Use strong, complex passwords for SSH and any management panels.
Monitor critical files (e.g., /etc/passwd, /etc/shadow, /etc/ld.so.preload) for unexpected changes, preferably with hash‑based alerts.
Regularly audit cron jobs, startup scripts, and loaded shared libraries.
If system binaries are locked, copy clean versions from a trusted host and unlock them with chattr -ia.
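A minimal hash-based change monitor for the critical files named above, as an added example that is not part of the original article: it records sha256 digests into a baseline and later reports files that were modified, removed, or appeared without a baseline entry (the last case matters for /etc/ld.so.preload, which should not exist on a clean host). The file list and paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): hash-based change detection
# for critical files. Paths are illustrative; point it at /etc/passwd,
# /etc/shadow, /etc/ld.so.preload and the binaries you rely on.

# baseline_create BASELINE FILE...: write one "digest  path" line per file.
# A file that does not exist yet is recorded as "absent" so that its later
# appearance is reported as a deviation too. Paths must not contain spaces.
baseline_create() {
    base="$1"; shift
    : > "$base"
    for f in "$@"; do
        if [ -e "$f" ]; then
            sha256sum "$f" >> "$base"
        else
            printf 'absent  %s\n' "$f" >> "$base"
        fi
    done
}

# baseline_verify BASELINE: print one line per deviation
# ("MODIFIED path", "MISSING path", "APPEARED path") and return 1 if any
# deviation was found, 0 otherwise, so it can drive an alert from cron.
baseline_verify() {
    base="$1"
    status=0
    while read -r digest path; do
        if [ "$digest" = "absent" ]; then
            if [ -e "$path" ]; then echo "APPEARED $path"; status=1; fi
        elif [ ! -e "$path" ]; then
            echo "MISSING $path"; status=1
        else
            now=$(sha256sum "$path" | awk '{print $1}')
            if [ "$now" != "$digest" ]; then echo "MODIFIED $path"; status=1; fi
        fi
    done < "$base"
    return $status
}
```

Keep the baseline file off the monitored host (or at least on read-only media) and re-create it only after an intentional change; an attacker who can rewrite the baseline can silence the alert, and one who can lock files with chattr +i can also block the rewrite, so a failure to update the baseline is itself worth an alert.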
Following these steps helped recover the compromised server and provided a checklist for future incident response.
MaGe Linux Operations