How to Detect If Your UNIX Server Has Been Compromised: 11 Practical Checks
This guide walks through eleven hands‑on techniques for uncovering UNIX or Solaris intrusions, from inspecting password files and processes to verifying daemon configurations, network sockets, logs, core dumps, hidden files, file integrity, kernel modules, and the limits of manual detection versus IDS solutions.
1. Check the system password file
Start with the obvious: view /etc/passwd and note its modification date using ls -l /etc/passwd. Identify privileged accounts (UID 0) and look for any accounts with empty passwords.
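The two checks in step 1, as an added example that is not part of the original article: a small POSIX shell audit that lists extra UID 0 accounts and accounts with an empty password field. The file path is a parameter; the sample passwd file below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd-format file
# for extra UID 0 accounts and accounts whose password field is empty.
# Pass /etc/passwd (or a saved copy) as the argument on a real host.

# Print user names whose UID field (field 3) is 0; anything besides root is suspicious.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print user names whose password field (field 2) is empty, i.e. no password required.
# On systems that use /etc/shadow, run the same check against the shadow file too.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample passwd file: "toor" is an extra UID 0 account and
# "guest" has an empty password field.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/tmp:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/sh
EOF

echo "UID 0 accounts:"
uid0_accounts "$SAMPLE"
echo "Empty-password accounts:"
empty_password_accounts "$SAMPLE"
```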
2. Examine running processes for anomalies
Search for suspicious processes, e.g., ps -aef | grep inetd. A legitimate inetd normally has a low PID because it starts at boot; an entry like inetd -s /tmp/.xxx indicates a possible backdoor. Kill suspicious processes with kill -9 <pid> and verify they do not respawn. Use find / -name <program_name> -print to locate the originating files.
3. Inspect daemon configuration files
Review /etc/inetd.conf (or the equivalent on Solaris) with cat /etc/inetd.conf | grep -v "^#" to see which remote services are enabled. Attackers may replace binaries such as in.telnetd to create a password‑less root shell.
4. Check network connections and listening ports
Run netstat -an to list all connections and listening ports and spot illegal ones.
Run netstat -rn to verify routing and gateway settings.
Run ifconfig -a to examine network‑interface configurations.
5. Review system logs
Use last | more to see login history. Verify that the syslog daemon is running and its start time is normal, because attackers often stop syslog to hide activity. Examine log directories (/var/log on Linux, /var/adm on Solaris) and check the integrity and timestamps of wtmp, utmp, and related files.
6. Search for core dump files
Attackers may generate core files after exploiting services. Locate them with find / -name core -exec ls -l {} \; and investigate the directories for signs of compromise.
7. Look for .rhosts and .forward backdoor files
Globally search for these files:
find / -name ".rhosts" -print
find / -name ".forward" -print
If a .rhosts file contains only "+" entries, anyone can log in via the rlogin (port 513) service without authentication. Malicious .forward entries can execute arbitrary commands when mail is processed.
8. Verify system file integrity
Compare file hashes or package signatures. On Linux, use rpm -V $(rpm -qf <file>) or md5sum <file> (options -b, -c, -t) to detect tampering. Pay special attention to critical binaries such as /bin/login, daemon binaries referenced in inetd.conf, and /etc/crontab. Also search for setuid files (find / -perm -4000 -print; note the leading minus, since -perm 4000 matches only files whose mode is exactly 4000) that could grant a root shell.
9. Inspect kernel modules for hidden backdoors
List loaded modules with lsmod (Linux) or modinfo (Solaris). Attackers may hide modules (e.g., knark) or remove them from /proc/modules. Examine the /proc directory for suspicious entries and use tools to detect hidden modules.
10. Limitations of manual intrusion detection
Manual methods are host‑centric, cannot see network‑level attacks, require up‑to‑date vulnerability knowledge, react only after an incident, and often miss coordinated exploits or zero‑day attacks.
11. Comparing intrusion detection systems (IDS)
Effective security combines a robust IDS with skilled administration. Some commercial tools (e.g., RealSecure) have false‑positive/negative issues, may be targeted by attackers, and can become a single point of failure if the IDS itself is compromised.