Troubleshooting a hacked server

It is an unfortunate fact of life that web servers get hacked, through many different vectors including outdated scripts, compromised CMS platforms, weak passwords and many, many others. In such situation, you may receive an abuse notification via email requesting that action be taken to stop outbound abusive behaviour from being carried out on your server.

First, let's grab a list of all processes running on the server, along with all of their gory details:

/bin/ps axfwwwe -eo ppid,pid,uid,cmd --sort=ppid

Usually this gives enough clues to find out the cheeky culprit, allowing you to begin killing processes (kill -9 XXX, etc) and deleting or moving the hacked files. If you're struggling and know that there is abusive behaviour occurring at this very moment, grabbing a list of all open files will give some extra insight:

/usr/sbin/lsof -Pwn

And finally, for that extra confirmation, we can use netstat to verify all currently active network connections which will give you the concrete evidence to find which processes are behaving badly:

/bin/netstat -anpe

Hopefully this  helps you on your sysadmin cleanup journey!


  • linux, hacked, process list, processes, outbound, spam, hacking, ftp, ssh, smtp, forum spam, brute force
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How to resize LVM partitions

Sometimes when users install their operating systems from ISOs manually, they choose to install...

Archiving old content (tar gzip)

In this article we'll explain how and why you should archive your old content - particularly...

Choosing the best DNS resolvers for a server

Customers often ask us what we'd recommend they use as DNS resolvers on their server. This...

Speed up & secure cloud servers with more Entropy

In Linux, Entropy refers to randomness that is generated by a virtual random number generator,...