If you don’t have any sort of security setup and you have not done any due diligence in basic linux security, the odds are you might be already hacked or will be in the near future. But how can you tell? The first thing you might notice is decrease in performance such as your own web pages are loading but not as rapidly as they did before. Your web control panel is less responsive then what it used to be. Your bandwidth usage has gone up significantly from the previous month. Your email usage has gone up where you are receiving strange email bounces. Your services such as Apache or MySQL seem to crash whereas they never did before. Of course easiest way to tell is if you get an email from your data center telling you that your machine is currently processing malicious attacks and is causing issues on their network.
If you notice anything such as the above you may want to do the following first:
1. Check your log history /var/logs
2. Compare your backup images
3. Check for unusual file dates, sizes and permissions (especially 777)
4. Check for unusual cronjobs that you haven’t setup.
5. Check for files that you knew should be there but are not anymore (delete logs is a good sign)
6. Do a simple search of your IP (or domain name) via Google: site:yourwebsite.com and see what comes up
7. Do a packet capture or simply watch the current processes that are running by utilizing “top” command via SSH
8. Check your databases, see if anything is there that it shouldn’t be.
I would highly suggest to do a quick backup (remote if possible), odds are if your server has been hacked its a matter of hours or even minutes before a data center shuts your server down. Therefore, before you start poking around, do a backup as soon as possible.
If you are unable to find the root of the cause, give us a shout and we will do a full search process to see if there is something malicious installed on your server.