What I Do the Moment I Suspect My Ubuntu Server Has Been Compromised
Intro
No Linux system is bulletproof. No matter how tight your firewall rules are, attackers keep evolving. So when something feels “off” — a strange process, high CPU usage, a weird cron job — I don’t wait; I act immediately. This is my step-by-step process when I suspect a breach on my Ubuntu (or Red Hat) server.
1. Disconnect the Network (If Needed)
If the behavior seems actively malicious (like outbound connections or heavy CPU usage), I immediately isolate the system.
sudo ip link set eth0 down
Or, if you’re remote (taking the interface down would also drop your own SSH session):
sudo ufw deny out from any to any
This only takes effect if ufw is enabled (check with sudo ufw status). It blocks new outbound connections while already established ones, such as your SSH session, keep working.
🛑 Why? To stop data exfiltration or command-and-control callbacks.
2. Snapshot Everything
Before I reboot, I collect evidence: a reboot wipes the volatile state (running processes, open connections) that matters most.
- Copy /var/log/syslog, /var/log/auth.log, /var/log/nginx/ or /var/log/httpd/
- Copy the crontab: crontab -l, /etc/cron*
- Capture running processes:
ps aux --forest > /tmp/ps_tree.txt
- List current connections:
ss -tunap > /tmp/open_connections.txt
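The evidence-collection steps above as one script, an added bash example that is not code from the original post: collect_evidence copies the listed paths, captures the volatile state (process tree, sockets, crontab) and writes a SHA-256 manifest; verify_evidence checks that manifest later so you can show the copies were not altered. The function names and the output layout are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example for the "Snapshot Everything" step; it is not code from the
# original post. It copies the log and cron paths that exist, records the
# volatile state the post lists (process tree, sockets, crontab), and writes
# a SHA-256 manifest so the copies can later be shown to be unaltered.
# Assumes GNU find/sort/cp and sha256sum (shasum as fallback); ps, ss and
# crontab are simply skipped when not installed.
set -u

# collect_evidence DEST PATH...  copies each PATH under DEST/files; 0 on success
collect_evidence() {
    local dest=$1; shift
    local files="$dest/files"
    mkdir -p "$files" || return 1

    # 1. Copy each requested file or directory, keeping mode and mtime.
    for src in "$@"; do
        if [ -e "$src" ]; then
            mkdir -p "$files$(dirname "$src")"
            cp -a "$src" "$files$(dirname "$src")/" 2>/dev/null \
                || echo "copy failed: $src" >> "$dest/errors.txt"
        else
            echo "missing: $src" >> "$dest/errors.txt"
        fi
    done

    # 2. Volatile state is lost on reboot, so capture it before anything else.
    { command -v ps >/dev/null && ps aux --forest > "$dest/ps_tree.txt"; } 2>/dev/null || :
    { command -v ss >/dev/null && ss -tunap > "$dest/open_connections.txt"; } 2>/dev/null || :
    { command -v crontab >/dev/null && crontab -l > "$dest/crontab_user.txt"; } 2>/dev/null || :
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dest/collected_at.txt"

    # 3. Hash every collected file; copy the manifest off-box right away.
    local hasher="sha256sum"
    command -v sha256sum >/dev/null || hasher="shasum -a 256"
    (cd "$dest" && find . -type f ! -name manifest.sha256 -print0 | sort -z \
        | xargs -0 $hasher) > "$dest/manifest.sha256"
}

# verify_evidence DEST  returns 0 only while every file still matches the manifest
verify_evidence() {
    local hasher="sha256sum"
    command -v sha256sum >/dev/null || hasher="shasum -a 256"
    (cd "$1" && $hasher -c --quiet manifest.sha256 >/dev/null 2>&1)
}

# Stand-alone use on a live box (needs sudo to read the real logs):
# collect_evidence "/tmp/evidence-$(date +%s)" /var/log/syslog /var/log/auth.log /etc/cron.d
```

Store the manifest (or at least its hash) somewhere the attacker cannot reach before you touch the box again.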