I think my Linode is compromised. How can I tell?
If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:

– /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘last’ command to cross reference recent account logins with this file.
– /tmp : This directory is often used by malicious parties to store files
– Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
– ps aux : Use this command to audit running processes for foreign processes

Leave a Reply