Important commands to rescue hacked servers.

May 15, 2017 | Linux, Security, Web development

This post will give you a boost in tracing the trails of your server intruder. You can also use it as a reference for your periodic server health checks. It is a very important article for server security specialists, white hats and developers in general.

Running processes


In top, use Shift-M to sort processes by the memory column (very important to detect DDoS attacks).

Use Shift-P to sort processes by the CPU column (very important to detect DDoS attacks).

Use c (the C key, without Shift) to view full paths of running processes (very important to detect where malicious shells were uploaded).

Please note that the top command will only show currently running processes.


ps reports a snapshot of the current processes.

ps aux

Report all processes from all users

ps ax -O psr,etime

Report all processes and add 2 columns (Core serving this process and Elapsed time)

For more columns check “man ps”

Files modified within x days / x minutes

find . -mmin -60 -type f

Finds regular files (-type f) modified within the last hour (-mmin -60, i.e. 60 minutes). You can replace . with the desired folder.

find . -mtime -1 -type f

Same as above but uses days count instead (1 day).


This command is very important to detect uploaded shells.
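Both find commands above look only at mtime, which archive extraction or touch can set to any date. The following added example (not from the original post; it assumes GNU find, and the sample directory and file names are constructed) also checks ctime, which changes whenever the inode changes and cannot be set with touch, so files that changed recently but carry an old modification date still show up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find on Linux.
# $1 = directory to inspect, $2 = window in minutes (as in -mmin -60).

# What "find . -mmin -60 -type f" reports: mtime inside the window.
modified_within() {
    find "$1" -xdev -type f -mmin "-$2" | sort
}

# Inode changed inside the window (ctime) while mtime claims the file is
# older: chmod, chown, archive extraction with preserved dates, or a
# backdated mtime. The -mmin search alone never lists these.
changed_but_looks_old() {
    find "$1" -xdev -type f -cmin "-$2" ! -mmin "-$2" | sort
}

# Triage listing by either clock, newest inode change first.
# Columns: ctime, mtime, owner, mode, path.
triage() {
    find "$1" -xdev -type f \( -mmin "-$2" -o -cmin "-$2" \) \
        -printf '%C+\t%T+\t%u\t%m\t%p\n' | sort -r
}

# Constructed sample tree: one fresh file, one whose mtime is set to 2017.
make_sample() {
    d=$(mktemp -d) || return 1
    echo fresh > "$d/fresh.php"
    echo old > "$d/backdated.php"
    touch -t 201701010000 "$d/backdated.php"   # ctime stays at "now"
    echo "$d"
}

sample=$(make_sample)
echo "mtime only:";        modified_within "$sample" 60
echo "ctime says recent:"; changed_but_looks_old "$sample" 60
echo "triage:";            triage "$sample" 60
rm -rf "$sample"
```

Point the functions at the web root instead of the sample directory. A file in the second list is not necessarily malicious, since a permission change or a package update has the same effect, but it is one the mtime search would have skipped.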

Cumulative CPU usage


uptime gives a one line display of the following information. The current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

What do these “load average” numbers mean?

For a single-core processor:

0.8: the processor was idle for 20% of the time.

1.2: the processor was busy serving a process while one or more other processes waited to be served for 20% of the time; in other words, the processor was overloaded by 20%.

2.5: the processor was overloaded by 150%. The processor was serving a process while other processes waited for 150% of the time (there must be more than a single process waiting).

For example:

 06:12:49 up 1:39, 3 users, load average: 1.08, 1.44, 1.31

Current time, up for x:xx, number of users, 1 minute load average, 5 minutes load average, 15 minutes load average.

Who has recently logged in + uptime

w (Yes, that’s the command)

You can use this command to view who is logged into the system using TTY, SSH, etc.

You can specify the username, for example:

w root

Searching for something?

Grep email addresses

grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" filename.txt

Logs Paths

Apache | AccessLog [General paths] | /usr/local/apache/logs/access_log
Apache | ErrorLog [General paths] | /usr/local/apache/logs/error_log
Apache/cPanel sites | ErrorLog [cPanel per website error log] | /home/[server]/logs/
Apache/cPanel sites | AccessLog [cPanel per website access log] | /usr/local/apache/domlogs/[server]
Apache/cPanel itself | ErrorLog [cPanel itself, logging all cPanel errors] | /usr/local/cpanel/logs/error_log
Apache/cPanel itself | AccessLog [cPanel itself, logging all cPanel accesses] | /usr/local/cpanel/logs/access_log
nginx | Access log | /var/log/nginx/access.log
nginx | Error Log | /etc/nginx/logs/error_log
find it in nginx.conf file
find it in /etc/rsyslog.conf
find it in /etc/rsyslog.d/50-default.conf
/var/log/vsftpd.log [for vsftpd]
find it in /etc/vsftpd.conf
find it in /etc/vsftpd/vsftpd.conf

Configuration Paths

Apache (cPanel) | httpd configuration file | /usr/local/apache/conf/httpd.conf | Should be auto-generated by WHM.

