What to do if a server is hacked? Will Red Hat assist with development of security rules and policies and root cause?

Solution Verified - Updated -

Issue

  • There is reason to believe that my server was hacked

  • The host started presenting abnormal behaviors

  • Sudden jump in network bandwidth and/or traffic consumption

  • Unknown allocated space on disks

  • New users/groups created on the system with random names

  • An unknown root SSH login happened

    Jan 01 10:50:09 server sshd[444]: Accepted password for root from 61.32.27.191 port 4729 ssh2
Jan 01 10:50:09 server sshd[444]: pam_unix(sshd:session): session opened for user root by (uid=0)

  • Crond will not start

    starting crond : /bin/bash: crond:command not found

  • An untrusted IP address was able to login into my system

Environment

  • Red Hat Enterprise Linux (RHEL) all versions

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.