What to do when you've been hacked

Initial handling

First of all, don't panic – it won't help anything. Personally I want to try and track down the pile of slime that did this. That means trying to preserve all data, logs and possibly sniffing network traffic. However you also need to weigh up the risk of further damage to (or from) your compromised system.

Change all your passwords and any other data that might have been grabbed from the compromised system – e.g. credit card details etc. You should also check any other systems that you use from that machine or that are on the same network (I always assume that the hacker has grabbed the shell history showing which systems I've ssh'd to).

I find "chkrootkit" or "rkhunter" very useful for tracking down what rootkits or backdoors (if any) have been installed. Then look for information about these rootkits (via google). Most rootkits will try and hide themselves from process listings. However some use configuration files to do so – if you move those files out of the way the processes become visible once more. Look for network connections (netstat or lsof on processes) and if possible tcpdump them. Check for recently modified files (although it's trivial to backdate changes so do not rely on only this method to find compromised files).

There are several live CD distros available designed to help you recover from an intrusion. You can also build your own if you are really keen or paranoid. Booting from a clean CD has the advantage that you know the kernel and system binaries are clean. However some rootkit are easier to detect when installed and running in the kernel. For example there is INSERT a DSL/Knoppix based live boot disk, see [[FrozenTech's LiveCD List]] for many more


If your box has been hacked there is only one thing you should do – rebuild from scratch. Build a brand new machine from scratch and copy over any data that you can. Executables, shell scripts etc should all be carefully checked (or restored from backups – you do have backups don't you? But don't restore from the night before's backup, because you might be restoring the attacker's files!)

If you use debian you can use dpkg --get-selections on the compromised system to create a list of installed packages. Feeding this to dpkg --set-selections on the new system, followed by aptitude dist-upgrade should then install these packages.


Prevention is better than a cure – particularly in this case. Some of these ideas are easier to implement than others:

Security/Hacked (last edited 2005-12-04 18:06:40 by 82)