
Posted on • Originally published at Medium

How I Rebuild a Linux Server After a Suspected Compromise (Step by Step) | by Faruk Ahmed | May, 2025


Intro:

No one wants to think their server got hacked. But if something feels off — weird traffic, changed files, new users — it’s better to rebuild than guess. I’ve had to do it. And when I do, I follow this exact playbook to safely rebuild from scratch, investigate the cause, and harden the new system like it’s going into battle.

1. Take the Server Off the Network Immediately

Before doing anything else:

sudo ip link set eth0 down

✅ Why:

  • Stops data exfiltration
  • Prevents further spread
  • Buys you time to investigate safely

2. Copy Logs and Artifacts to a Separate Box

✅ Preserve for later review:

# -r is needed: /var/log contains subdirectories (journal, apt, nginx, ...) that a bare glob would skip
scp -r /var/log/ you@forensics-box:/logs/hostname/

✅ Grab:

  • /etc/passwd, /etc/shadow
  • Bash history files
  • Cron jobs
  • List of running processes:
ps aux > ps_dump.txt
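The collection described in step 2, written out as one POSIX shell script. This is an added example, not the author's own script: it stages every artifact listed above (account files, cron jobs, shell histories, logs, and the process list) into a single directory together with a SHA-256 manifest, so the receiving box can prove nothing changed in transit with `sha256sum -c`. Because step 1 already took the interface down, staging to a local directory (or removable media) first, then copying it over a console or out-of-band path, avoids bringing the compromised host's network back up. The optional second argument `ROOT` is an assumption of this example: it lets the same function run against a mounted disk image or a test tree instead of the live host; anything missing or unreadable (for instance `/etc/shadow` without root) is recorded in `MISSING.txt` rather than silently skipped.

```shell
#!/bin/sh
# Added example (not from the original post): stage the step-2 artifacts
# with a SHA-256 manifest. Usage: collect_artifacts OUTDIR [ROOT]
set -u

STAGE=""

# Copy $1 into $2 if it exists and is readable; otherwise record the path
# so the gap is visible in the evidence set instead of being lost.
grab() {
    if [ -e "$1" ] && cp -rp "$1" "$2" 2>/dev/null; then
        :
    else
        printf '%s\n' "$1" >> "$STAGE/MISSING.txt"
    fi
}

collect_artifacts() {
    out="$1"
    root="${2:-/}"          # assumption: "/" for the live host, else an image/test tree
    STAGE="$out"
    mkdir -p "$out/etc" "$out/cron" "$out/histories" "$out/logs"

    # Account and credential files
    for f in passwd shadow group sudoers; do
        grab "$root/etc/$f" "$out/etc/"
    done

    # Cron: system crontab, drop-in directories and per-user spools
    for d in crontab cron.d cron.daily cron.hourly cron.weekly cron.monthly; do
        grab "$root/etc/$d" "$out/cron/"
    done
    grab "$root/var/spool/cron" "$out/cron/spool"

    # Shell histories for root and every home directory
    for h in "$root"/root "$root"/home/*; do
        [ -d "$h" ] || continue
        for hist in .bash_history .zsh_history .sh_history; do
            [ -f "$h/$hist" ] && grab "$h/$hist" "$out/histories/$(basename "$h")$hist"
        done
    done

    # Logs, including subdirectories (journal, apt, ...) that a bare glob would skip
    grab "$root/var/log/." "$out/logs/"

    # Volatile state only means something on the live host
    if [ "$root" = "/" ]; then
        ps aux > "$out/ps_dump.txt" 2>/dev/null || :
        ( ss -tulpn 2>/dev/null || netstat -tulpn ) > "$out/sockets.txt" 2>/dev/null || :
        who -a > "$out/who.txt" 2>/dev/null || :
    fi

    # Manifest: hash every staged file (sorted, NUL-safe) for later verification
    ( cd "$out" && find . -type f ! -name SHA256SUMS -print0 | sort -z \
        | xargs -0 -r sha256sum > SHA256SUMS )
    return 0
}

# Returns 0 only when every hash in the manifest still matches its file.
verify_artifacts() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS ) >/dev/null 2>&1
}
```

Run `collect_artifacts /mnt/evidence/hostname` as root on the isolated host, then on the forensics box run `sha256sum -c SHA256SUMS` inside the copied directory before anyone opens a file; a mismatch means the copy, not the evidence, is suspect. Keep `MISSING.txt` with the rest of the set, because "this file could not be read at collection time" is itself a fact the investigation will want.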

3. Spin Up a Clean…
