# [solved] Need help judging if my server has been compromised

## Elleni

My brother told me he opened a Word document within libreoffice-online on my nextcloud server which he received by mail. The same server is acting as mailserver, set up with postfix/dovecot/rspamd/fail2ban/clamav/logcheck... He then realized that the sending address was not ok, so he fortunately did not push the activate buttons on the top bar within libreoffice-online, and deleted the file. Now I am not sure whether my server was compromised. I checked with rkhunter and chkrootkit, nothing found, and I also ran clamscan (with unofficial signatures) on the location where nextcloud files are saved, without finding anything. What bothers me is that I became aware of 1 of the 4 cpus being @100% with /usr/bin/loolforkit, and I don't know if that is related or not. Crawling the net for "loolkit/loolforkit high cpu" I did not find anything reported that could be helpful to understand what's going on.

```
/usr/bin/loolforkit --losubpath=lo --systemplate=/var/lib/libreoffice-online/systemplate --lotemplate=/usr/lib64/libreoffice --childroot=/var/lib/libreoffice-online/jails/ --clientport=9980 --masterport=9981 --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0
```

Is there a way to check what this thing is doing? What would be your suggestions / thoughts, do you think it's safe to wait and see if it eventually stops eating / occupying 1 of the 4 cpus (it's been running for 3h now according to htop)? Or should I consider the server compromised and thus restore to a state before the above mentioned Word file was opened? I would rather think that those macro things would only be a problem on Microsoft Office and only if activating malicious macros, but I don't know...  :Embarassed: 

What do you think, is that related to the document opened, or just some other misbehavior of my libreoffice-online not leading to the conclusion that the server is compromised? What would you do if it were your server?

```
strace -p 24901
```

```
lsof -p 23808
```

The last line caught my attention, as I indeed opened this pdf file in my nextcloud. So maybe this cpu eating thing is attached to this?

Last edited by Elleni on Tue Dec 24, 2019 11:52 pm; edited 1 time in total
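A read-only way to look at a process like the loolforkit one above, pulling the same facts strace/lsof/htop expose but straight out of /proc (what binary is really mapped, where it runs, how many sockets it holds, how much CPU it has burned, and whether it is sleeping in the kernel or actually executing). This is an added example, not part of the original post or of the LibreOffice Online project; it assumes a Linux host with /proc mounted, uses `ss` from iproute2 only when it is installed, and the script name, function names and pid argument are mine.

```shell
#!/bin/sh
# triage_pid.sh: read-only snapshot of what a busy process is doing, built from /proc.
# Added example (not from the thread). Assumes Linux with /proc mounted; ss (iproute2)
# is used only if present. Stand-alone use: sh triage_pid.sh <pid>

# Command line with the NUL separators turned into spaces (this is what the
# "/usr/bin/loolforkit --losubpath=lo ..." line in the thread is)
proc_cmdline() {
    cat "/proc/$1/cmdline" 2>/dev/null | tr '\0' ' '
}

# Executable and working directory actually in use; a binary that was deleted or
# replaced after the process started shows up with a "(deleted)" suffix here
proc_exe() { readlink "/proc/$1/exe" 2>/dev/null || echo unknown; }
proc_cwd() { readlink "/proc/$1/cwd" 2>/dev/null || echo unknown; }

# Scheduler state (R running, S sleeping, D disk wait, Z zombie) and parent pid
proc_state() { awk '/^State:/ {print $2}' "/proc/$1/status" 2>/dev/null || echo unknown; }
proc_ppid()  { awk '/^PPid:/  {print $2}' "/proc/$1/status" 2>/dev/null || echo unknown; }

# Kernel function the process is blocked in, or 0 when it is running user code
# (a CPU-spinning process will show 0 here most of the time)
proc_wchan() { cat "/proc/$1/wchan" 2>/dev/null || echo unknown; }

# Number of open descriptors and how many of them are sockets
proc_fd_count()     { ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '; }
proc_socket_count() { ls -l "/proc/$1/fd" 2>/dev/null | grep -c 'socket:' || true; }

# CPU time consumed (user + system, in clock ticks) from /proc/<pid>/stat.
# The comm field can contain spaces and parentheses, so strip everything up to
# the last ") " first; after that, utime and stime are fields 12 and 13.
proc_cpu_ticks() {
    rest=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null) || return 1
    set -- $rest
    echo $(( ${12} + ${13} ))
}

# One-screen report for a pid; the socket view needs ss and, for other users'
# processes, root privileges
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "== pid $pid =="
    echo "cmdline   : $(proc_cmdline "$pid")"
    echo "exe       : $(proc_exe "$pid")"
    echo "cwd       : $(proc_cwd "$pid")"
    echo "state     : $(proc_state "$pid")  ppid: $(proc_ppid "$pid")  wchan: $(proc_wchan "$pid")"
    echo "open fds  : $(proc_fd_count "$pid")  (sockets: $(proc_socket_count "$pid"))"
    echo "cpu ticks : $(proc_cpu_ticks "$pid")  (divide by $(getconf CLK_TCK 2>/dev/null || echo 100) for seconds)"
    if command -v ss >/dev/null 2>&1; then
        echo "-- sockets owned by pid $pid --"
        ss -tunap 2>/dev/null | grep "pid=$pid," || echo "(none)"
    fi
}

# Stand-alone use: sh triage_pid.sh <pid>
if [ -n "$1" ]; then
    triage_pid "$1"
fi
```

Run it against the loolforkit pid and compare the `exe` and `cwd` lines with what the package installed, check that `cpu ticks` keeps climbing while `wchan` stays at 0 (a genuine busy loop rather than a process stuck in I/O), and then follow up with `strace -p` as done in the thread if the socket list shows connections you did not expect.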

----------

## Elleni

Did my checks, inspired by this blog post, as I did not get any reply here yet: 

https://bash-prompt.net/guides/server-hacked/

I guess everything should be ok, but I would nevertheless appreciate any comment/thought on this one, or maybe a hint on what else to do in order to improve my knowhow.

----------

## gengreen

With less than 100 lines of code, you can hide a process from most of the admin tools.

A rootkit / backdoor built with enough effort can persist almost forever and you won't see a thing. The only way to fix this is a full rebuild of your system. 

If you think you could have been compromised, then you are; this is how you should handle the problem.

It's not by using 3 sysadmin tools and trying to make a hazardous analysis of your server that you will confirm whether or not you are compromised...

----------

## Elleni

I see what you mean. Thanks for your comment. I will have to think about rebuilding everything, as it's quite some work. On the other side, I still hesitate as I don't believe that opening a document with libreoffice-online is enough to have the server compromised. Nevertheless, I might find the time to redo all the work in order to have no doubt anymore. 

At least I learned from this experience how to examine a process to find out what it's doing while occupying one cpu @100%. 

But you are certainly right, and I won't be able to trust my server before a full rebuild.

----------

## 389292

Maybe a miner? You can sniff the traffic and see if it goes somewhere. Still a good learning experience, as long as it's not a corporate server  :Smile: 

----------

## Elleni

absolutely - thanks for the suggestion  :Smile: 

----------

