Need to know how if a hacker compromised my syst.

mazterpr

Joined
Jul 3, 2009
Messages
13
Likes
0
Points
0
#1
I've been having a problem. Somebody is changing the root password almost daily.

I went and booted (in append mode) and changed the root password. It worked for a day or two.
But today I changed the root pass and in a matter of maybe 30 steps to my desk (I was in the server room) it was changed again. I already disabled the ssh port so no one can try to brute force the syst...

My question is: how can I check if someone "trojaned" (I don't know if that's possible in Linux) my PBX or left some kind of a script that changes the root password immediately after I change it?

Need help big time!!

Thanks
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#2
Perhaps you have been "rooted". rkhunter (root kit hunter) is one tool that can possibly prevent a further compromise, and maybe identify one already installed.

The password hash is in /etc/shadow; if it changes (read it before changing the password next time it denies you access) then probably yes.

(I don't think it is in the standard repositories, but easy to find.)

If indeed I had been so attacked (and I have), I personally would consider my system compromised and reinstall the os from scratch. (root kits can be devilishly devious, I would no longer trust the system)
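
The check described in the reply above (compare root's hash in /etc/shadow before and after the lockout), together with a search for scheduled scripts that set passwords, as an added example that is not part of the original thread. The function names, the search pattern and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: works on constructed sample files, never on the real /etc/shadow.

# Print the password-hash field (2nd field) of the root entry in a shadow-format file.
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# Succeed (exit 0) when root's hash differs between a saved baseline and the current file.
root_hash_changed() {
    [ "$(root_hash "$1")" != "$(root_hash "$2")" ]
}

# List files under the given paths that mention commands able to set a password
# without a prompt. The pattern is a heuristic chosen for this example; review hits by hand.
find_password_changers() {
    grep -rlE 'chpasswd|usermod[[:space:]].*-p|passwd[[:space:]].*--stdin|/etc/shadow' "$@" 2>/dev/null | sort
}

# Build a constructed sample tree: two shadow snapshots and a fake cron directory.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cron.d"
    printf 'root:$1$aaaa$CONSTRUCTEDHASH1:14500:0:99999:7:::\nbin:*:14500:0:99999:7:::\n' > "$d/shadow.before"
    printf 'root:$1$bbbb$CONSTRUCTEDHASH2:14501:0:99999:7:::\nbin:*:14500:0:99999:7:::\n' > "$d/shadow.after"
    printf '*/5 * * * * root cat /var/tmp/.cache | /usr/sbin/chpasswd\n' > "$d/cron.d/sysupdate"
    printf '0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/cron.d/logrotate"
    echo "$d"
}

# Demo on the constructed data.
d=$(make_sample)
root_hash_changed "$d/shadow.before" "$d/shadow.after" && echo "root hash changed since baseline"
find_password_changers "$d/cron.d"
rm -rf "$d"
```

On a live host the baseline would be a root-only copy of /etc/shadow taken right after setting the password, and the search paths would be the cron directories, /var/spool/cron and the init scripts. A rootkit can hide files from tools running on the compromised system, so results are more trustworthy when the disk is examined from rescue media.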
 

mazterpr

#3
How do I install this rootkit hunter? I'm a newbie in terms of Linux... I'm running CentOS 5...

Thanks for all your help...
 

dicko

#4
One way is to download it first (first google hit was here so):
first go to a "safe" place (if one remains on your file system :) )

cd /usr/src

then download
Code:
wget http://dag.wieers.com/rpm/packages/rkhunter/rkhunter-1.2.9-1.el5.rf.noarch.rpm
then install it

rpm -Uhv rkhunter-1.2.9-1.el5.rf.noarch.rpm

then run it (after reading and digesting the documentation)

man rkhunter

rkhunter -c
 

mazterpr

#5
OK... I did what you told me to do!! And this is what I get.

> rkhunter -c
Fatal error: can't find INSTALLDIR option in configuration file (/etc/rkhunter.conf)

Any ideas?
 

dicko

#6
