Need to know how if a hacker compromised my syst.

Discussion in 'General' started by mazterpr, Jul 10, 2009.

  1. mazterpr

    I've been having a problem. Somebody is changing the root password almost daily.

    I went and booted (in append mode) and changed the root password. It worked for a day or two.
    But today I changed the root pass and in a matter of maybe 30 steps to my desk (I was in the server room) it was changed again. I already disabled the ssh port so no one can try to brute force the syst...

    My question is: how can I check if someone "trojaned" (I don't know if that's possible in Linux) my PBX or left some kind of a script that changes the root password immediately after I change it?

    Need help big time!!

    Thanks
     
  2. dicko

    Perhaps you have been "rooted". rkhunter (root kit hunter) is one tool that can possibly prevent a further compromise, and maybe identify one already installed.

    The password hash is in /etc/shadow; if it changes (read it before changing the password next time it denies you access) then probably yes.

    (I don't think it is in the standard repositories, but easy to find.)

    If indeed I had been so attacked (and I have), I personally would consider my system compromised and reinstall the os from scratch. (root kits can be devilishly devious, I would no longer trust the system)
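
    The /etc/shadow check suggested above, as an added example that is not part of the original thread: it records a digest of one account's hash field and reports when it differs later. The STATE path and the function names are assumptions; run it as root with `snapshot` right after setting the password and with `check` afterwards.

```shell
#!/bin/sh
# Added example: watch one account's entry in a shadow-format file.
# SHADOW and STATE are assumptions; override them via the environment.
SHADOW="${SHADOW:-/etc/shadow}"
STATE="${STATE:-/root/shadow-root.state}"

# Print "<sha256 of hash field> <last-change day>" for user $1.
# Shadow fields: name:hash:lastchange (days since 1970-01-01):...
shadow_fingerprint() {
    entry=$(awk -F: -v u="$1" '$1 == u { print $2 ":" $3 }' "$SHADOW")
    [ -n "$entry" ] || return 2            # user not present in the file
    # Store a digest, not the hash itself, so the state file is not a copy.
    digest=$(printf '%s' "${entry%%:*}" | sha256sum | cut -d' ' -f1)
    printf '%s %s\n' "$digest" "${entry#*:}"
}

# Record the current fingerprint, readable by the owner only.
snapshot_user() {
    umask 077
    shadow_fingerprint "$1" > "$STATE"
}

# Compare with the snapshot: 0 = unchanged, 1 = changed, 2 = cannot tell.
check_user() {
    now=$(shadow_fingerprint "$1") || return 2
    [ -f "$STATE" ] || return 2
    old=$(cat "$STATE")
    if [ "$now" = "$old" ]; then
        echo "unchanged: $1"
        return 0
    fi
    if [ "${now%% *}" != "${old%% *}" ]; then
        echo "password hash changed for $1"
    fi
    if [ "${now##* }" != "${old##* }" ]; then
        echo "last-change day: ${old##* } -> ${now##* }"
    fi
    return 1
}

# Usage: script snapshot [user] | script check [user]
case "${1:-}" in
    snapshot) snapshot_user "${2:-root}" ;;
    check)    check_user "${2:-root}" ;;
esac
```
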
     
  3. mazterpr

    How do I install this rootkit hunter? I'm a newbie in terms of Linux. I'm running CentOS 5 ...

    thanks for all your help...
     
  4. dicko

    One way is to download it first (first Google hit was here so):
    First go to a "safe" place (if one remains on your file system :) )

    cd /usr/src

    then download
    Code:
    wget http://dag.wieers.com/rpm/packages/rkhunter/rkhunter-1.2.9-1.el5.rf.noarch.rpm
    
    then install it

    rpm -Uhv rkhunter-1.2.9-1.el5.rf.noarch.rpm

    then run it (after reading and digesting the documentation)

    man rkhunter

    rkhunter -c
     
  5. mazterpr

    OK... I did what you told me to do!! And this is what I get.

    > rkhunter -c
    Fatal error: can't find INSTALLDIR option in configuration file (/etc/rkhunter.conf)

    Any ideas?
     
  6. dicko
