Introduction
As in my previous Blog where i explained how i came to know if my system is hacked or compromized (link here). Here in this blog i will explain what basic things we can check on our system when we have doubt if our system is compromized .
This Blogs have 3 parts
- List of Checks which can determine if system is compromised or hacked – Part 1
- List of checks which can give a direction how system is compromised or hacked – Part 2
- What preventive steps (specially infra related) can be taken care to avoid hacking or to make system more secure – Part 3
Here , i am assuming system is Linux system with Centos installed .
List of Checks which can determine if system is compromised or hacked
- Generally when hacker break into a linux system it is high chance that it will alter you main packages like openssh,kernel etc.. , So first if of please check if these packages are altered or there are some changes in the files or binaries provided by these packages . Following are commands to check on Centos
sudo rpm -qa | grep openssh | xargs -I '{}' sudo rpm -V '{}'
- If therr are files shown by above command in which you did not change anything then it means there is high chance your system is compromised
- Run rootkit Hunter to check if you system is compromised
Download rkhunter.tar.gz
copy it in /root and goto /root
tar zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2/
sh installer.sh --layout default --install
changes in /etc/rkhunter.conf ENABLE_TESTS="all" DISABLE_TESTS="none" HASH_CMD=SHA1 HASH_FLD_IDX=4 PKGMGR=RPM 7
/usr/local/bin/rkhunter --propupd
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter -c -sk 10.
note output or check and copy /var/log/rkhunter.log
you can also check the link for using rkhunter
- Check /var/log/secure to check if there are many authentication failure requests and someone trying brute force to enter in to system
- following will be the comand :
[root@localhost ~]# less /var/log/secure | grep 'authentication failures'
- and output will be something like :
Apr 25 12:48:46 localhost sshd[2391]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
Apr 25 12:49:33 localhost sshd[2575]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
- In above output you can see the rhost from where login attempt are made . If you see lots of entries like this then also check if at some point of time some login attempt will be successful from any of attempting rhosts . In secure logs accepted logs will looks something like as follows :
Apr 25 12:53:10 localhost sshd[3551]: Accepted password for root from 192.168.29.14 port 36362 ssh2
- following will be the comand :
- Check in Processes if some unusual process is running and consuming high CPU using top and ps commands .
- Command to list all process running in system :
ps aux | less
- Also check using top command if some unusual process trying to utiize high cpu
- Command to list all process running in system :
- Check if there is some unusual entry in crontab of all users made on system
crontab -u <user> -l . by default user is root
- Check if in id_rsa.pub , if some attacker has somehow made its entry in .ssh folder in every users’s home directory .
This was the Part 1 of the Blog , In later Parts i will explain some further checklist to ensure that you system will remain less hackable .
Thankyou .
[…] last article we described List of Checks which can determine if system is compromised or hacked . In this article we will talk about preventive steps (specially infra related) can be taken […]
LikeLike
[…] the last article, we described a list of checks which can determine if a system is compromised or hacked. In this article, we will talk about preventive steps (especially infra-related) that can be […]
LikeLiked by 1 person
I was just looking for this information for a while. After 6 hours of continuous Googleing, finally I got it in your site. I wonder what is the lack of Google strategy that do not rank this kind of informative sites in top of the list. Usually the top websites are full of garbage.
LikeLiked by 1 person
Glad to hear that this article is useful to someone .
LikeLike
Hey there! This is my 1st comment here so I just wanted to give a quick shout out and say I genuinely enjoy reading through your blog posts. Can you suggest any other blogs/websites/forums that deal with the same subjects? Thank you!
LikeLiked by 1 person
I really like your blog.. very nice colors & theme.
Did you make this website yourself or did you hire someone to do it
for you? Plz reply as I’m looking to construct my own blog and would like
to find out where u got this from. kudos
LikeLiked by 1 person