Introduction

As in my previous Blog where i explained how i came to know if my system is hacked or compromized (link here). Here in this blog i will explain what basic things we can check on our system when we have doubt if our system is compromized .

This Blogs have 3 parts

• List of Checks which can determine if system is compromised or hacked – Part 1
• List of checks which can give a direction how system is compromised or hacked – Part 2
• What preventive steps (specially infra related) can be taken care to avoid hacking or to make system more secure – Part 3

Here , i am assuming system is Linux system with Centos installed .

List of Checks which can determine if system is compromised or hacked

• Generally when hacker break into a linux system it is high chance that it will alter you main packages like openssh,kernel etc.. , So first if of please check if these packages are altered or there are some changes in the files or binaries provided by these packages . Following are commands to check on Centos
  • sudo rpm -qa | grep openssh | xargs -I '{}' sudo rpm -V '{}'
  • If therr are files shown by above command in which you did not change anything then it means there is high chance your system is compromised
• Run rootkit Hunter to check if you system is compromised
  • Download rkhunter.tar.gz
  • copy it in /root and goto /root
  • tar zxvf rkhunter-1.4.2.tar.gz
  • cd rkhunter-1.4.2/
  • sh installer.sh --layout default --install
  • changes in /etc/rkhunter.conf ENABLE_TESTS="all" DISABLE_TESTS="none" HASH_CMD=SHA1 HASH_FLD_IDX=4 PKGMGR=RPM 7
  • /usr/local/bin/rkhunter --propupd
  • /usr/local/bin/rkhunter --update
  • /usr/local/bin/rkhunter -c -sk 10.
  • note output or check and copy /var/log/rkhunter.log
  • you can also check the link for using rkhunter
• Check /var/log/secure to check if there are many authentication failure requests and someone trying brute force to enter in to system
  • following will be the comand :
    • [root@localhost ~]# less /var/log/secure | grep 'authentication failures'
  • and output will be something like :
    • Apr 25 12:48:46 localhost sshd[2391]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
    • Apr 25 12:49:33 localhost sshd[2575]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
  • In above output you can see the rhost from where login attempt are made . If you see lots of entries like this then also check if at some point of time some login attempt will be successful from any of attempting rhosts . In secure logs accepted logs will looks something like as follows :
    • Apr 25 12:53:10 localhost sshd[3551]: Accepted password for root from 192.168.29.14 port 36362 ssh2

• Check in Processes if some unusual process is running and consuming high CPU using top and ps commands .
  • Command to list all process running in system : ps aux | less
  • Also check using top command if some unusual process trying to utiize high cpu
• Check if there is some unusual entry in crontab of all users made on system
  • crontab -u <user> -l . by default user is root
• Check if in id_rsa.pub , if some attacker has somehow made its entry in .ssh folder in every users’s home directory .

This was the Part 1 of the Blog , In later Parts i will explain some further checklist to ensure that you system will remain less hackable .

Thankyou .