What security applications should I run after getting hacked?
Hey guys. As one of our last labs, our professor is going to run some evil scripts on our servers and we are supposed to find out what he did, as much as we can.
I will be running chkrootkit, but I wanted some suggestions for other applications to run and what else to check for.
Well, at a minimum, I would be checking the permissions on all the system folders, to ensure that they are owned by root where required, and inaccessible to anyone else! That way, unless he cracks your root password, which you should make sure is REALLY strong, he is effectively sandboxed in userland. Other than that, you should turn up your log levels, and monitor them closely for unusual activity.
Thanks irish, that's kinda what I was thinking about the logs.
He probably won't crack my root password, and he knows it -- he gave it, but he will probably replace or remove it and I will have to figure out how to fix it. Single user mode, I know...
Ummm, other than that... I was thinking he might be changing some of the commands so they lie to me, such as the ls and ps commands, so I backed them up. Otherwise, is there a better way to find out and fix modified commands?
Well, if you make them owned by root, he won't be able to change them without cracking the root password! Of course, your big challenge is hunting down his scripts, and figuring out what they do....
As one of our last labs, our professor is going to run some evil scripts on our servers and we are supposed to find out what he did, as much as we can.
You'll want to create a HIDS db of the pre-cracked system. Then you'll need a safe command environment to operate from afterwards (to check the db against the system): i.e. a live CD.
Good luck. If you don't know what I said, use the google. (This is homework..)