Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Quote:
Originally Posted by lynxlyon2
newbie here, my question is this
i have a linux system, and i want to know if there is log somewhere that would show what files were modified, when and any other relevant data.
so if say there's a hacker, and that they install a RAT, my question is
can i find out from some log what changes were made, and where it came from
Not that I personally know of. But there is the ls command that can tell you when files were last modified. If you have a look at its man page that will show you some options you can use to get more information - like the -la option for one, but not limited to.
If you wanted to view which files are currently open and by what, you can use the lsof command.
A log of all file changes would be huge, with millions of entries generated in a short time, since there are many, Many, MANY file operations going on at any second, 99.999% of them legitimate. In short, what you are asking is not realistic.
What you describe is accomplished by an intrusion detection system. I think the standard open-source solution in this area is Snort.
Much simpler solution (but for a hacker easy to fool): Commands that check the validity of files belonging to software packages. On an rpm-based system, for example, rpm -V lists the files that were modified in various ways since the package was installed.
Last edited by berndbausch; 08-26-2019 at 06:38 AM.
Reason: added snort url
There are audit tools, but you would need to install them prior to your neighbour allegedly invading your router. Best done from somewhere else - a mates place perhaps.
debsums will validate the installed packages
note, some files may have changed for good reason, or by yourself
don't get too excited if debsums shows some files changed, instead explore those changes and figure out what the effect is/was
so my router is infected by the moron next door, and wifi compromised
i would like to audit my system, but when i type
sudo apt-get install {}
it says my repository changed and i can't seem to find another copy
aka:
Code:
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Label' value from 'Parrot Stable Repository' to 'Parrot Rolling Repository'
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Suite' value from 'stable' to 'rolling'
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Codename' value from 'parrot' to 'rolling'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
so how can i get the package straight from the source, or without typing sudo apt-get install {}
and when prompted accept the changes, you should then be able to upgrade/install as you normally would
if that fails, then make /etc/apt/sources.list.d/parrot.list look like
Code:
# this file was automatically generated by parrot-mirror-selector
deb https://deb.parrot.sh/parrot/ rolling main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling main contrib non-free
deb https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
There's the BASH history. How far back it goes is configurable. Depending on the distro, out-of-the-box it's commonly configured for 500 or 1000 commands.
Caveat: It only works for interactive commands.
And you'd need to configure it so that commands are saved to file immediately. Otherwise the current shell session's history stays in memory and disappears when you forcibly kill the shell.
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?
Something executed by cron is one thing that comes to mind.
One thing I noticed when a system I was administering had a root kit was that the man <command> stopped working for affected commands.
I figured out that I had a problem by looking at the dates (ls -ltr, as posted) on commands and noticing that they were much more recent than they should have been. Dates are not consistent in the /bin and /usr/bin directories, but looking at them occasionally will increase awareness of what's there and what's changed.
I suppose one could do an ls and redirect to a log file on a daily basis, then diff the log files to see if anything changed...but it's still mostly about paying attention.
basically, when my passwords, etc are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.
he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.
I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
None of the various measures mentioned here is very useful when the damage is done. You need to set up auditing, intrusion detection, or protective solutions like SELinux or AppArmor before the break-in.
To which I'd add, before you connect the 'puter to the network. "They" can't hack your system remotely if it's not on the network.
Quote:
Originally Posted by lynxlyon2
basically, when my passwords, etc are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.
he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.
I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
Well then, physically UNPLUG your machine from your router, or even better, UNPLUG the power cord to the router altogether. Then do what you need to do to secure your system, and/or look at any of these "suspect" files that they "must have changed".
How did "they" let you do any "googling" if you "barely have any control over the system" ? How did they even let you login to begin with ?
I'm sorry, but based on what you've said, I'd have to agree with TB0ne in your other thread - I'm not sure it's technical help you need; I think it's psychological help that's really what you need a lot more of. Even if what you say is true, the very simple (and blindingly obvious) solutions would be: as soon as you get another router, change the default admin password for it to something this "moron" could not guess, then disable the wifi access point on the router. Then make sure its firmware is fully up-to-date; you cannot tell me that would not stop this "moron" - particularly if they really are a "moron".
Much like your other threads under your other three accounts??
Again, you string together *JUST ENOUGH* technical words to make it sound like something, but you just don't make sense. And still, you are providing NO EVIDENCE of any 'hacker' getting into your system, aside from wild assertions.
How do you know your passwords are 'retrieved'??
You claim to 'barely have control' of your own system...how about telling us what it's doing? (kind of odd that this 'moron hacker' who can get into your wifi in less than 10 seconds will let you DO Google searches for how to get rid of them, don't you think?)
(from your other thread) "He can get in in under 10 seconds by now. I think he infected my router and re-routed us." ("Re-routed"?? What does that mean??)
And now you're using ParrotOS (from your other thread), because you asserted that Kali was 'bugged', and the mafia was somehow involved.
At what point are you going to provide actual evidence of anything? ANY log files/proof??? You are asking for technical assistance, so it is not unfair to ask what the actual symptoms are, besides speculation and paranoia.