Someone has managed to compromise my Linux (Fedora) server today. The evil person has added IFRAMEs to many of my sites' homepages - the iframe loads a remote page which contains a java applet which downloads and attempts to install at least 3 nasty viruses to the clients.
My question is:
How can I find out a list of files edited/created today? Is there some command where I can get a list of these files? I know about ls and some basic params, but not sure about finding files by date. Is there a grep or something else for this?
I think you might be looking for something along the lines of find, as in
find / -mtime -1
This will find all the files from the root partition down that have been modified (-mtime) 1 day or less ago.
That's probably going to be a very large number of files, so you might want to filter the output through grep to search for certain extensions (like .html and so forth), or use more of the options that the find command has to offer.
A word of warning, though--the last time I saw this, the server had actually been compromised, rather than user files being replaced. Turns out that there was a loadable kernel module that caused Apache to write the IFRAME. The issue was resolved by backing up the data and reinstalling the OS. Probably not what you wanted to hear.
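The find-based triage from this reply, written out as an added example (it is not code from the thread). It narrows the search to web page extensions, greps the recent pages for an iframe tag, and also offers a ctime-based variant: a plain touch can back-date mtime but not ctime, so a file whose mtime looks old while its ctime is fresh is worth a look. The sample web root is constructed inside the script; on a real server you would point the functions at your DocumentRoot instead.

```shell
#!/bin/sh
# Added example, not from the thread: list files under a web root that changed
# recently and flag the web pages that contain an <iframe> tag.
# Uses only POSIX find/grep/sed; the sample tree below is constructed.

# recent_files DIR DAYS: regular files under DIR whose content (mtime) changed
# within the last DAYS days. Cheap triage, but mtime is trivially forged with touch.
recent_files() {
    find "$1" -type f -mtime -"$2" -print
}

# recent_ctime DIR DAYS: same search keyed on inode change time (ctime).
# touch cannot back-date ctime, so an old mtime with a fresh ctime is suspicious.
recent_ctime() {
    find "$1" -type f -ctime -"$2" -print
}

# recent_html DIR DAYS: restrict the mtime search to common web page extensions.
recent_html() {
    find "$1" -type f -mtime -"$2" \
        \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) -print
}

# suspicious_iframes DIR DAYS: recent web pages containing an <iframe> tag,
# matched case-insensitively, one path per line.
suspicious_iframes() {
    recent_html "$1" "$2" | while IFS= read -r f; do
        if grep -qi '<iframe' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# build_sample_site DIR: constructed web root so the example runs stand-alone.
build_sample_site() {
    mkdir -p "$1"
    printf '<html><body>hello</body></html>\n' > "$1/index.html"
    printf '<html><body><IFRAME src="http://example.invalid/x"></IFRAME></body></html>\n' \
        > "$1/about.html"
    printf 'body { color: red }\n' > "$1/style.css"
    printf '<html>old page</html>\n' > "$1/old.html"
    # Back-date mtime to 2000-01-01 (POSIX touch -t); ctime still records "now",
    # so old.html drops out of -mtime -1 but stays in -ctime -1.
    touch -t 200001010000 "$1/old.html"
}

# Demo: flag injected pages in the constructed tree, then clean up.
tmp=$(mktemp -d)
build_sample_site "$tmp/site"
suspicious_iframes "$tmp/site" 1
rm -rf "$tmp"
```

Run against the constructed tree the script prints only about.html. Comparing `recent_files` with `recent_ctime` on the same tree shows the difference the reply above warns about: the back-dated old.html vanishes from the mtime listing but not from the ctime one.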
Unfortunately, if your server was truly hacked you won't be able to trust what you find. If someone successfully hacked your server, then they could have successfully changed the timestamps on the files they modified, successfully replaced your ls, find, and other standard commands with their trojan versions, etc. Even if you were able to list all files modified in the last 24 hours you'd have no idea if that was really an accurate listing.
Things might be a little better if the attacker just found some hole in Apache and got in only with limited Apache permissions (userid www, nobody, etc.) and was not able to escalate to root. If they didn't gain root privileges you have a chance of detecting what they might have done. If they DID gain root, assume that they hid their tracks well and do not trust anything on your system. Chances are they hid their tracks so well that you might not even be able to detect that they gained root in the first place. Disconnect from the network and restore your system from known-clean backups.
Also, you should scan your system from another system. i.e., go to a different Linux box and run an "nmap" scan and possibly a "nessus" scan looking for entry points.
If you find something fishy - like your local hacked system says "I'm not listening on port 4078" but an nmap scan from another computer tells you that you are listening ... you've got big problems! Time for a bare-metal restore if you find something like this.
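The cross-check this reply describes, as an added example rather than anything posted in the thread: parse the host's own listening-socket listing and an nmap grepable (-oG) report taken from another machine, then print the ports the outside scan saw open that the host does not admit to. The ss and nmap text below is constructed sample data; on a real incident you would capture `ss -ltn` (or `netstat -ltn`) on the suspect host and `nmap -oG` from the second box and feed those files in.

```shell
#!/bin/sh
# Added example, not from the thread: compare externally scanned open ports
# against the host's own listening-socket list. Sample inputs are constructed.

# local_ports: read `ss -ltn`-style text on stdin, print one listening port per
# line. The local address is column 4 (0.0.0.0:22, [::]:80, *:443); the port is
# whatever follows the last colon.
local_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -u
}

# scanned_open_ports: read nmap grepable (-oG) text on stdin and print every
# port nmap reported as open/tcp. Closed and filtered entries do not match.
scanned_open_ports() {
    sed -n 's/.*Ports: //p' | tr ',' '\n' |
        sed -n 's/^ *\([0-9][0-9]*\)\/open\/tcp.*/\1/p' | sort -u
}

# hidden_ports LOCAL_FILE SCAN_FILE: ports open from outside that the local
# listing lacks. comm needs both inputs in the same (lexical) sort order.
hidden_ports() {
    l=$(mktemp); s=$(mktemp)
    local_ports < "$1" > "$l"
    scanned_open_ports < "$2" > "$s"
    comm -13 "$l" "$s"
    rm -f "$l" "$s"
}

# Constructed sample of `ss -ltn` output on the suspect host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      128    [::]:22             [::]:*'

# Constructed sample of `nmap -oG` output taken from another machine.
SAMPLE_NMAP='# Nmap scan of constructed sample host
Host: 192.0.2.10 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 4078/open/tcp/////	Ignored State: closed (997)'

# run_sample: write the samples to temp files and report the discrepancy.
run_sample() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$SAMPLE_SS" > "$a"
    printf '%s\n' "$SAMPLE_NMAP" > "$b"
    hidden_ports "$a" "$b"
    rm -f "$a" "$b"
}

run_sample
```

With the sample data the only line printed is 4078: the host shows 22 and 80, the scanner sees 22, 80 and 4078. A non-empty result from a real comparison is exactly the "big problems" signal above, since a listener the host cannot see implies the tools reporting on it have been tampered with.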
Very valid points. It is important that you not confuse a site (or sites) getting hacked, and your server being compromised. The former can be cleaned up and usually involves lax permissions (write permissions for the Apache user, most frequently) or PHP cross-site scripting vulnerabilities or something similar and is relatively innocuous. The latter really requires that the system be reinstalled. Run a rootkit checker--preferably two, like rkhunter and chkrootkit. If you have any questions about the results, ask.