Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
i think my linux box is hacked. i am having a RedhatLinux 7.3 installed. The problem is that someone has made some changes in startup/shutdown scripts so that whenever i shutdown linux, the system goes in to maintenance mode i.e runlevel 1. so accessing runlevel anybody could easily do anything with the system.
I tried to read the log files but didn't found anything. for instance to save my system i have also modified the script /etc/rc.d/rc so that whenever system goes into maintenance mode it asks for the root passwd.
I want to know how could someone having guest access do such a task of modifying the scripts. How can solve this problem and deny such activities in future.
First, try verifying the integrity of the init scripts using rpm -V <package> or just rpm -Va to verify them all. With the system going to run-level 1, only someone with local access would be able to use the machine, so you might want to think about who else has physical access to the machine. You should also take a look at the access logs (last and last -i) for abnormal access times, look at /etc/passwd for any abnormal users or users other than root with a UID of 0. You should also download and run chkrootkit or rootkit hunter to identify whether a rootkit has been installed (they have a tendency to bork the startup/shutdown files if they don't install properly).
In terms of how could this happen, Redhat 7.3 has not been supported for some time and unless youve been manually patching to keep up with recent security vulnerabilities, then there would be a number of local root exploits in the system that would allow a "privilege escalation" attack.
Hi.
i think you are using shutdown command. to remind you shutdown command with no options and arguemtns will place you in single user mode. if you want to poweroff the system use 'shutdonw -h now' or if you want to use restart 'shutdown -r now'. for more information read 'man shutdown'
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
