System changes
Newbie here, my question is this:
I have a Linux system, and I want to know if there is a log somewhere that would show what files were modified, when, and any other relevant data. So if, say, there's a hacker and they install a RAT, my question is: can I find out from some log what changes were made, and where it came from?
If you want to view which files are currently open and by what, you can use the lsof command.
What you describe is accomplished by an intrusion detection system. I think the standard open-source solution in this area is Snort. A much simpler solution (but easy for a hacker to fool): commands that check the validity of files belonging to software packages. On an rpm-based system, for example, rpm -V lists the files that were modified in various ways since the package was installed.
Related to your previous posts?
There are audit tools, but you would need to install them prior to your neighbour allegedly invading your router. Best done from somewhere else, a mate's place perhaps.
debsums will validate the installed packages.
Note: some files may have changed for good reason, or by yourself; don't get too excited if debsums shows some files changed. Instead, explore those changes and figure out what the effect is/was. Regards, https://www.linuxquestions.org/quest...7/#post6029560
Quote:
your distro changed stuff https://blog.parrotlinux.org/repository-changes/ try
Code:
sudo apt-get update
if that fails, then make /etc/apt/sources.list.d/parrot.list look like
Code:
# this file was automatically generated by parrot-mirror-selector
There's the BASH history. How far back it goes is configurable. Depending on the distro, out-of-the-box it's commonly configured for 500 or 1000 commands.
And you'd need to configure it so that commands are saved to file immediately. Otherwise the current shell session's history stays in memory and disappears when you forcibly kill the shell.
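Added here as an example, not text from any post in this thread: the ~/.bashrc settings that give the behaviour described in the two posts above (history written to disk as you go, with timestamps). The variable and option names are standard bash; the sizes are arbitrary choices, and the "out of the box" values in the comment are typical rather than guaranteed for every distro.

```shell
#!/usr/bin/env bash
# Added example: ~/.bashrc settings that make bash history usable as a record.
# Typical defaults: HISTSIZE=1000, HISTFILESIZE=2000, no timestamps, and the
# file is only written when the shell exits cleanly.
shopt -s histappend                 # append to HISTFILE instead of overwriting it
HISTSIZE=100000                     # commands kept in memory for this session
HISTFILESIZE=200000                 # lines kept in ~/.bash_history
HISTTIMEFORMAT='%F %T '             # "history" shows when each command ran
                                    # (bash stores a "#<epoch>" line before each entry)
HISTCONTROL=                        # keep duplicates and space-prefixed commands too
unset HISTIGNORE                    # do not silently drop matching commands
PROMPT_COMMAND='history -a'         # flush each command to disk before the next prompt,
                                    # so a kill -9 of the shell loses at most one command
```

This only records what an interactive bash session runs and chooses to record: the same user can `unset HISTFILE` or set `HISTSIZE=0` for a session, a command run as `ssh host cmd` or `bash -c '...'` never touches the history file, and anyone with root can edit ~/.bash_history afterwards. Treat it as a convenience, not as evidence; that is what the audit tools mentioned earlier in the thread are for.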
One thing I noticed when a system I was administering had a rootkit was that man <command> stopped working for the affected commands. I figured out that I had a problem by looking at the dates (ls -ltr, as posted) on commands and noticing that they were much more recent than they should have been. Dates are not consistent in the /bin and /usr/bin directories, but looking at them occasionally will increase awareness of what's there and what's changed. I suppose one could do an ls and redirect to a log file on a daily basis, then diff the log files to see if anything changed... but it's still mostly about paying attention.
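The "ls to a log file, then diff" idea from the post above, as an added example that is not code from any post in this thread. It records a sha256 hash alongside mode, owner and mtime for every file under a directory, so a replaced binary with a back-dated timestamp (which ls -ltr would not flag) still shows up, and it covers files that rpm -V or debsums cannot check because they belong to no package. It assumes GNU coreutils (sha256sum, stat -c, touch -d) and awk, and that paths contain no newlines or tabs; the file names and the "intrusion" in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a minimal file-integrity baseline.
# Assumes GNU coreutils (sha256sum, stat -c, touch -d) and awk; paths are
# assumed not to contain newlines or tabs.

# Print one record per regular file under $1, sorted by path:
#   sha256 <TAB> mode <TAB> uid:gid <TAB> mtime-epoch <TAB> path
fim_snapshot() {
    local dir=$1 f hash
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        set -- $(stat -c '%a %u:%g %Y' "$f")        # mode uid:gid mtime
        printf '%s\t%s\t%s\t%s\t%s\n' "$hash" "$1" "$2" "$3" "$f"
    done
}

# Compare a baseline ($1) with a later snapshot ($2). Prints sorted
# ADDED / REMOVED / CHANGED lines and returns 1 if anything differs, else 0.
# A file counts as CHANGED if its hash, mode, owner or mtime differ.
fim_compare() {
    local out
    out=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$NF] = $0; next }    # baseline records
        { cur[$NF] = $0 }                                # current records
        END {
            for (p in base) if (!(p in cur)) print "REMOVED\t" p
            for (p in cur) {
                if (!(p in base))           print "ADDED\t" p
                else if (base[p] != cur[p]) print "CHANGED\t" p
            }
        }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Worked scenario on a throw-away tree under $1 (constructed data): take a
# baseline, simulate the kind of changes a RAT install makes, and compare.
fim_demo() {
    local d=$1 base cur rc
    base=$(mktemp) && cur=$(mktemp) || return 2
    mkdir -p "$d/bin" "$d/etc"
    printf 'real ls\n'  > "$d/bin/ls"
    printf 'real ps\n'  > "$d/bin/ps"
    printf 'welcome\n'  > "$d/etc/motd"
    fim_snapshot "$d" > "$base"                  # baseline kept OUTSIDE the watched tree

    printf 'trojaned ls\n' > "$d/bin/ls"         # replaced binary ...
    touch -d '2001-01-01 00:00:00' "$d/bin/ls"   # ... with a back-dated mtime: ls -ltr sees nothing odd
    chmod 4755 "$d/bin/ps"                       # content intact, setuid bit added
    printf 'RAT\n' > "$d/bin/dropper"            # new file
    rm -f "$d/etc/motd"                          # deleted file

    fim_snapshot "$d" > "$cur"
    fim_compare "$base" "$cur"; rc=$?
    rm -f "$base" "$cur"
    return $rc
}

# Stand-alone run: prints ADDED dropper, CHANGED ls, CHANGED ps, REMOVED motd.
demo_dir=$(mktemp -d)
fim_demo "$demo_dir" || echo "differences found (exit status $?)" >&2
rm -rf "$demo_dir"
```

Two caveats a practitioner would add. First, the baseline must live somewhere the attacker cannot edit (another machine, read-only media), for the same reason the earlier post says to set this up before the break-in: rpm -V and debsums compare against package metadata stored on the same box, which root can rewrite. Second, a rootkit that hooks the kernel can hide files from find and stat entirely, so a clean report on a host that is already owned proves little; that is the gap a network-side IDS such as the Snort suggestion above is meant to cover.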
Basically, when my passwords, etc. are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.
He just might leave a piece of himself behind as well, or at the very least, I'd know which system files he messed with. I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
Code:
ssh root@remoteserver sed -i /root/d /etc/passwd
The term interactive shell is defined here: https://www.gnu.org/software/bash/ma...ractive-Shells
How did "they" let you do any "googling" if you "barely have any control over the system"? How did they even let you log in to begin with? I'm sorry, but based on what you've said, I'd have to agree with TB0ne in your other thread: I'm not sure it's technical help you need; I think psychological help is really what you need a lot more of. Even if what you say is true, the very simple (and blindingly obvious) solutions would be: as soon as you get another router, change the default admin password for it to something this "moron" could not guess, then disable the wifi access point on the router. Then make sure its firmware is fully up to date; you cannot tell me that would not stop this "moron", particularly if they really are a "moron".
Again, you string together *JUST ENOUGH* technical words to make it sound like something, but you just don't make sense. And still, you are providing NO EVIDENCE of any 'hacker' getting into your system, aside from wild assertions.
At what point are you going to provide actual evidence of anything? ANY log files/proof??? You are asking for technical assistance, so it is not unfair to ask what the actual symptoms are, besides speculation and paranoia.