LinuxQuestions.org

Linux - Newbie: System changes (https://www.linuxquestions.org/questions/linux-newbie-8/system-changes-4175659816/)

lynxlyon2 08-26-2019 04:56 AM

System changes
 
newbie here, my question is this

I have a Linux system, and I want to know if there is a log somewhere that would show what files were modified, when, and any other relevant data.

So if, say, there's a hacker and they install a RAT, my question is

can I find out from some log what changes were made, and where it came from?

jsbjsb001 08-26-2019 05:01 AM

Quote:

Originally Posted by lynxlyon2 (Post 6029554)
newbie here, my question is this

I have a Linux system, and I want to know if there is a log somewhere that would show what files were modified, when, and any other relevant data.

So if, say, there's a hacker and they install a RAT, my question is

can I find out from some log what changes were made, and where it came from?

Not that I personally know of. But there is the ls command that can tell you when files were last modified. If you have a look at its man page, that will show you some options you can use to get more information - like the -la option for one, but not limited to that.

If you wanted to view which files are currently open and by what, you can use the lsof command.

berndbausch 08-26-2019 06:37 AM

Quote:

Originally Posted by lynxlyon2 (Post 6029554)
newbie here, my question is this

I have a Linux system, and I want to know if there is a log somewhere that would show what files were modified, when, and any other relevant data.

So if, say, there's a hacker and they install a RAT, my question is

can I find out from some log what changes were made, and where it came from?

A log of all file changes would be huge, with millions of entries generated in a short time, since there are many, Many, MANY file operations going on at any second, 99.999% of them legitimate. In short, what you are asking is not realistic.

What you describe is accomplished by an intrusion detection system. I think the standard open-source solution in this area is Snort.

Much simpler solution (but for a hacker easy to fool): Commands that check the validity of files belonging to software packages. On an rpm-based system, for example, rpm -V lists the files that were modified in various ways since the package was installed.

syg00 08-26-2019 07:01 AM

Related to your previous posts?

There are audit tools, but you would need to install them prior to your neighbour allegedly invading your router. Best done from somewhere else - a mate's place perhaps.

Firerat 08-26-2019 07:33 AM

debsums will validate the installed packages
note, some files may have changed for good reason, or by yourself
don't get too excited if debsums shows some files changed, instead explore those changes and figure out what the effect is/was

regards
https://www.linuxquestions.org/quest...7/#post6029560
Quote:

so my router is infected by the moron next door, and wifi compromised

i would like to audit my system, but when i type

sudo apt-get install {}

it says my repository changed and i cant seem to find another copy

aka:
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Label' value from 'Parrot Stable Repository' to 'Parrot Rolling Repository'
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Suite' value from 'stable' to 'rolling'
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Codename' value from 'parrot' to 'rolling'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

so how can i get the package straight from the source, or without typing sudo apt-get install {}

where does it get it from is my question
nothing bad going on here
your distro changed stuff
https://blog.parrotlinux.org/repository-changes/

try
Code:

sudo apt-get update
and when prompted accept the changes, you should then be able to upgrade/install as you normally would

if that fails, then make /etc/apt/sources.list.d/parrot.list look like
Code:

# this file was automatically generated by parrot-mirror-selector
deb https://deb.parrot.sh/parrot/ rolling main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling main contrib non-free
deb https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling-security main contrib non-free

( from the blog post )

frankbell 08-26-2019 06:38 PM

There's the BASH history. How far back it goes is configurable. Depending on the distro, out-of-the-box it's commonly configured for 500 or 1000 commands.

berndbausch 08-26-2019 07:42 PM

Quote:

Originally Posted by frankbell (Post 6029850)
There's the BASH history. How far back it goes is configurable. Depending on the distro, out-of-the-box it's commonly configured for 500 or 1000 commands.

Caveat: It only works for interactive commands.

And you'd need to configure it so that commands are saved to file immediately. Otherwise the current shell session's history stays in memory and disappears when you forcibly kill the shell.

frankbell 08-26-2019 08:34 PM

Quote:

It only works for interactive commands
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?

scasey 08-26-2019 09:09 PM

Quote:

Originally Posted by frankbell (Post 6029894)
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?

Something executed by cron is one thing that comes to mind.

One thing I noticed when a system I was administering had a root kit was that the man <command> stopped working for affected commands.
I figured out that I had a problem by looking at the dates (ls -ltr, as posted) on commands and noticing that they were much more recent than they should have been. Dates are not consistent in the /bin and /usr/bin directories, but looking at them occasionally will increase awareness of what's there and what's changed.

I suppose one could do an ls and redirect to a log file on a daily basis, then diff the log files to see if anything changed...but it's still mostly about paying attention.
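The "snapshot daily, then diff" idea from this post, written out as an added example (not code from the thread): it records a content hash plus mode, owner and mtime per file, so a replaced binary shows up even if its timestamp was backdated. It assumes GNU coreutils (sha256sum, stat -c) as found on most Linux systems.

```bash
#!/bin/bash
# Added example, not from the thread. Baseline-and-compare file integrity
# check. Assumes GNU coreutils (sha256sum, stat -c).

# snapshot DIR: one line per regular file, tab-separated:
#   path  sha256  "mode owner mtime"
snapshot() {
    find "$1" -type f -exec sh -c '
        for f; do
            sum=$(sha256sum "$f" | cut -d" " -f1)
            printf "%s\t%s\t%s\n" "$f" "$sum" "$(stat -c "%a %U %Y" "$f")"
        done' _ {} + | sort
}

# compare BASELINE DIR: prints ADDED / REMOVED / CHANGED lines, one per path.
# Empty output means nothing differs from the baseline.
compare() {
    local baseline="$1" dir="$2" current
    current=$(mktemp)
    snapshot "$dir" > "$current"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $0; next }       # load baseline lines
        !($1 in base)       { print "ADDED\t" $1; next }  # path not in baseline
        base[$1] != $0      { print "CHANGED\t" $1 }      # hash/mode/owner/mtime differ
                            { delete base[$1] }           # seen; leftovers were removed
        END { for (p in base) print "REMOVED\t" p }
    ' "$baseline" "$current" | sort
    rm -f "$current"
}

# Typical use: take the baseline while the system is known-good, keep it where
# the machine itself cannot rewrite it (read-only or removable media), and run
# compare from cron or by hand:
#   snapshot /usr/bin > /media/usb/usr-bin.baseline
#   compare /media/usb/usr-bin.baseline /usr/bin
```

A baseline stored on the same disk is only as trustworthy as the disk, which is the same limitation the posters raise for rpm -V and debsums.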

lynxlyon2 08-26-2019 09:49 PM

basically, when my passwords, etc. are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.

I did some googling and found Linux Audit, but at this point, I barely have control of my own system.

berndbausch 08-26-2019 10:19 PM

Quote:

Originally Posted by frankbell (Post 6029894)
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?

Any command you submit without an interactive shell. For example, try this :)
Code:

ssh root@remoteserver sed -i /root/d /etc/passwd
Or a command issued by a service running in the background.

The term interactive shell is defined here: https://www.gnu.org/software/bash/ma...ractive-Shells

berndbausch 08-26-2019 10:25 PM

Quote:

Originally Posted by lynxlyon2 (Post 6029917)
basically, when my passwords, etc. are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.

I did some googling and found Linux Audit, but at this point, I barely have control of my own system.

None of the various measures mentioned here is very useful when the damage is done. You need to set up auditing, intrusion detection, or protective solutions like SELinux or AppArmor before the break-in.

scasey 08-26-2019 11:20 PM

Quote:

Originally Posted by berndbausch (Post 6029923)
None of the various measures mentioned here is very useful when the damage is done. You need to set up auditing, intrusion detection, or protective solutions like SELinux or AppArmor before the break-in.

To which I'd add, before you connect the 'puter to the network. "They" can't hack your system remotely if it's not on the network.

jsbjsb001 08-27-2019 07:55 AM

Quote:

Originally Posted by lynxlyon2 (Post 6029917)
basically, when my passwords, etc. are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.

I did some googling and found Linux Audit, but at this point, I barely have control of my own system.

Well then, physically UNPLUG your machine from your router, or even better, UNPLUG the power cord to the router altogether. Then do what you need to do to secure your system, and/or look at any of these "suspect" files that they "must have changed".

How did "they" let you do any "googling" if you "barely have any control over the system" ? How did they even let you login to begin with ?

I'm sorry, but based on what you've said; I'd have to agree with TB0ne in your other thread - I'm not sure it's technical help you need; I think it's psychological help that's really what you need a lot more of. Even if what you say is true, the very simple (and blindingly obvious) solutions would be; as soon as you get another router, change the default admin password for it to something this "moron" could not guess, then disable the wifi access point on the router. Then make sure its firmware is fully up-to-date; you cannot tell me that would not stop this "moron" - particularly if they really are a "moron".

TB0ne 08-28-2019 06:32 AM

Quote:

Originally Posted by lynxlyon2 (Post 6029917)
basically, when my passwords, etc. are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with. I did some googling and found Linux Audit, but at this point, I barely have control of my own system.

Much like your other threads under your other three accounts??

Again, you string together *JUST ENOUGH* technical words to make it sound like something, but you just don't make sense. And still, you are providing NO EVIDENCE of any 'hacker' getting into your system, aside from wild assertions.
  • How do you know your passwords are 'retrieved'??
  • You claim to 'barely have control' of your own system...how about telling us what it's doing? (kind of odd that this 'moron hacker' who can get into your wifi in less than 10 seconds will let you DO Google searches for how to get rid of them, don't you think?)
  • (from your other thread) "He can get in in under 10 seconds by now. I think he infected my router and re-routed us." ("Re-routed"?? What does that mean??)
And now you're using ParrotOS (from your other thread), because you asserted that Kali was 'bugged', and the mafia was somehow involved.

At what point are you going to provide actual evidence of anything? ANY log files/proof??? You are asking for technical assistance, so it is not unfair to ask what the actual symptoms are, besides speculation and paranoia.
