LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-26-2019, 05:56 AM   #1
lynxlyon2
LQ Newbie
 
Registered: Aug 2019
Posts: 6

Rep: Reputation: 0
System changes


newbie here, my question is this

i have a linux system, and i want to know if there is log somewhere that would show what files were modified, when and any other relevant data.

so if say there's a hacker, and that they install a RAT, my question is

can i find out from some log what changes were made, and where it came from
 
Old 08-26-2019, 06:01 AM   #2
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,420

Rep: Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769
Quote:
Originally Posted by lynxlyon2 View Post
newbie here, my question is this

i have a linux system, and i want to know if there is log somewhere that would show what files were modified, when and any other relevant data.

so if say there's a hacker, and that they install a RAT, my question is

can i find out from some log what changes were made, and where it came from
Not that I personally know of. But there is the ls command that can tell you when files were last modified. If you have a look at it's man page that will show you some options you can use to get more information - like the -la option for one, but not limited to.

If you wanted to view which files are currently open and by what, you can use the lsof command.
 
Old 08-26-2019, 07:37 AM   #3
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 3,964

Rep: Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110
Quote:
Originally Posted by lynxlyon2 View Post
newbie here, my question is this

i have a linux system, and i want to know if there is log somewhere that would show what files were modified, when and any other relevant data.

so if say there's a hacker, and that they install a RAT, my question is

can i find out from some log what changes were made, and where it came from
A log of all file changes would be huge, with millions of entries generated in a short time, since there are many, Many, MANY file operations going on at any second, 99.999% of them legitimate. In short, what you are asking is not realistic.

What you describe is accomplished by an intrusion detection system. I think the standard open-source solution in this area is Snort.

Much simpler solution (but for a hacker easy to fool): Commands that check the validity of files belonging to software packages. On an rpm-based system, for example, rpm -V lists the files that were modified in various ways since the package was installed.

Last edited by berndbausch; 08-26-2019 at 07:38 AM. Reason: added snort url
 
Old 08-26-2019, 08:01 AM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,396

Rep: Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048Reputation: 3048
Related to your previous posts ?.

There are audit tools, but you would need to install them prior to your neighbour allegedly invading your router. Best done from somewhere else - a mates place perhaps.
 
Old 08-26-2019, 08:33 AM   #5
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783
debsums will validate the insatalled packages
note, some files may have changed good reason,, or by yourself
don't get too excited if debsums shows some files changed, instead explore those changes and figure out what the effect is/was

regards
https://www.linuxquestions.org/quest...7/#post6029560
Quote:
so my router is infected by the moron next door, and wifi compromised

i would like to audit my system, but when i type

sudo apt-get install {}

it says my repository changed and i cant seem to find another copy

aka:
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Label' value from 'Parrot Stable Repository' to 'Parrot Rolling Repository'
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Suite' value from 'stable' to 'rolling'
E: Repository 'http://deb.parrotsec.org/parrot stable InRelease' changed its 'Codename' value from 'parrot' to 'rolling'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

so how can i get the package straight from the source, or without typing sudo apt-get install {}

where does it get it from is my question
nothing bad going on here
your distro changed stuff
https://blog.parrotlinux.org/repository-changes/

try
Code:
sudo apt-get update
and when prompted accept the changes, you should then be able to upgrade/install as you normal would

if that fails, then make /etc/apt/sources.list.d/parrot.list look like
Code:
# this file was automatically generated by parrot-mirror-selector
deb https://deb.parrot.sh/parrot/ rolling main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling main contrib non-free
deb https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
( from the blog post )
 
Old 08-26-2019, 07:38 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,790
Blog Entries: 27

Rep: Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635
There's the BASH history. How far back it goes is configurable. Depending on the distro, out-of-the-box it's commonly configured for 500 or 1000 commands.
 
Old 08-26-2019, 08:42 PM   #7
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 3,964

Rep: Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110
Quote:
Originally Posted by frankbell View Post
There's the BASH history. How far back it goes is configurable. Depending on the distro, out-of-the-box it's commonly configured for 500 or 1000 commands.
Caveat: It only works for interactive commands.

And you'd need to configure it so that commands are saved to file immediately. Otherwise the current shell session's history stays in memory and disappears when you forcibly kill the shell.
 
Old 08-26-2019, 09:34 PM   #8
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,790
Blog Entries: 27

Rep: Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635Reputation: 4635
Quote:
It only works for interactive commands
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?
 
Old 08-26-2019, 10:09 PM   #9
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,267

Rep: Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495
Quote:
Originally Posted by frankbell View Post
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?
Something executed by cron is one thing that comes to mind.

One thing I noticed when a system I was administering had a root kit was that the man <command> stopped working for affected commands.
I figured out that I had a problem by looking at the dates (ls -ltr, as posted) on commands and noticing that they were much more recent than they should have been. Dates are not consistent in the /bin and /usr/bin directories, but looking at them occasionally will increase awareness of what's there and what's changed.

I suppose one could do an ls and redirect to a log file on a daily basis, then diff the log files to see if anything changed...but it's still mostly about paying attention.
 
Old 08-26-2019, 10:49 PM   #10
lynxlyon2
LQ Newbie
 
Registered: Aug 2019
Posts: 6

Original Poster
Rep: Reputation: 0
basically, when my passwords, etc are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.

I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
 
Old 08-26-2019, 11:19 PM   #11
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 3,964

Rep: Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110
Quote:
Originally Posted by frankbell View Post
Just to help me learn something, what is a "non-interactive (for lack of a better term) command"?
Any command you submit without an interactive shell. For example, try this
Code:
ssh root@remoteserver sed -i /root/d /etc/passwd
Or a command issued by a service running in the background.

The term interactive shell is defined here: https://www.gnu.org/software/bash/ma...ractive-Shells

Last edited by berndbausch; 08-26-2019 at 11:21 PM.
 
Old 08-26-2019, 11:25 PM   #12
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 3,964

Rep: Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110Reputation: 1110
Quote:
Originally Posted by lynxlyon2 View Post
basically, when my passwords, etc are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.

I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
None of the various measures mentioned here is very useful when the damage is done. You need to set up auditing, intrusion detection, or protective solutions like SELinux or AppArmor before the break-in.
 
Old 08-27-2019, 12:20 AM   #13
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,267

Rep: Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495Reputation: 1495
Quote:
Originally Posted by berndbausch View Post
None of the various measures mentioned here is very useful when the damage is done. You need to set up auditing, intrusion detection, or protective solutions like SELinux or AppArmor before the break-in.
To which I'd add, before you connect the 'puter to the network. "They" can't hack your system remotely if it's not on the network.
 
1 members found this post helpful.
Old 08-27-2019, 08:55 AM   #14
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: Currently OpenMandriva. Previously openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,420

Rep: Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769Reputation: 1769
Quote:
Originally Posted by lynxlyon2 View Post
basically, when my passwords, etc are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with.

I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
Well then, physically UNPLUG your machine from your router, or even better, UNPLUG the power cord to the router altogether. Then do what you need to do to secure your system, and/or look at any of these "suspect" files that they "must have changed".

How did "they" let you do any "googling" if you "barely have any control over the system" ? How did they even let you login to begin with ?

I'm sorry, but based on what you've said; I'd have to agree with TB0ne in your other thread - I'm not sure it's technical help you need; I think it's psychological help that's really what you need a lot more of. Even if what you say is true, the very simple (and blindingly obvious) solutions would be; as soon as you get another router, change the default admin password for it to something this "moron" could not guess, then disable the wifi access point on the router. Then make sure it's firmware is fully up-to-date; you cannot tell me that would not stop this "moron" - particularly if they really are a "moron".
 
1 members found this post helpful.
Old 08-28-2019, 07:32 AM   #15
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 22,235

Rep: Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973Reputation: 5973
Quote:
Originally Posted by lynxlyon2 View Post
basically, when my passwords, etc are retrieved, the hacker has to be in my system and modify files, add files, change them, etc.

he just might leave a piece of himself behind as well, or at the very least, i'd know which system files he messed with. I did some googling and found Linux Audit, but at this point, I barely have control of my own system.
Much like your other threads under your other three accounts??

Again, you string together *JUST ENOUGH* technical words to make it sound like something, but you just don't make sense. And still, you are providing NO EVIDENCE of any 'hacker' getting in to your system, aside from wild assertions.
  • How do you know your passwords are 'retrieved'??
  • You claim to 'barely have control' of your own system...how about telling us what it's doing? (kind of odd that this 'moron hacker' who can get into your wifi in less than 10 seconds will let you DO Google searches for how to get rid of them, don't you think?)
  • (from your other thread) "He can get in in under 10 seconds by now. I think he infected my router and re-routed us." ("Re-routed"?? What does that mean??)
And now you're using ParrotOS (from your other thread), because you asserted that Kali was 'bugged', and the mafia was somehow involved.

At what point are you going to provide actual evidence of anything? ANY log files/proof??? You are asking for technical assistance, so it is not unfair to ask what the actual symptoms are, besides speculation and paranoia.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Technology Changes Us, Changes Society, and Changes Governments LXer Syndicated Linux News 0 10-10-2016 03:00 PM
how to make my root system behave like a live system but preserve changes when shutdown? ahmed.alamassi Linux - Newbie 2 04-18-2016 03:42 PM
Intercept frequency changes and C states changes klub Linux - Kernel 1 03-25-2011 05:43 PM
Changes to /etc files revert changes after reboot yeahya Linux - General 2 11-22-2010 09:42 PM
alsamixer changes emu10k1 levels everytime xmms changes songs sulzla Linux - Software 0 06-30-2003 12:05 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration