-   Linux - Security
-   -   Hackers

consty 08-20-2004 03:19 PM

I would like to know the files a hacker can modify in my DNS server under RedHat9. How can I trace? Thanks for help.

SocialEngineer 08-20-2004 04:18 PM

If a hacker can gain root access, they can modify any file. Otherwise they are limited to the files available to whatever user they have shell access to.

masand 08-20-2004 05:02 PM


To see the tracks of any hacker you need to keep a tab on the utmp wtmp files.



RHLinuxGUY 08-20-2004 05:16 PM

Aren't hackers really called "crackers"? And a hacker is a person who messes with a program's source code?

masand 08-20-2004 05:20 PM

It is the crackers that do some wrong work.
Hackers are those who possess good computer knowledge.
Nowadays we call anyone compromising a system a HACKER while they should be called crackers.


SocialEngineer 08-20-2004 05:32 PM

Yeah. I got tired of correcting everybody on the difference between a hacker and cracker, so I just let them live in ignorance (since they forget it 5 seconds later anyway).

stickman 08-20-2004 05:43 PM


Originally posted by masand
To see the tracks of any hacker you need to keep a tab on the utmp wtmp files.

This is not accurate. utmp and wtmp are written to by programs like login, and other processes that use a login facility. Not all exploits are going to create an entry in these files. In addition, a user account with the appropriate access can "clean" these files. If you are simply waiting around for "hacker" (or some other equally recognizable username) to show up in your last output then you're probably going to miss them.

iceman47 08-20-2004 05:46 PM


Originally posted by SocialEngineer
Yeah. I got tired of correcting everybody on the difference between a hacker and cracker, so I just let them live in ignorance (since they forget it 5 seconds later anyway).

Nice to hear that, please refer to RFC1392 while doing so.

masand 08-20-2004 05:48 PM

Other than these, I think you cannot look out for any tracks in the system.
Yes, they can be cleaned, which erases the tracks of the hacker who had logged in to the machine, so if this happens they cannot be tracked.

I do not think we have any other file to check for login records.


stickman 08-20-2004 05:57 PM

I think you're missing the point. A person who is breaking into a system is not always going to use a method that creates wtmp entries for you to see in last output. You need to rely on other methods besides watching two files. Other methods for detecting an intrusion include log entries, unusual files (i.e. rootkits), suddenly appearing processes or binaries, modified config files or binaries, etc. If your only method for detecting an intrusion is watching wtmp, then your chances of discovering an attack are severely impaired.

masand 08-20-2004 06:35 PM

Hi there,

Looking at utmp/wtmp happens to be the most classical way of looking out for hackers. It is true that we cannot entirely rely upon these, but the truth is we cannot always be sure that all the methods we apply are sufficient to track hackers.

Also, maybe we may catch someone using these files as well!

I think more on this can be tripwire.

I was just mentioning one way to check for hackers.
There are better ways also, I agree on that....


iceman47 08-20-2004 07:07 PM

If you're hit by a guy or girl that really knows what he/she's doing, nothing but an integrity db
kept on non-removable media can help you.
Logfiles could be modified/erased, kernel backdoored, etc...
In other words, you can't trust your system anymore.

consty 08-23-2004 04:36 AM

Thanks everybody for the concern.
In addition I have been told that "monit" and "tripwire" are monitor tools that could help.

Capt_Caveman 08-23-2004 05:16 AM

Checking for file alteration is really something you should have done before your system's security has been compromised. Once someone has cracked your system and modified/installed various files, it's entirely possible for them to access your machine at will without modifying any further files. You should always install something like tripwire, samhain, afick, etc. immediately after installing and configuring your system, not after you believe someone has broken in.

You haven't really mentioned why you think the system has been compromised in the first place. Could you give us some specifics? Without much to go on, on a Redhat system (actually on any RPM system), you can verify the integrity of the packages by doing rpm -Va. Test for the presence of a rootkit by downloading and running chkrootkit and/or rootkit hunter. Check for abnormal SUID root files. Check /etc/passwd for new users or users other than root with a UID of 0. If that still doesn't turn up anything and you are fairly convinced that it's been cracked, download a "Live" CD-ROM based distro like Knoppix-STD or FIRE. Boot the system with the Live CD and mount the compromised file-system read-only. You can then look around the file system without worrying that anything has been hidden by a rootkit.

As a note about utmp/wtmp, this is a fairly ineffective way to identify intrusion, especially if used as your only means. Having a shell bound to a listening port or even a backdoored daemon can entirely bypass logging (as has been pointed out multiple times already). In fact, I've seen more intruders identified by the fact that wtmp had been modified or deleted entirely than by finding anomalous login entries there. That being said, I certainly would check it, however I wouldn't have much confidence in a clean utmp/wtmp.
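
The offline checks listed in the post above, collected into one script. This is an added example, not part of the original thread; the function names, the 384-byte wtmp record size (glibc on x86 Linux) and the sample data built by make_sample_root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline checks against a suspect filesystem mounted
# read-only from a live CD. The mount point is passed as $1.

# Accounts other than root whose UID (passwd field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Root-owned SUID regular files; compare against a clean install's list.
suid_root_files() {
    find "$1" -xdev -type f -uid 0 -perm -4000 -print 2>/dev/null
}

# wtmp holds fixed-size records (assumed 384 bytes, glibc on x86 Linux).
# Prints one of: missing | empty | misaligned | ok
wtmp_status() {
    f="$1/var/log/wtmp"
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    size=$(($(wc -c < "$f")))
    if [ "$size" -eq 0 ]; then echo empty
    elif [ $((size % 384)) -ne 0 ]; then echo misaligned
    else echo ok; fi
}

# Constructed fixture so the checks can be tried without a real image.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/var/log"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'named:x:25:25:Named:/var/named:/sbin/nologin' \
        'svc:x:0:0::/home/svc:/bin/bash' > "$d/etc/passwd"
    # 500 bytes is not a multiple of 384, so this wtmp reads as misaligned.
    dd if=/dev/zero of="$d/var/log/wtmp" bs=500 count=1 2>/dev/null
    echo "$d"
}

triage() {
    echo "== UID 0 accounts other than root:"; uid0_accounts "$1"
    echo "== SUID root files:";                suid_root_files "$1"
    echo "== wtmp: $(wtmp_status "$1")"
    # rpm -Va is the check named in the post; --root points it at the mount.
    if command -v rpm >/dev/null 2>&1; then
        echo "== rpm -Va:"; rpm -Va --root "$1" || true
    fi
}

if [ $# -gt 0 ]; then triage "$1"; fi
```

An empty wtmp can also be the result of normal log rotation, so "empty" is a prompt to check the rotation schedule rather than proof of tampering. rpm -Va reads the RPM database stored on the suspect disk, so a clean result carries less weight than a reported mismatch.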

consty 08-25-2004 04:02 PM

Thanks again,
In fact the system hung at "INIT:Version 2.84 booting"; booting from CD in rescue mode showed 2 new users named "hack" and "http" connected one day before the hangup with a foreign IP address (who -u wtmp). In addition, the home directory of user hack contains a directory called "selena" which houses files like: assl, oops, pscan2, ssl, sslex, sslx, ssx, su, runer, etc ...

All times are GMT -5.