Linux hacked

Dear Experts,

I suspect that my Linux machine was hacked by someone.

Some of my bin files have been changed and the permissions are quite strange; for example, some are changed to UID 500, which is definitely not a user on my account.

One of my friends is also suffering from that attack, but he said he just recovered the machine by copying the bin files from another machine one by one; I think that's really troublesome and unclean.

Do you have any convenient solutions? (except reinstalling the machine)
P.S. My machine works fine... except that some bin files are changed.

Thank you!
yuzh Commented:
To figure out what files have been replaced by the hacker is a very time-consuming process.

  I suggest that you perform a fresh OS install, install a firewall on your box, turn off
all the unwanted services, and close the ports to the outside world.

  Please read http:Q_20540243.html to learn more details.
You can configure this policy:
computer configuration\windows settings\security settings\local policies\User rights assignment
Look also here:
Hope it helps, Elbereth
I am really sorry, wrong (Quick) post

UserID 500 normally is the first user created after root, so this is likely a legitimate user. Maybe this user had root privileges which would have allowed him to install programs to /bin, and possibly later he got deleted.
secret_boy (Author) Commented:
Thanks for your quick reply. I don't think it's a legitimate user,
as my bin files are changed and protected by someone.

I may give you more details:

Months ago, my machine was totally compromised by someone (I don't know whether it is related to this incident). All my services, etc. were cracked; fortunately, I had a backup from a week earlier and recovered it with that copy.

After recovering the machine, it worked fine. Some weeks later, my friend reminded me to double-check the other bin files, which may have been changed by someone, and some of them had been changed.

Would you tell me how to check and scan for which files have been changed?
Sorry, that I wouldn't know. I think we'll have to wait for someone else to help.
al-hasan Commented:
"Do you have any convenient solutions? (except reinstalling the machine)"

secret_boy: Forgive me for being rude, but if a system got hacked, and unless one knows exactly what has been changed (e.g. through some intrusion detection system), a new installation is the only reliable way.

"p.s. my machine works fine..........except some bin files are changed."

It is typical that a hacker, at least a good one, wants to use this computer to his advantage. So few changes will be made, but he can use it as a base for further hacking, bringing trouble for you if he gets traced back to your server.

If you do not want to do the whole configuration again, save the config files from /etc and copy them into your new installation.

Another possibility is a repair installation after deleting the bin and sbin folders, and the lib part too. Sometimes it works, sometimes not - I recommend the new installation. Why did your computer get hacked, do you offer any server services? Most new distros have a firewall included, which when activated is rather powerful and safe.

In addition to the above:
seeing it happened before...

You have something which can be (easily) compromised.

Patch, update, etc.,
and get a firewall set up properly.
I am not too familiar with Linux, but isn't there some sort of log file you can check to catch this?
edkim80 Commented:
If you used RPMs to install these bin files, you can check and see if they have been changed since they were installed.

rpm -qf /bin/file
This will tell you the package.
rpm -Vv packagename
This will show you a bunch of files with dots to the left:

Size, Mode (permissions), MD5sum, Device, readLink mismatch, User ownership differs, Group ownership differs, mTime differs.

If you see
S.5....T = size, md5sum and mTime differ from the time of install.

Hope this helps.
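The flag letters edkim80 describes are easy to misread by eye across a long package list, so here is a small parser for that output format. This is an added example written for this page, not code from the poster or from rpm itself; the sample lines are constructed in rpm -V's layout (the nine-column form that newer rpm versions print, which also covers the eight-column form shown in the post), and the "needs attention" rule (content, mode, owner, device or link-target changes on non-config files; only mode/owner changes on config files; any missing file) is this example's own heuristic.

```python
import re
from dataclasses import dataclass, field

# Attribute columns in the order rpm -V prints them. The first eight are the
# ones listed in the post; "P" (capabilities) is a ninth column added by newer
# rpm versions, and "?" means the test could not be performed.
ATTR_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "digest (MD5/SHA) differs",
    "D": "device major/minor number mismatch",
    "L": "readLink path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mTime differs",
    "P": "capabilities differ",
}

# One verify line: 8-9 attribute chars (or the word "missing"), an optional
# file-type column (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP?.]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Heuristic (this example's own): changes that point at a replaced or tampered
# file rather than normal use. For config files only ownership/mode changes
# count, because their contents are expected to differ from the packaged default.
TAMPER_ATTRS = {"S", "M", "5", "D", "L", "U", "G"}
CONFIG_TAMPER_ATTRS = {"M", "U", "G"}


@dataclass
class VerifyEntry:
    path: str
    attrs: set = field(default_factory=set)
    ftype: str = ""
    missing: bool = False

    def describe(self):
        if self.missing:
            return f"{self.path}: file is missing"
        changes = ", ".join(ATTR_MEANINGS.get(a, "could not be checked") for a in sorted(self.attrs))
        return f"{self.path}: {changes}"


def parse_rpm_verify(text):
    """Parse `rpm -V` / `rpm -Vv` output into VerifyEntry objects, in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # rpm -Vv also prints other chatter; skip anything that is not a verify line
            continue
        attrs = m.group("attrs")
        if attrs == "missing":
            entries.append(VerifyEntry(m.group("path"), ftype=m.group("ftype") or "", missing=True))
        else:
            flags = {c for c in attrs if c != "."}
            entries.append(VerifyEntry(m.group("path"), flags, m.group("ftype") or ""))
    return entries


def suspicious_files(entries):
    """Return the paths an admin should look at first (see TAMPER_ATTRS above)."""
    out = []
    for e in entries:
        if e.missing:
            out.append(e.path)
            continue
        relevant = CONFIG_TAMPER_ATTRS if e.ftype == "c" else TAMPER_ATTRS
        if e.attrs & relevant:
            out.append(e.path)
    return out


# Constructed sample output in rpm -V's format (not captured from a real host).
SAMPLE_OUTPUT = """\
SM5....T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/coreutils/README
....L....    /usr/bin/vi
missing      /sbin/ifconfig
"""

if __name__ == "__main__":
    entries = parse_rpm_verify(SAMPLE_OUTPUT)
    for entry in entries:
        print(entry.describe())
    print("needs attention:", suspicious_files(entries))
```

Feed it the output of `rpm -Va` (verify everything) rather than one package at a time; note that an edited sshd_config only shows size/digest/mtime changes and is left out of the "needs attention" list, whereas the replaced /bin/ls and the vi symlink pointing somewhere new are not. Also keep in mind that rpm's own database lives on the same disk, so a thorough intruder can update it too; this check is evidence, not proof.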
Yes, I know you don't want to hear it, but the only thing to do when you have been compromised in Linux is to do a clean install.  Wipe everything and restore ONLY the backup data files etc., no bins or anything like that.  Make sure you keep your OS up to date with security patches in the future, and install a good firewall. Install a program called tripwire.  This will do what you are requesting now.  It checks all the sensitive files on your system when it is run; then in future you can run tripwire and it will tell you if any of these files have been modified from the files that were listed when you made a clean install.  Of course, if you update your system in any way you need to tell tripwire YOU have changed the sensitive files and not a malicious hacker.

Good luck in future
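To make the tripwire idea concrete, here is a minimal baseline-and-compare checker written for this page as an added example; it is not tripwire's code and not from the poster. It records each file's hash, mode, owner and size right after a clean install, stores that manifest with an HMAC so edits to the manifest itself are caught, and on later runs reports files that were added, removed or changed. The key name DEMO_KEY and the demo() tree are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Assumed secret for authenticating the manifest (constructed for this demo);
# in practice it is entered at run time and the manifest kept on read-only or
# offline media, since an intruder with root can otherwise rewrite both.
DEMO_KEY = b"constructed-demo-key"


def file_record(path):
    """Snapshot of one file's attributes, roughly what tripwire records."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)  # a symlink's "content" is its target
    else:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Walk root and record every file and symlink, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def save_baseline(baseline, manifest_path, key):
    """Write the baseline with an HMAC so a silently edited manifest is detected."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(manifest_path, "w") as f:
        json.dump({"baseline": baseline, "hmac": tag}, f, sort_keys=True)


def load_baseline(manifest_path, key):
    """Read the manifest back and refuse it if the HMAC does not verify."""
    with open(manifest_path) as f:
        doc = json.load(f)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest failed HMAC check: tampered with or wrong key")
    return doc["baseline"]


def compare_baseline(old, new):
    """Report files added, removed, or changed (with the attributes that differ)."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            diffs = sorted(k for k in old[rel] if old[rel][k] != new[rel].get(k))
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo():
    """Build a tiny constructed tree, baseline it, replace a 'binary', re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    ls = os.path.join(root, "bin", "ls")
    with open(ls, "w") as f:
        f.write("original ls binary")
    os.chmod(ls, 0o755)
    manifest = os.path.join(tempfile.mkdtemp(), "baseline.json")  # kept outside root
    save_baseline(build_baseline(root), manifest, DEMO_KEY)

    # Simulate what the poster saw: a replaced binary plus a new file in bin/
    with open(ls, "w") as f:
        f.write("replaced")
    with open(os.path.join(root, "bin", "newtool"), "w") as f:
        f.write("x")

    return compare_baseline(load_baseline(manifest, DEMO_KEY), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as root over /bin, /sbin, /usr/bin and /lib straight after the clean install, and re-run it after every package update to refresh the baseline, which is exactly the "tell tripwire YOU changed it" step the post mentions; a report that appears between updates is what warrants investigation.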
secret_boy (Author) Commented:
Thank you very much for your valuable opinions, guys.