Linux hacked

Posted on 2005-05-10
Last Modified: 2013-11-15
Dear Experts,

I suspect that my Linux machine was hacked by someone.

Some of my bin files have been changed and the permissions are quite strange; for example, some are now owned by UID 500, which is definitely not a user on my system.

One of my friends also suffered from that attack, but he said he just recovered the machine by copying the bin files from another machine one by one. I think that's really troublesome and unclean.

Do you have any convenient solutions (except reinstalling the machine)?
P.S. My machine works fine, except that some bin files have been changed.

Thank you!
Question by: secret_boy
    LVL 11

    Expert Comment

    You can configure this policy:
    computer configuration\windows settings\security settings\local policies\User rights assignment
    Look also here:
    Hope it helps, Elbereth
    LVL 11

    Expert Comment

    I am really sorry, wrong (Quick) post
    LVL 87

    Expert Comment

    UserID 500 normally is the first user created after root, so this is likely a legitimate user. Maybe this user had root privileges, which would have allowed him to install programs to /bin, and possibly later he got deleted.

    Author Comment

    Thanks for your quick reply. I don't think it's a legitimate user, as my bin files have been changed and protected by someone.

    I can give you more details:

    Months ago, my machine was totally compromised by someone (I don't know whether it is related to this incident). All my services, etc., were cracked; fortunately, I had a backup from a week earlier and recovered it with that copy.

    After recovering the machine, it worked fine. Some weeks later, my friend reminded me to double-check the other bin files, which may have been changed by someone, and some of them had been changed.

    Would you tell me how to check and scan for which files have been changed?
    LVL 87

    Expert Comment

    Sorry, I wouldn't know that. I think we'll have to wait for someone else to help.
    LVL 6

    Assisted Solution

    "Do you have any convenient solutions (except reinstalling the machine)?"

    secret_boy: Forgive me for being rude, but if a system got hacked, then unless one knows exactly what has been changed (e.g. through some intrusion detection system), a new installation is the only reliable way.

    "P.S. My machine works fine, except that some bin files have been changed."

    This is typical: a hacker, at least a good one, wants to use this computer to his advantage. So few changes will be made, but he can use it as a base for further hacking, bringing trouble for you if he gets traced back to your server.

    If you do not want to do the whole configuration again, save the config files from /etc and copy them into your new installation.

    Another possibility is a repair installation after deleting the bin and sbin folders, and the lib part too. Sometimes it works, sometimes not; I recommend the new installation. Why did your computer get hacked? Do you offer any server services? Most new distros have a firewall included, which, when activated, is rather powerful and safe.

    LVL 12

    Expert Comment

    In addition to the above:
    seeing that it happened before...

    You have something which can be (easily) compromised.

    Patch, update, etc., and get a firewall set up properly.
    LVL 16

    Expert Comment

    I am not too familiar with Linux, but isn't there some sort of log file you can check to catch this?
    LVL 8

    Assisted Solution

    If you used RPMs to install these bin files, you can check and see if they have been changed since they were installed.

    rpm -qf /bin/file
    This will tell you the package.
    rpm -Vv packagename
    This will show you a bunch of files with dots to the left.

    Size, Mode (permissions), MD5sum, Device, readLink mismatch, User ownership differs, Group ownership differs, mTime differs.

    If you see
    S.5....T = size, MD5sum, mTime differ from time of install.

    hope this helps
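As an added example (not code from the thread), here is a shell script that decodes that flag column and triages rpm -V output line by line. rpm itself only reports which attributes differ; the REPLACED/METADATA/MINOR/CONFIG severity is this script's own policy, not anything rpm defines. Later rpm versions print a ninth column (P, file capabilities), so the decoder accepts both the eight-column layout shown above and the nine-column one. The five sample lines are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): decode and triage `rpm -V` output.
# rpm prints one line per file that fails verification: a column of
# attribute flags (S M 5 D L U G T, plus P on newer rpm; '.' = passed,
# '?' = could not be tested), an optional file type (c = config, d = doc,
# g = ghost, l = license, r = readme) and the path, or "missing <path>".

# decode_rpm_flags FLAGS -> comma-separated attributes that differ, or "ok"
decode_rpm_flags() {
    flags=$1
    result=""
    i=1
    while [ "$i" -le "${#flags}" ]; do
        c=$(printf '%s' "$flags" | cut -c "$i")
        case $c in
            '.'|'?') ;;
            S) result="$result,size" ;;
            M) result="$result,mode" ;;
            5) result="$result,digest" ;;
            D) result="$result,device" ;;
            L) result="$result,link" ;;
            U) result="$result,user" ;;
            G) result="$result,group" ;;
            T) result="$result,mtime" ;;
            P) result="$result,caps" ;;
            *) result="$result,unknown:$c" ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$result" ]; then printf '%s\n' "${result#,}"; else printf 'ok\n'; fi
}

# classify_rpm_line LINE -> one triage line. The policy is this script's, not rpm's:
# a digest or size change on a non-config file means the contents were replaced;
# mode/user/group changes alone are metadata tampering (think setuid bits);
# anything else (mtime only) is low priority; config files are expected to drift.
classify_rpm_line() {
    set -f                  # no globbing while splitting the line into words
    set -- $1
    if [ "$1" = "missing" ]; then
        printf 'MISSING  %s\n' "$2"
        return
    fi
    flags=$1
    if [ $# -ge 3 ]; then type=$2; path=$3; else type=""; path=$2; fi
    what=$(decode_rpm_flags "$flags")
    if [ "$type" = "c" ]; then
        printf 'CONFIG   %s (%s)\n' "$path" "$what"
        return
    fi
    case ",$what," in
        *,digest,*|*,size,*)         printf 'REPLACED %s (%s)\n' "$path" "$what" ;;
        *,mode,*|*,user,*|*,group,*) printf 'METADATA %s (%s)\n' "$path" "$what" ;;
        *)                           printf 'MINOR    %s (%s)\n' "$path" "$what" ;;
    esac
}

# triage_rpm_output TEXT -> one triage line per verification failure
triage_rpm_output() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && classify_rpm_line "$line"
    done
}

# Constructed sample of what `rpm -Va` might print on a tampered host
# (not captured from a real machine).
SAMPLE='S.5....T.  /bin/ls
.M...UG..  /bin/ps
.......T.  d /usr/share/doc/coreutils/README
S.5....T.  c /etc/profile
missing     /usr/bin/chattr'

# On a real host:  rpm -Va 2>/dev/null | while IFS= read -r l; do classify_rpm_line "$l"; done
triage_rpm_output "$SAMPLE"
```

Two caveats a practitioner would add: rpm -V only covers files that came from a package, so a binary dropped into /usr/local/bin never appears (rpm -qf on anything odd answers "not owned by any package"), and the rpm binary and its database sit on the same disk the intruder controls, so a clean result is not proof of a clean machine; the reinstall advice elsewhere in this thread still stands.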
    LVL 38

    Accepted Solution

    Figuring out which files have been replaced by the hacker is a very time-consuming process.

      I suggest that you perform a fresh OS install, install a firewall on your box, turn off all the unwanted services, and close the ports to the outside world.

      Please read http:Q_20540243.html

      to learn more details.

    Expert Comment

    Yes, I know you don't want to hear it, but the only thing to do when you have been compromised in Linux is to do a clean install.  Wipe everything and restore ONLY the backup data files etc., no bins or anything like that.  Make sure you keep your OS up to date with security patches in the future, and install a good firewall. Install a program called tripwire.  This will do what you are requesting now.  It checks all the sensitive files on your system when it is run; then in future you can run tripwire and it will tell you if any of these files have been modified from the files that were listed when you made a clean install.  Of course, if you update your system in any way you need to tell tripwire YOU have changed the sensitive files and not a malicious hacker.

    Good luck in future
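Added example, not from the thread and not tripwire itself: the same baseline-then-compare idea done with coreutils only (find, stat, sha256sum, awk; GNU versions assumed), plus a find -nouser check for files owned by a UID that no longer exists in /etc/passwd, which is the symptom the original question describes. The directory and its "binaries" are constructed in a temp dir so the script runs anywhere; the file names mimic /bin but nothing on the real system is touched.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal tripwire-style baseline check
# built from coreutils. Assumes GNU find/stat/sha256sum/awk (Linux).
# Workflow: run snapshot on a known-clean system, store the result where the
# host cannot rewrite it (read-only media, another machine), and later run
# compare to see what drifted.

# snapshot DIR -> tab-separated lines: sha256 <TAB> uid:gid <TAB> mode <TAB> path
snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        set -- $(stat -c '%u:%g %a' "$f")      # $1 = uid:gid, $2 = octal mode
        printf '%s\t%s\t%s\t%s\n' "$sum" "$1" "$2" "$f"
    done
}

# compare BASELINE_FILE DIR -> CHANGED / NEW / MISSING lines, sorted; empty means clean
compare() {
    snapshot "$2" | awk -F '\t' -v basefile="$1" '
        BEGIN {
            while ((getline l < basefile) > 0) {
                split(l, a, FS)
                bsum[a[4]] = a[1]; bown[a[4]] = a[2]; bmode[a[4]] = a[3]
            }
        }
        {
            p = $4
            if (!(p in bsum)) { print "NEW      " p; next }
            seen[p] = 1
            why = ""
            if (bsum[p]  != $1) why = "digest"
            if (bown[p]  != $2) why = why (why != "" ? "," : "") "owner(" bown[p] " -> " $2 ")"
            if (bmode[p] != $3) why = why (why != "" ? "," : "") "mode(" bmode[p] " -> " $3 ")"
            if (why != "") print "CHANGED  " p " " why
        }
        END { for (p in bsum) if (!(p in seen)) print "MISSING  " p }
    ' | LC_ALL=C sort
}

# orphaned_owners DIR -> files whose uid or gid has no entry in /etc/passwd or
# /etc/group: the "owned by UID 500, which is not a user here" symptom.
orphaned_owners() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# demo -> runs the whole cycle on a constructed directory (not a real /bin)
demo() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    printf 'original id\n' > "$d/bin/id"
    chmod 755 "$d/bin/ls" "$d/bin/ps" "$d/bin/id"
    snapshot "$d/bin" > "$d/baseline.tsv"      # on a real host: copy this off-box now
    printf 'trojaned ls\n' > "$d/bin/ls"       # replaced binary: digest changes
    chmod 4755 "$d/bin/ps"                      # setuid bit added: mode changes
    rm "$d/bin/id"                              # deleted binary
    printf 'x\n' > "$d/bin/.hidden"            # dropped file the baseline never saw
    compare "$d/baseline.tsv" "$d/bin" | sed "s|$d||"
    rm -rf "$d"
}

demo
```

Tripwire's caveat applies unchanged: if the intruder replaced sha256sum, find or the kernel, a check run from the compromised system can be lied to, so run it from trusted boot media or compare the digests on another machine. The baseline also needs regenerating after every legitimate package update, exactly as the comment above says for tripwire.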

    Author Comment

    Thank you very much for all your valuable opinions, guys.
