secret_boy

asked on
Linux hacked

Dear Experts,

I suspect that my Linux machine was hacked by someone.

Some of my bin files have been changed and their permissions are quite strange; for example, some have been changed to UID 500, which is definitely not a user on my account.

One of my friends is also suffering from that attack, but he said he just recovered his machine by copying the bin files from another machine one by one, but I think that is really troublesome and unclean.

Do you have any convenient solutions? (except reinstalling the machine)
p.s. my machine works fine... except that some bin files are changed.

Thank you!
elbereth21

You can configure this policy:
computer configuration\windows settings\security settings\local policies\User rights assignment
Look also here:
http://www.jsifaq.com/subm/tip6100/rh6131.htm
Hope it helps, Elbereth
I am really sorry, wrong (Quick) post
rindi
User ID 500 normally is the first user created after root, so this is likely a legitimate user. Maybe this user had root privileges, which would have allowed him to install programs to /bin, and possibly later he got deleted.
secret_boy

ASKER

Thanks for your quick reply. I don't think it's a legitimate user,
as my bin files have been changed and protected by someone.

I may give you more details:

Months ago, my machine was totally compromised by someone (I don't know whether it is related to this incident). All my services, etc. were cracked; fortunately, I had a backup from a week earlier and recovered it with that copy.

After recovering the machine, it worked fine. Some weeks later, my friend reminded me to double-check the other bin files, which may have been changed by someone, and some of them had been changed.

Would you tell me how to check and scan over which files are changed?
Sorry, that I wouldn't know. I think we'll have to wait for someone else to help.
SOLUTION
al-hasan
In addition to the above:
seeing it happened before...

You have something which can be (easily) compromised.

Patch, update etc
and get a firewall set up properly.
I am not too familiar with Linux, but isn't there some sort of log file you can check to catch this?
SOLUTION
ASKER CERTIFIED SOLUTION
Yes, I know you don't want to hear it, but the only thing to do when you have been compromised in Linux is to do a clean install. Wipe everything and restore ONLY the backup data files etc., no bins or anything like that. Make sure you keep your OS up to date with security patches in the future, and install a good firewall. Install a program called tripwire. This will do what you are requesting now. It checks all the sensitive files on your system when it is run, then in the future you can run tripwire and it will tell you if any of these files have been modified from the files that were listed when you made a clean install. Of course, if you update your system in any way you need to tell tripwire YOU have changed the sensitive files and not a malicious hacker.

Good luck in the future
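The baseline-then-compare workflow the accepted answer describes for tripwire, as an added example that is not part of this thread and not Tripwire's own code. It assumes GNU coreutils (sha256sum, stat -c) and a directory whose paths contain no whitespace, and it also records owner and mode so that the UID-500 ownership change from the question would be flagged, not just content changes:

```shell
#!/bin/sh
# Added example, not code from the thread: a tiny tripwire-style integrity
# check. Assumes GNU coreutils (sha256sum, stat -c) and paths with no spaces.
# Keep the baseline file off the machine (or on read-only media): anyone with
# root on a compromised host can rewrite it to hide their changes.

# record_baseline DIR OUT
# Writes one line per regular file under DIR: <path> <sha256> <mode> <uid> <gid>
record_baseline() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s %s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" \
      "$(stat -c '%a %u %g' "$f")"
  done > "$2"
}

# compare_baseline DIR BASELINE
# Prints one line per difference (MODIFIED, OWNER_OR_MODE, ADDED, REMOVED).
# Returns 0 when the tree still matches the baseline, 1 when anything changed.
compare_baseline() {
  now=$(mktemp)
  record_baseline "$1" "$now"
  report=$(awk '
    FILENAME == ARGV[1] { old[$1] = $2 " " $3 " " $4 " " $5; next }
    { cur[$1] = $2 " " $3 " " $4 " " $5 }
    END {
      for (p in old) if (!(p in cur)) print "REMOVED " p
      for (p in cur) {
        if (!(p in old)) { print "ADDED " p; continue }
        if (cur[p] == old[p]) continue
        split(old[p], o, " "); split(cur[p], c, " ")
        if (o[1] != c[1]) print "MODIFIED " p
        else print "OWNER_OR_MODE " p " (was " o[2] " " o[3] ":" o[4] ", now " c[2] " " c[3] ":" c[4] ")"
      }
    }' "$2" "$now" | LC_ALL=C sort)
  rm -f "$now"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Typical use: once right after a clean install, then again on every check
# (hypothetical paths):
#   record_baseline /bin /mnt/readonly/bin.baseline
#   compare_baseline /bin /mnt/readonly/bin.baseline
```

After a legitimate package update, re-run record_baseline so the new binaries become the reference, which is the "tell tripwire YOU changed the files" step from the answer.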
Thank you very much for your valuable opinions, guys.