Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


RedHat Server Security Thread

Posted on 2007-04-01
Medium Priority
Last Modified: 2013-12-06
RedHat Linux 9.0
I think my system is being hacked.  
I saw the  .bash_profile under root have the lines as follows:

# User specific environment and startup programs

I see this differently in other linux box:
export PATH

Can somebody explain what the lines mean ?
Question by:ChanYiuPong
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 48

Expert Comment

ID: 18833987
There's nothing in the .bash_profile that would indicate you have been hacked.  It's a perfectly acceptable profile, except that there's no need to manually set USERNAME
LVL 11

Expert Comment

ID: 18837529
In order to avoid spectulation on such things, you should install and run "chkrootkit" which checks many known methods to see if the system is compromised. You can get the progrem via Yum with 'yum install chkrootkit' or download and compile it from souce. See the home site at 

Here is a good tutorial on installing and using chkrootkit

Author Comment

ID: 18944688
Question abandon.
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

LVL 11

Expert Comment

ID: 18947474
Even though you abandoned the question, you received very legitimate answers.

Author Comment

ID: 18951197
well, you give me an article on chkrootkit
But you do not provide the information on what the lines differ means.
Still everyday the server being placed with phlishing sites.
LVL 11

Accepted Solution

kblack05 earned 1500 total points
ID: 18960071
Editing the pages will not clear the trojan, and will not fix the problem. First you need to determine how the system was comprimised. If you edit or attempt to repair the system while someone still has rougue access then they will know you are on to them, and may just decide to format the server on their way out the door.

Please download chkrootkit from the url above, run it, and see if the system is in fact infected.

The differences are probably to force the server to use an alternate command directory, the one containing the infected executables.

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question