Look in root's homedir for .history, .bash_history or similar files.
Run the history command in the respective shell(s).
Ordinary system logins are listed with the last command.
Consult the system logs, for system access and unusual events.
Is there a su or sudo log in /var/log/ or /var/adm/?
Do you happen to have system accounting (sa) running?
Run netstat -a and look for LISTEN; what services are running that use the ports?
Do these services have extra logs?
How good is your root pw? The longer the better.
Did you switch from the 13-byte Unix crypt to another crypt that allows longer pws?
Are you sure your system was hacked at all?
Maybe there was a fatal human error like
where the read files are already opened for writing, and such data corruptions can occur.
This User Gave Thanks to MadeInGermany For This Post:
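The netstat step from the post above, as an added example that is not part of the original post: it pulls the TCP LISTEN sockets out of `netstat -an` output and reports any port missing from a baseline of expected services. The numeric `-an` form, the Linux column layout, the sample output and the baseline list are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list TCP LISTEN sockets from
# `netstat -an` output and report ports that are not in an expected baseline.

# Constructed sample of Linux `netstat -an` output, not taken from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6200            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# Hypothetical baseline: ports this host is expected to serve, space-separated.
BASELINE_PORTS='22 25'

# Read netstat output on stdin; print "port bind-address" per LISTEN socket.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # The port follows the last ":" (Linux) or "." (BSD-style addr.port).
            if (match($4, /[:.][^:.]*$/))
                print substr($4, RSTART + 1), substr($4, 1, RSTART - 1)
        }
    ' | LC_ALL=C sort -k1,1n -k2,2 -u
}

# Read netstat output on stdin; print listeners whose port is not in $1.
unexpected_listeners() {
    listening_ports | awk -v base="$1" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        !($1 in ok)
    '
}

# On a live host: netstat -an | unexpected_listeners "22 25"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$BASELINE_PORTS"
```

The bind address is printed next to each port because a service bound to 127.0.0.1 is reachable only from the host itself, while 0.0.0.0 or :: is reachable from the network.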
Hi,
I think someone has hacked my server, the following rules used to come which I haven't put. Please help me, I couldn't find out how these rules are applied,
I think someone has put a script which generates enables the rules.
But after restarting the iptables everything seems to be working... (0 Replies)
One of the most important ways to keep your machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater your chances of kicking them off and repairing the damage.
The more sophisticated the hacker, the less likely... (8 Replies)
Hi,
There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on:
# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num ... (7 Replies)