Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Our system was hacked
Special Forums Cybersecurity Our system was hacked Post 303037161 by MadeInGermany on Thursday 25th of July 2019 03:13:26 AM
Old 07-25-2019
Look in root's homedir for .history .bash_history or similar files.
Run the history command in the respective shell(s).

Ordinary system logins are listed with the last command.

Consult the system logs, for system access and unusual events.
Is there a su or sudo log in /var/log/ or /var/adm/?
Do you happen to have system accounting (sa) running?

Run netstat -a and look for LISTEN; what services are running that use the ports?
Do these services have extra logs?

How good is your root pw? The longer the better.
Did you switch from the 13byte Unix crypt to another crypt that allows longer pws?

Are you sure your system was hacked at all?
Maybe there was a fatal human error like
Code:
tar cf - dir | tar xf -

where the read files are already opened for writing, and such data corruptions can occur.
This User Gave Thanks to MadeInGermany For This Post:
drl
 

3 More Discussions You Might Find Interesting

1. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

2. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

3. Cybersecurity

Server hacked on known port

Hi, There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on : # /etc/init.d/iptables status Table: nat Chain PREROUTING (policy ACCEPT) num ... (7 Replies)
Discussion started by: anaigini45
7 Replies

LEARN ABOUT OSF1

db_recover

db_recover(8)						      System Manager's Manual						     db_recover(8)

NAME

       db_recover - Restores the database to a consistent state (Enhanced Security)

SYNOPSIS

       /usr/tcb/bin/db_recover [-cv] [-h home]

FLAGS

       Failure	was  catastrophic.   Specify  a  home  directory for the database.  The correct directory for enhanced security is /var/tcb/files.
       Write out the pathnames of all of the database log files, whether or not they are involved in active transactions.  Run in verbose mode.

DESCRIPTION

       A customized version of the Berkeley Database (Berkeley DB) is embedded in the operating system to provide high-performance  database  sup-
       port  for  critical security files.  The DB includes full transactional support and database recovery, using write-ahead logging and check-
       pointing to record changes.

       The db_recover utility runs after an unexpected system failure to restore the security database	to  a  consistent  state.   All  committed
       transactions  are  guaranteed  to  appear after db_recover has run, and all uncommitted transactions are completely undone.  DB recovery is
       normally performed automatically for the security files as part of system startup.

       In the case of catastrophic failure, an archival copy, or snapshot of all database files must be restored along with all of the	log  files
       written since the database file snapshot was made.  (If disk space is a problem, log files may be referenced by symbolic links).

       If the failure was not catastrophic, the files present on the system at the time of failure are sufficient to perform recovery.

       If  log	files  are missing, db_recover identifies the missing log files and fails, in which case the missing log files need to be restored
       and recovery performed again.

       The db_recover utility attaches to one or more of the Berkeley DB shared memory regions.  In order to avoid region  corruption,	it  should
       always be given the chance to detach and exit gracefully.  To cause db_recover to clean up after itself and exit, send it an interrupt sig-
       nal (SIGINT).

RETURN VALUES

       The db_recover utility exits 0 on success, and >0 if an error occurs.

ENVIRONMENT VARIABLES

       If the -h option is not specified and the environment variable DB_HOME is set, it is used as the path  of  the  database  home.	 The  home
       directory for security is /var/tcb/files.

FILES

       /var/tcb/files/auth.db

       /var/tcb/files/dblogs/*

RELATED INFORMATION

       Commands: db_archive(8), db_checkpoint(8), db_printlog(8), db_dump(8), db_load(8), db_stat(8), secconfig(8) delim off

																     db_recover(8)
All times are GMT -4. The time now is 09:46 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy