Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Our system was hacked
Special Forums Cybersecurity Our system was hacked Post 303037161 by MadeInGermany on Thursday 25th of July 2019 03:13:26 AM
Old 07-25-2019
Look in root's homedir for .history .bash_history or similar files.
Run the history command in the respective shell(s).

Ordinary system logins are listed with the last command.

Consult the system logs, for system access and unusual events.
Is there a su or sudo log in /var/log/ or /var/adm/?
Do you happen to have system accounting (sa) running?

Run netstat -a and look for LISTEN; what services are running that use the ports?
Do these services have extra logs?

How good is your root pw? The longer the better.
Did you switch from the 13byte Unix crypt to another crypt that allows longer pws?

Are you sure your system was hacked at all?
Maybe there was a fatal human error like
Code:
tar cf - dir | tar xf -

where the read files are already opened for writing, and such data corruptions can occur.
This User Gave Thanks to MadeInGermany For This Post:
drl
 

3 More Discussions You Might Find Interesting

1. Linux

pc hacked

Hi, i think someone has hacked my server, the following rules used to come which i haven't put. Please help me i couldnt find out how this rules are apply, i think someone has put an script which generates enables the rules. But after restarting the iptables everything seems to be working... (0 Replies)
Discussion started by: naik_mit
0 Replies

2. Cybersecurity

How to know when you've been hacked

One of the most important ways to keep tou machine secure is to know when it has been broken into. The less time hackers have on your system, the less they can do to it, and the greater you chancens of kicking them off and repairing the damage. The more sophisticated the hacker, the less likely... (8 Replies)
Discussion started by: binhnx2000
8 Replies

3. Cybersecurity

Server hacked on known port

Hi, There is a recent case whereby it was reported that one of the production servers was hacked on port 1521. However, I am not sure how this was possible, as I checked that the OS firewall (iptables) is on : # /etc/init.d/iptables status Table: nat Chain PREROUTING (policy ACCEPT) num ... (7 Replies)
Discussion started by: anaigini45
7 Replies

LEARN ABOUT OSF1

db_printlog

db_printlog(8)						      System Manager's Manual						    db_printlog(8)

NAME

       db_printlog - Displays database log file (Enhanced Security)

SYNOPSIS

       /usr/tcb/bin/db_printlog [-h home]

FLAGS

       Specify a home directory for the database.  The correct directory for enhanced security is /var/tcb/files.

DESCRIPTION

       A  customized  version of the Berkeley Database (Berkeley DB) is embedded in the operating system to provide high-performance database sup-
       port for critical security files.  The DB includes full transactional support and database recovery, using write-ahead logging  and  check-
       pointing to record changes.

       The db_printlog utility provides a way to view the log file associated with the security database.

RETURN VALUES

       The db_printlog utility exits 0 on success, and >0 if an error occurs.

ENVIRONMENT VARIABLES

       If  the	-h  option  is	not  specified and the environment variable DB_HOME is set, it is used as the path of the database home.  The home
       directory for security is /var/tcb/files.

FILES

       /var/tcb/files/auth.db

       /var/tcb/files/dblogs/*

RELATED INFORMATION

       Commands: db_checkpoint(8), db_recover(8), db_stat(8) delim off

																    db_printlog(8)
All times are GMT -4. The time now is 06:03 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy