2

suspected system invasion

asked 2019-02-25 11:41:19 -0500

equus

Hello! I don't know what to do. I think my system is being used by someone else. I signed in as a normal user and I opened a terminal window, then I tried to use "su" command but the password is not recognized. I can't su in the system and I'm 100% sure that my password is correct but I can't su. How do I know if someone invaded my system?


Comments

Has it ever worked?

villykruse ( 2019-02-25 13:31:41 -0500 )
1

su requires the root password, not your user's password. Have you ever set a root password? You can type sudo su (then type your user's password) to get a root console. There you can change root's password (passwd) and examine your system. Tools like top and htop will help you identify processes that are unwanted, e.g. a cryptominer will keep your CPU busy.

florian ( 2019-02-25 14:16:21 -0500 )
1

top, htop, ps and pstree will show whatever the rootkit wants them to show. A system cannot be tested for a root hack while it is started from a tampered installation. You need a SECURE / untampered source for your boot. If it is "just" an unwanted process, keep it running, and let someone experienced examine it. Otherwise you will miss important information about where it may have been installed to or started from.

rdtcustomercare ( 2019-02-26 16:39:01 -0500 )

1 Answer

2

answered 2019-02-25 14:07:22 -0500

Tricky question, because when you got hacked and the hacker got root permissions, he could install any rootkit to hide his activities.

  1. Download an ISO image of Fedora.
  2. Burn it onto a USB stick (1 and 2 can be done on a different PC to avoid contamination).
  3. Boot from the stick.
  4. Open GNOME Disks and mount your system drive.
  5. Check /tmp/ of your system disk for hidden directories which were not present when you booted your PC from your local disks.
  6. Check /root/ too.
  7. Check the /etc/passwd and /etc/group files for additional accounts with UID=0, aka root permissions.
  8. Check /var/log/secure for valid logins from external IPs. Usually that is not possible, because your DSL/cable modem does not forward the SSH port to your PC.

If you found something, call the cops or someone else who can analyse how they got in.

If you did not find anything, you just mistyped your password. As you're now on it, open a terminal (you will have one open already) and enter:

chroot /path/to/mounted/systemdisk

passwd

Enter your new password twice.

If it wants the old one, abort and edit /etc/shadow:

Change the line

root:$oiweur93847953757f8uoujoigjv.......:.....

to

root::.....

That means: remove the content between the first two colons.

Now use passwd again and enter your new root password.

Reboot from disk. Done.

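The checks in steps 5 to 8 of the answer above, written out as an added shell script. This is not part of the original answer and not Fedora's own tooling; it assumes the suspect disk is mounted at /mnt/sysdisk (set MNT to override), and when that path is absent it builds a constructed sample tree (one rogue UID 0 account, one hidden directory under /tmp, one SSH login from a public address) so that it runs stand-alone.

```shell
#!/bin/sh
# Added example, not the answer's own code: offline triage of a root filesystem
# mounted from a live USB. MNT is an assumed mount point; if it does not exist,
# a constructed sample tree is used instead so the script runs stand-alone.

MNT="${MNT:-/mnt/sysdisk}"

# Step 7: accounts other than "root" whose UID is 0.
find_uid0_accounts() {
    awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$1"
}

# Step 7: extra members listed for the GID 0 group in /etc/group.
find_root_group_members() {
    awk -F: '$3 == "0" && $4 != "" { print $4 }' "$1"
}

# Steps 5 and 6: hidden directories (name begins with ".") directly under a path.
find_hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null | sort
}

# Step 8: source IPv4 addresses of accepted SSH logins, with loopback and
# RFC 1918 ranges dropped so that logins from the LAN are not reported.
find_external_logins() {
    grep 'Accepted ' "$1" 2>/dev/null \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
    | grep -Ev '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    | sort -u
}

# Run every check against a mounted root and print the findings. The return
# value is the number of checks that produced output (0 when nothing was found).
run_checks() {
    root="$1"; hits=0
    report() {  # label, output
        if [ -n "$2" ]; then
            printf '[!] %s:\n%s\n' "$1" "$2"; hits=$((hits + 1))
        else
            printf '[ok] %s\n' "$1"
        fi
    }
    report "extra UID 0 accounts in /etc/passwd" "$(find_uid0_accounts "$root/etc/passwd")"
    report "extra members of GID 0 in /etc/group" "$(find_root_group_members "$root/etc/group")"
    report "hidden directories in /tmp" "$(find_hidden_dirs "$root/tmp")"
    report "hidden directories in /root" "$(find_hidden_dirs "$root/root")"
    report "accepted SSH logins from external IPs" "$(find_external_logins "$root/var/log/secure")"
    return "$hits"
}

# Constructed sample tree standing in for a mounted system disk (not real data):
# a second UID 0 account, a hidden directory in /tmp and one login from a
# public (documentation-range) address next to a normal LAN login.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/tmp/.hidden" "$dir/tmp/visible" "$dir/root" "$dir/etc" "$dir/var/log"
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
equus:x:1000:1000::/home/equus:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$dir/etc/group" <<'EOF'
root:x:0:
wheel:x:10:equus
EOF
    cat > "$dir/var/log/secure" <<'EOF'
Feb 25 11:40:01 host sshd[1234]: Accepted password for equus from 192.168.1.5 port 51234 ssh2
Feb 25 11:42:10 host sshd[1240]: Accepted publickey for root from 203.0.113.7 port 40022 ssh2
Feb 25 11:43:00 host sshd[1250]: Failed password for root from 198.51.100.9 port 40023 ssh2
EOF
    echo "$dir"
}

if [ -d "$MNT/etc" ]; then
    run_checks "$MNT" || echo "$? check(s) need a closer look"
else
    SAMPLE=$(make_sample_root)
    echo "$MNT is not mounted; running against constructed sample $SAMPLE"
    run_checks "$SAMPLE" || echo "$? check(s) need a closer look"
    rm -rf "$SAMPLE"
fi
```

Save it under any name (check.sh is assumed here) and run it from the live session after mounting the disk, for example sudo MNT=/run/media/liveuser/<label> sh check.sh, where the mount path under /run/media is the usual place GNOME Disks puts a mounted volume on a live image. Hidden directories such as /tmp/.X11-unix and /tmp/.ICE-unix are normal on a desktop install, so compare the output against a known-good system rather than treating every hit as a compromise; the log check covers IPv4 only. As the comment above points out, an attacker with root could also have edited /var/log/secure, which is why the checks are only meaningful when run from untampered boot media. If you then go on to the /etc/shadow edit in the answer, run passwd straight afterwards, because the emptied field means root has no password until you do.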


Stats

Asked: 2019-02-25 11:41:19 -0500

Seen: 63 times

Last updated: Feb 25