How to check if You were ‘rooted’

This tutorial shows how to check whether your server has been rooted by looking for the libkeyutils.so.1.9 backdoor library.

#ls -la /lib64/libkeyutils.so.1.9

#rpm -qf /lib64/libkeyutils.so.1.9

#ls -la /lib/libkeyutils.so.1.9

#rpm -qf /lib/libkeyutils.so.1.9

Those files should not exist.

or:

#updatedb && locate libkeyutils.so.1.9

There should be no output:

[rootl@localhost ~]# updatedb && locate libkeyutils.so.1.9
Password:
[rootl@localhost ~]#
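
The checks above combined into one function, as an added example that is not part of the original post. The name `check_rooted`, its optional root argument (so the same check can run against a mounted disk image instead of the live host) and the `--run` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: look for the libkeyutils.so.1.9 file named in this post
# under /lib64 and /lib, and ask RPM who owns it when scanning the live host.
# check_rooted, its ROOT argument and --run are hypothetical names.

check_rooted() {
    root="${1:-/}"      # "/" for the live host, or the mount point of an image
    root="${root%/}"    # drop a trailing slash so the paths join cleanly
    found=0
    for dir in lib64 lib; do
        f="$root/$dir/libkeyutils.so.1.9"
        # -e follows symlinks; -L also catches a dangling symlink
        if [ -e "$f" ] || [ -L "$f" ]; then
            found=1
            echo "FOUND: $f"
            ls -la "$f"
            if [ -n "$root" ]; then
                # Offline image: the running system's RPM database does not
                # describe it, so ownership is not queried here.
                echo "  rpm: skipped (not the live root)"
            elif command -v rpm >/dev/null 2>&1; then
                # Same ownership query as in the post; prefix each output line
                rpm -qf "$f" 2>&1 | sed 's/^/  rpm: /'
            else
                echo "  rpm: command not available, ownership not checked"
            fi
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "OK: no libkeyutils.so.1.9 under ${root:-/}"
    fi
    # Exit status 0 = file absent, 1 = file present (investigate)
    return "$found"
}

# Run only when asked to, e.g.:  sh check_rooted.sh --run /mnt/image
if [ "${1:-}" = "--run" ]; then
    check_rooted "${2:-/}"
fi
```

A non-zero exit status means at least one of the two paths exists and the host or image needs investigation.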

Backdoor analysis – is it a 0day attack?

A reddit user analyzed the file and found an encoded IP address in it:

#./audit libkeyutils.so.1.9 output
# strings output | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
192.168.1.2

If you get the above output, your server is compromised.

About

I am the founder and webmaster of www.linuxpcfix.com, working as a Sr. Linux Administrator (expertise in Linux/Unix & cloud servers), and have been in the industry for the last 7 years.
