====== Root Login Detection ======
http://web.archive.org/web/20080109214340/http://www.cert.org/tech_tips/intruder_detection_checklist.html
===== Linux =====
You can use these commands to check your Linux server for root logins. Do not treat their output as proof that the server has not been compromised: an attacker with root can edit the log files and login records these commands read, so a clean result only means nothing was left behind, not that nothing happened.
==== Check a Linux Server for Root Logins ====
The ''last'' command displays login history from the ''wtmp'' file (the same record format as ''utmp''), including the source host and session duration of each login.
last
The ''lastb'' command shows failed login attempts.
lastb
This searches the system logs for the ''Accepted'' lines that ''sshd'' writes on each successful login. There are always lots of failed attempts in the same logs; the ''Accepted'' lines are the ones to review, especially any for ''root'' from an address you do not recognise. The glob covers the current log and the rotated copies:
grep Accepted /var/log/messages*
or
grep Accepted /var/log/secure*
This does a reverse lookup on an IP address to identify the host behind an unknown login:
dig -x xxx.xxx.xxx.xxx
This looks up the registration record of a domain you might be curious about:
whois domain.com
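Added example, not part of the original page: a small Python script that does what the ''grep Accepted'' check above does by hand, parsing the ''Accepted'' lines ''sshd'' writes to ''/var/log/secure'' or ''/var/log/messages'' and flagging root logins from outside a caller-supplied (hypothetical) trusted network list. The log lines below are constructed sample data so it runs offline; on a real host feed it the contents of ''/var/log/secure*'' instead.

```python
import ipaddress
import re

# Matches the "Accepted" line sshd writes on a successful login (syslog format).
# The method field is "password", "publickey", etc.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample log lines for a stand-alone run; on a real host read
# /var/log/secure* or /var/log/messages* instead.
SAMPLE_LOG = """\
Jan 10 03:14:07 web1 sshd[2041]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:ExampleKeyFingerprint
Jan 10 03:20:11 web1 sshd[2077]: Accepted password for root from 203.0.113.45 port 40022 ssh2
Jan 10 03:21:02 web1 sshd[2090]: Failed password for root from 203.0.113.45 port 40023 ssh2
Jan 10 04:02:55 web1 sshd[2133]: Accepted password for root from 10.0.0.7 port 33110 ssh2
""".splitlines()


def parse_accepted(lines):
    """Return one dict per successful sshd login; failed attempts are skipped."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def root_logins(lines, trusted_nets=()):
    """Successful root logins whose source is outside the trusted networks
    (a hypothetical allow-list supplied by the caller). Sources that are not
    plain IP addresses are kept, since they deserve a manual look anyway."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for entry in parse_accepted(lines):
        if entry["user"] != "root":
            continue
        try:
            src = ipaddress.ip_address(entry["src"])
            if any(src in net for net in nets):
                continue
        except ValueError:
            pass
        flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in root_logins(SAMPLE_LOG, trusted_nets=["10.0.0.0/8"]):
        print(f'{e["ts"]} root login via {e["method"]} from {e["src"]}:{e["port"]}')
```

Each flagged source address is a candidate for the ''dig -x'' and ''whois'' checks above.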
==== Linux Malware Detect ====
http://www.limecanvas.com/installing-linux-malware-detect-centos-6-vps/
http://www.tecmint.com/install-linux-malware-detect-lmd-in-rhel-centos-and-fedora/
==== Root Kit Hunter ====
http://daniel-farm.com/install-linux-rkhunter-rootkit-hunter-rhel-centos-fedora/
http://www.tecmint.com/install-linux-rkhunter-rootkit-hunter-in-rhel-centos-and-fedora/
http://hackingbuzz.com/hunt-rootkits-with-rootkit-hunter-tool/
yum install rkhunter
rkhunter --update
rkhunter --propupd
rkhunter --help
rkhunter --check