You can use these commands to check your Linux server for root logins. You cannot trust these commands to definitively show that your server has not been hacked or cracked as careful crackers may manipulate the output shown.
The last command uses the utmp and wtmp files to display login history.
last
The lastb command shows failed login attempts (read from btmp).
lastb
This will show successful SSH logins, which sshd logs as "Accepted". There are always lots of unsuccessful ones, so filtering on the accepted lines is what narrows the search.
cat /var/log/messages.*|grep Accepted
or
cat /var/log/secure.*|grep Accepted
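As an added example (not part of the original page), this POSIX shell script runs the same "Accepted" check over a constructed sample log, pulling out the user, authentication method and source IP of each successful login and counting root and password logins. The sshd log format and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: list successful sshd logins and
# count the two kinds a root-login check cares about most. Assumes the usual
# sshd format: "Accepted <method> for <user> from <ip> port <n> ssh2 ...".

# Constructed sample in /var/log/secure style (IPs from RFC 5737 ranges).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 09:12:01 web1 sshd[2211]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: RSA SHA256:abc
Mar  3 09:15:44 web1 sshd[2240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 09:16:02 web1 sshd[2240]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:13 web1 sshd[2301]: Accepted publickey for deploy from 203.0.113.5 port 51300 ssh2: ED25519 SHA256:def
EOF

# Print one "user method ip" line per successful login found in the given log.
# Only sshd "Accepted" lines match, so "Failed password" noise is dropped.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i == "Accepted") print $(i+3), $(i+1), $(i+5) }'
}

# Number of successful root logins; on a box where root SSH is disabled
# anything other than 0 deserves a closer look.
root_login_count() {
    accepted_logins "$1" | awk '$1 == "root"' | wc -l | tr -d ' '
}

# Number of successful password (not key) logins; with a key-only policy
# this should also be 0.
password_login_count() {
    accepted_logins "$1" | awk '$2 == "password"' | wc -l | tr -d ' '
}

accepted_logins "$SAMPLE_LOG"
echo "root logins: $(root_login_count "$SAMPLE_LOG")"
echo "password logins: $(password_login_count "$SAMPLE_LOG")"
```

Point the functions at /var/log/secure (or /var/log/auth.log on Debian-based systems) instead of the sample file to run it against a real host.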
This will do a reverse lookup on an IP address to check where an unknown login came from:
dig -x xxx.xxx.xxx.xxx
This will look up a domain that you might be curious about:
whois domain.com
Guides for installing Linux Malware Detect (LMD) and Rootkit Hunter (rkhunter):
http://www.limecanvas.com/installing-linux-malware-detect-centos-6-vps/
http://www.tecmint.com/install-linux-malware-detect-lmd-in-rhel-centos-and-fedora/
http://daniel-farm.com/install-linux-rkhunter-rootkit-hunter-rhel-centos-fedora/
http://www.tecmint.com/install-linux-rkhunter-rootkit-hunter-in-rhel-centos-and-fedora/
http://hackingbuzz.com/hunt-rootkits-with-rootkit-hunter-tool/
To install rkhunter, update its signatures, record a baseline of file properties, and run a check:
yum install rkhunter
rkhunter --update
rkhunter --propupd
rkhunter --help
rkhunter --check