
suspected system invasion

asked 2019-02-25 11:41:19 -0600

equus

Hello! I don't know what to do. I think my system is being used by someone else. I signed in as a normal user and opened a terminal window, then I tried to use the "su" command, but the password is not recognized. I can't su in the system and I'm 100% sure that my password is correct, but I can't su. How do I know if someone invaded my system?



Has it ever worked?

villykruse (2019-02-25 13:31:41 -0600)

su requires the root password, not your user's password. Have you ever set a root password? You can type sudo su (then type your user's password) to get a root console. There you can change root's password (passwd) and examine your system. Tools like top and htop will help you identify processes that are unwanted, e.g. a cryptominer will keep your CPU busy.

florian (2019-02-25 14:16:21 -0600)

top, htop, ps, pstree will show whatever the rootkit wants them to show. A system cannot be tested for a root hack while it is started from a tampered installation. You need a SECURE / untampered source for your boot. If it is "just" an unwanted process, keep it running, and let someone experienced examine it. Otherwise you will miss important information about where it may have been installed to or started from.

rdtcustomercare (2019-02-26 16:39:01 -0600)

1 Answer


answered 2019-02-25 14:07:22 -0600

Tricky question, because when you got hacked and the hacker got root permissions, he could install any rootkit to hide his activities.

  1. Download an ISO image of Fedora.
  2. Burn it onto a USB stick (1 and 2 can be done on a different PC to avoid contamination).
  3. Boot from the stick.
  4. Open GNOME Disks and mount your system drive.
  5. Check /tmp/ of your system disk for hidden directories which were not present when you booted your PC from your local disks.
  6. Check /root/ too.
  7. Check the /etc/passwd and /etc/group files for additional accounts with UID=0, aka root permissions.
  8. Check /var/log/secure for valid logins from external IPs. Usually that is not possible, because your DSL/cable modem does not forward the SSH port to your PC.

If you found something, call the cops or someone else who can analyse how they got in.

If you did not find anything, you just mistyped your password. As you're now on it, open a terminal (you will have one open already) and enter:

chroot /path/to/mounted/systemdisk


Enter your new password twice.

If it wants the old one, abort and edit /etc/shadow:

change the line




That means: remove the content between the first two colons.

Now use password again and enter your new root password.

Reboot from disk. Done.
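Steps 5 to 8 of the answer (hidden directories in /tmp and /root, extra UID 0 accounts, accepted SSH logins from outside addresses) can be scripted against a system disk that was mounted from the live USB. The script below is an added example, not part of the answer above; the mount point and every file it inspects are constructed sample data, and the hidden-directory list must still be compared against what a clean boot of the same machine shows.

```shell
#!/bin/sh
# Added example (not from the original thread): offline checks for a system
# disk mounted from a live USB. All sample data below is constructed.
set -eu

# Step 7: accounts other than "root" whose UID is 0.
find_uid0_accounts() {   # $1 = path to the mounted disk's /etc/passwd
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Steps 5 and 6: hidden directories directly under a path, C-locale sorted
# so the output is stable. Compare the list against a known-good boot.
find_hidden_dirs() {     # $1 = directory on the mounted disk (e.g. .../tmp)
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' \
      | sed 's|.*/||' | LC_ALL=C sort
}

# Step 8: source addresses of accepted sshd logins that are not in an
# RFC 1918 private range (a LAN login from the home router is expected).
find_external_logins() { # $1 = path to the mounted disk's /var/log/secure
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$1" \
      | grep -Eo 'from [0-9.]+' | awk '{ print $2 }' \
      | grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' || true
}

# Constructed stand-in for the mounted system disk so the script runs offline.
# One benign hidden dir (.X11-unix), one odd one, one extra UID 0 account,
# one LAN login and one login from a documentation-range (TEST-NET-3) address.
make_sample_root() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/etc" "$ROOT/tmp/.X11-unix" "$ROOT/tmp/.cache-x" "$ROOT/var/log"
    printf 'root:x:0:0:root:/root:/bin/bash\nequus:x:1000:1000::/home/equus:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n' > "$ROOT/etc/passwd"
    printf 'Feb 24 03:12:01 host sshd[812]: Accepted password for root from 203.0.113.7 port 51022 ssh2\nFeb 24 09:00:10 host sshd[901]: Accepted publickey for equus from 192.168.1.20 port 40000 ssh2\n' > "$ROOT/var/log/secure"
    echo "$ROOT"
}

# Demo run on the constructed sample root; point the functions at the real
# mount point (e.g. /run/media/liveuser/<label>) when working on a live USB.
ROOT=$(make_sample_root)
echo "extra UID 0 accounts:"; find_uid0_accounts "$ROOT/etc/passwd"
echo "hidden dirs in /tmp:";  find_hidden_dirs "$ROOT/tmp"
echo "external SSH logins:";  find_external_logins "$ROOT/var/log/secure"
rm -rf "$ROOT"
```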

