On Tue, Aug 18, 2009, Scott Ehrlich wrote:
> There is a lot of talk about the vulnerable Linux kernel. I'm simply
> wondering the telltale signs if a given system has been hacked?
> What, specifically, does a person look for?

To really know whether a system has been hacked, it's necessary to use
something like Tripwire or AIDE, taking a baseline before the system is
put on-line, and continually monitoring for changes.

By using the 6 P's (Prior Planning Prevents Piss-Poor Performance) it's
possible to detect crackages, and even to restore a system without a
complete reinstall, as good intrusion detection tools find changed files
as well as new files that crackers have added, or files that have gone
missing.

It's also a good idea to check for executables in places they normally
shouldn't be: /tmp, /dev/shm on SuSE systems, /var/tmp, and similar
directories where crackers like to hide their work. Often these
executables will be in directories with names like ``.. '' (note the
trailing space) that look legitimate.

There's one crack that adds lines to /etc/inittab to run something called
``ttymon'' that looks reasonable if (a) you don't notice that the file
has changed, and (b) don't have a backup to compare it to.

You cannot trust tools like ``ps'', ``find'', ``netstat'', and ``lsof''
as these are frequently replaced by ones that are modified to hide the
cracker's work.

Bill
--
INTERNET:   bill@xxxxxxxxxxxxx  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186
Skype: jwccsllc (206) 855-5792

The most serious doubt that has been thrown on the authenticity of the
biblical miracles is the fact that most of the witnesses in regard to
them were fishermen.
    -- Arthur Binstead
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
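The reply above describes two checks: a file baseline taken before the system goes on-line and compared later (what Tripwire or AIDE do), and a sweep of scratch directories such as /tmp, /dev/shm and /var/tmp for executables and oddly named directories like ``.. ''. The script below is an added example, not code from the original post or from Tripwire/AIDE: it builds a constructed sandbox tree, baselines it with sha256sum, simulates the kinds of changes the post mentions (an extra /etc/inittab line, a replaced ``ps'', a file gone missing, an executable under a trailing-space directory) and reports them. The function names, the sandbox layout and the simulated changes are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal baseline-and-compare
# check in the spirit of Tripwire/AIDE, plus a sweep of the scratch directories
# the post names. Everything below runs against a constructed sandbox tree.
set -u

# BSD/macOS fallback: shasum ships where sha256sum does not
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# make_baseline ROOT OUTFILE: record "hash  ./path" for every regular file under ROOT.
# Take this before the system goes on-line and keep it off the box (read-only media).
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# compare_baseline OLD NEW: print ADDED / CHANGED / MISSING lines, one per path.
# The path is everything after the hash, so names containing spaces survive.
compare_baseline() {
    awk '{ h = $1; p = $0; sub(/^[0-9a-f]+  /, "", p) }
         NR == FNR { old[p] = h; next }
         { new[p] = h }
         END {
             for (p in old) if (!(p in new)) print "MISSING " p
             for (p in new) {
                 if (!(p in old))           print "ADDED " p
                 else if (old[p] != new[p]) print "CHANGED " p
             }
         }' "$1" "$2" | LC_ALL=C sort
}

# find_suspicious ROOT DIR...: executables under scratch directories (relative to
# ROOT) and directory names ending in a space, such as ".. ".
find_suspicious() {
    root=$1; shift
    ( cd "$root" && for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -100 -print
        find "$d" -type d -name '* ' -print
    done ) | LC_ALL=C sort
}

# run_demo: build a constructed sandbox, baseline it, simulate the kinds of
# changes the post describes, and print the findings.
run_demo() {
    work=$(mktemp -d)
    root=$work/root
    mkdir -p "$root/etc" "$root/bin" "$root/tmp"
    printf 'id:3:initdefault:\n' > "$root/etc/inittab"
    printf '#!/bin/sh\necho ps\n' > "$root/bin/ps"; chmod 755 "$root/bin/ps"
    printf '#!/bin/sh\necho ls\n' > "$root/bin/ls"; chmod 755 "$root/bin/ls"
    make_baseline "$root" "$work/baseline.txt"

    # Simulated tampering (constructed for the demo, modelled on the post):
    printf 'xx:23:respawn:ttymon\n' >> "$root/etc/inittab"   # extra inittab line
    printf '#!/bin/sh\necho ps\n# replaced\n' > "$root/bin/ps"  # modified ps
    rm "$root/bin/ls"                                        # file gone missing
    mkdir -p "$root/tmp/.. "                                 # note the trailing space
    printf '#!/bin/sh\n' > "$root/tmp/.. /worker"; chmod 755 "$root/tmp/.. /worker"

    make_baseline "$root" "$work/current.txt"
    compare_baseline "$work/baseline.txt" "$work/current.txt"
    echo "--"
    find_suspicious "$root" ./tmp ./dev/shm ./var/tmp
    rm -rf "$work"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh baseline-check.sh demo`. On a real host you would baseline `/` (or at least /etc, /bin, /sbin, /usr and /lib), store the baseline somewhere the box cannot write to, and run the comparison from a rescue environment or a known-good toolchain, since, as the post says, the ``find'' and ``ps'' on a compromised system may themselves have been replaced.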