[TriLUG] Have I been compromised?

[Andrew C. Oliver]

Some thoughts.

1. Most compromizes are not direct, they're by scripts running and looking
2. Most don't try to cover their trail that well
3. If you were compromised by someone who knew what they were doing, 
you'd probably never know except by your disk trashing and your nic 
light blinking like heck
4. Any new users in /etc/passwd, /etc/groups - is the date changed?
5. Any strange messages in or truncated /var/log/messages
6. Any strange hidden directories in /tmp (ls -la)
7. Do you keep up with your security patches? (if not then yes you've 
been hacked)

-Andy

Chris Merrill wrote:

> I've just read yet another story quoting that a default
> Red Hat installation placed on the Internet will be
> compromised within days.
>
> I have a RedHat 7.1 installation on TWC that has been
> up for more than a year.  It is not a default installation,
> since I usually don't install anything that I don't need.
> But I also did not take any extraordinary security
> measures (other than IPchains for firewall...since the
> computer also acts as the gateway for other computers).
>
> I am running a few services:
> - Postfix
> - Apache
> - Mailman
> - Samba (only for brief times when I want to move files
>   to/from a Windows box)
>
> I tried to turn off most other unneeded services.
> I occasionally (every 3-4 weeks) log in and check
> the logs to see if anyone else has logged in...but
> if they could get in, I would assume they would
> clean the logs.
>
> My question:
> How would I know if my system had been compromised?
>
>
> *********************************
> Chris Merrill
> cmerrill at nc.rr.com
> *********************************
>
> _______________________________________________
> TriLUG mailing list
>    http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>    http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>