[TriLUG] Have I been compromised?

lfwelty lfwelty at redback.com
Thu May 23 15:30:03 EDT 2002


Ed Hill wrote:
> 
<cut> 
> And as a counter to Tanner's paranoia, let me offer some data points.  I
> have more than a half-dozen mostly default Red Hat Linux boxes plugged
> in to two *campus* (notorious for frequent break-ins) networks even as I
> type this email.  They are a mix of RH 7.1, 7.2, and 7.3.  I had *one*
> break-in problem back with the RH 6.x series when, by default, all sorts
> of services were turned on and there was no (default) firewall.
<cut> 

And as a further anecdotal data point: I started logging attempts on
my cable modem network - I'm hit about 10 times/day.... How many of
these are real attacks and how many are simply port scans? Dunno.
AFAIK I haven't been hacked. I check my logs routinely and actually
tail -f some of them. 

I thought that I had been hacked once, but it was portsentry opening
everything up on my box...:*(  Scared the hell out of me though.  The
risk assessment is a good point to be considered. Evaluate what could
be taken should someone gain access.

Another point to consider (as it was presented to me). I don't have
to run faster than the lion, I just have to run faster than you...;)
No system is completely secure, you just want to make yours an
unattractive target.

> So back to the original point:
> 
>   - you don't really know if you've been hacked unless you are
>     running something like Tripwire or similar or if you manage
>     to find some actual evidence
> 
>   - you can use the RPM database as a quick check (if you trust
>     it) to see what files have been modified:
> 
>       rpm -qa | xargs rpm -V
> 
>     This is very helpful for locating "root kits" that install
>     modified versions of common commands like ls, ps, etc.

Triggered memory.

Check Root Kit:
http://www.chkrootkit.org/

This is pretty good. But still, you have to evaluate the system
as a whole. And you cannot trust any individual tool to give you
the complete truth. Remember that your tools can be lying to you
if they've been compromised.

F.

> 
>   - you can dig through the logs in /var but, as Chris mentioned,
>     logs can be erased/modified by a successful attacker
> 
> hth,
> Ed
> 
> --
> Edward H. Hill III, PhD    |  Email:       ed at eh3.com, ehill at mines.edu
> Post-Doctoral Researcher   |  URLs:        http://www.eh3.com
> Division of ESE            |   http://wasser.mines.edu/people/edhill.php
> Colorado School of Mines   |  Phone:       303-273-3483
> Golden, CO  80401          |  Fax:         303-273-3311
> Key fingerprint = 5BDE 4DA1 66BE 4F7B BC17  3A0C 932B 7266 1E76 F123

-- 
------------------------------------------------------------------
Frank Welty                |  15401 Weston Parkway, Suite 150
lfwelty at redback.com        |  Cary, NC 27513
Redback Networks           |  desk:919.678.2175 m: 919.264.7495
------------------------------------------------------------------
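As an added example for this thread (not code from either poster), here is a small Python triage script for the output of the `rpm -qa | xargs rpm -V` check Ed describes (`rpm -Va` prints the same thing). It parses the flag column rpm emits for each changed file and sorts the paths into high/low/info buckets so the rootkit-style changes (replaced ls, ps, setuid binaries, missing daemons) stand out from routine config edits and pruned documentation. The severity policy and the sample lines are constructed for illustration, not taken from a real host.

```python
"""Triage helper for `rpm -qa | xargs rpm -V` output (added example, not from the thread).

Runs on a constructed sample by default; pipe real output in with
    rpm -Va | python3 rpmv_triage.py
"""
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# One rpm -V line per file that differs from the package database:
#   "S.5....T.    /bin/ls"                flags, then the path
#   "S.5....T.  c /etc/ssh/sshd_config"   an attribute letter sits between
#   "missing      /usr/sbin/sshd"         the file is gone entirely
# Flag columns: S size, M mode, 5 digest, D device, L link target, U user,
# G group, T mtime (newer rpm adds a 9th column, P capabilities);
# "." means unchanged, "?" means the test could not be run.
# Attribute letters: c config, d documentation, g ghost, l license, r readme.
LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+"
    r"(?:(?P<attr>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (flags, attr, path) for an rpm -V line, or None for other chatter."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("flags"), m.group("attr") or "", m.group("path")


def classify(flags: str, attr: str) -> str:
    """Map one verification result to a triage severity.

    Policy (an assumption of this example, not rpm's own semantics):
      high : mode (M) or ownership (U/G) changed on any file, or a
             non-config, non-doc file is missing or has new contents
             (S size / 5 digest / L link), which is what a rootkit that
             replaces ls or ps looks like
      low  : missing or changed contents on config (c), doc (d) or ghost
             (g) files, where admin edits and pruned docs are normal
      info : only mtime (T), device (D), capabilities (P) or an
             un-runnable test (?) differ
    """
    expected_to_drift = attr in ("c", "d", "g")
    if flags == "missing":
        return "low" if expected_to_drift else "high"
    if any(ch in flags for ch in "MUG"):
        return "high"  # permission/ownership changes are suspect even on configs
    if any(ch in flags for ch in "S5L"):
        return "low" if expected_to_drift else "high"
    return "info"


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group paths by severity, preserving the order rpm reported them."""
    buckets: Dict[str, List[str]] = {"high": [], "low": [], "info": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank lines, "Unsatisfied dependencies ..." notes, etc.
        flags, attr, path = parsed
        buckets[classify(flags, attr)].append(path)
    return buckets


# Constructed sample output (not captured from any real host), mimicking the
# rootkit case from the thread: ls and ps replaced, passwd's mode altered,
# sshd removed, plus the benign noise a real run also produces.
SAMPLE = """\
S.5....T.    /bin/ls
S.5....T.    /bin/ps
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
.M.......    /usr/bin/passwd
missing      /usr/sbin/sshd
missing    d /usr/share/doc/bash-2.05/README
""".splitlines()

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    result = triage(source)
    for severity in ("high", "low", "info"):
        for path in result[severity]:
            print(f"{severity:5} {path}")
```

Two caveats follow directly from Frank's point that a compromised tool can lie: the `rpm` binary and the RPM database on the suspect host are themselves candidates for tampering, so the result only means something if `rpm` is run from known-good media against the mounted disk (rpm's `--root` option points it at an alternate root), and a digest match only proves the file equals what the package shipped, not that the package was legitimate in the first place.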