[TriLUG] Have I been compromised?

Mike Helms Mike.Helms at martinmarietta.com
Thu May 23 15:42:35 EDT 2002


Hi everyone,

A word about security on broadband internet.

When I lived in Western Canada I worked for Shaw Cable in their internet
department.  I literally watched systems on the network get dismantled by
hackers, and on some days I would log over a hundred unique hack attempts on
my own personal box.

In my early days with the cable company, I happened to be setting up a
Windows NT 4.0 box to run as a small web app server.  In the small space of
time between installing the OS and getting the service packs in place (no
more than an hour, and probably more along the lines of 20 to 30 minutes), I
logged 8 (yes, eight) successful hacks into my box.  I ended up having to
reformat the drive, reinstall OFF the network, and install all of the
service packs, critical updates and patches, and the firewall before
plugging it into the network again.  When I did, I almost immediately
watched my firewall logs grow.

Obviously I have less experience with Linux and my anecdotes have the
numbers they do, in part, because of the fact that they concern Microsoft
Windows.  However, I suspect the same trends would hold true (with smaller
numbers, perhaps) with any distribution of Linux.  Linux may see fewer
hacks, but what does it really take?  One successful hack could wipe out a
potentially important box, and all the statistics in the world won't help at
that point.

Cheers,
-- Mike Helms

-----Original Message-----
From: lfwelty [mailto:lfwelty at redback.com]
Sent: Thursday, May 23, 2002 3:30 PM
To: trilug at trilug.org
Subject: Re: [TriLUG] Have I been compromised?


Ed Hill wrote:
> 
<cut> 
> And as a counter to Tanner's paranoia, let me offer some data points.  I
> have more than a half-dozen mostly default Red Hat Linux boxes plugged
> in to two *campus* (notorious for frequent break-ins) networks even as I
> type this email.  They are a mix of RH 7.1, 7.2, and 7.3.  I had *one*
> break-in problem back with the RH 6.x series when, by default, all sorts
> of services were turned on and there was no (default) firewall.
<cut> 

And as a further anecdotal datapoint. I started logging attempts on
my cable modem network - I'm hit about 10 times/day.... How many of
these are real attacks and how many are simply port scans? Dunno.
AFAIK I haven't been hacked. I check my logs routinely and actually
tail -f some of them. 

I thought that I had been hacked once, but it was portsentry opening
everything up on my box...:*(  Scared the hell out of me though.  The
risk assessment is a good point to be considered. Evaluate what could
be taken should someone gain access.

Another point to consider (as it was presented to me). I don't have
to run faster than the lion, I just have to run faster than you...;)
No system is completely secure, you just want to make yours an
unattractive target.

> So back to the original point:
> 
>   - you don't really know if you've been hacked unless you are
>     running something like Tripwire or similar or if you manage
>     to find some actual evidence
> 
>   - you can use the RPM database as a quick check (if you trust
>     it) to see what files have been modified:
> 
>       rpm -qa | xargs rpm -V
> 
>     This is very helpful for locating "root kits" that install
>     modified versions of common commands like ls, ps, etc.

Triggered memory.

Check Root Kit:
http://www.chkrootkit.org/

This is pretty good. But still, you have to evaluate the system
as a whole. And you cannot trust any individual tool to give you
the complete truth. Remember that your tools can be lying to you
if they've been compromised.

F.

> 
>   - you can dig through the logs in /var but, as Chris mentioned,
>     logs can be erased/modified by a successful attacker
> 
> hth,
> Ed
> 
> --
> Edward H. Hill III, PhD    |  Email:       ed at eh3.com, ehill at mines.edu
> Post-Doctoral Researcher   |  URLs:        http://www.eh3.com
> Division of ESE            |   http://wasser.mines.edu/people/edhill.php
> Colorado School of Mines   |  Phone:       303-273-3483
> Golden, CO  80401          |  Fax:         303-273-3311
> Key fingerprint = 5BDE 4DA1 66BE 4F7B BC17  3A0C 932B 7266 1E76 F123
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html

-- 
------------------------------------------------------------------
Frank Welty                |  15401 Weston Parkway, Suite 150
lfwelty at redback.com        |  Cary, NC 27513
Redback Networks           |  desk:919.678.2175 m: 919.264.7495
------------------------------------------------------------------
_______________________________________________
TriLUG mailing list
    http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ:
    http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
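A worked version of the two points above, Ed's `rpm -qa | xargs rpm -V` check (the same thing as `rpm -Va`) and Frank's warning that a compromised tool can lie to you. This is an added example, not code from anyone in the thread. It assumes the Red Hat era `rpm -V` output format: a flag column (S size, M mode, 5 MD5 sum, D device, L symlink target, U user, G group, T mtime; newer rpm adds a ninth P column), an optional file type letter (c for config, d for documentation), and the path, with "missing" in the flag column for files that are gone. The sample lines, the package file name under /mnt/cdrom and the mount point /mnt/suspect are constructed for the example.

```shell
#!/bin/sh
# Triage rpm -V output so the real signal (changed binaries, missing files)
# is not buried under mtime-only changes and edited config files.
#
# Output lines:  SUSPECT <path> <flags>   content/perms/ownership changed
#                MISSING <path>           file listed in the db is gone
#                NOISE   <path> <flags>   config/doc file or mtime only
classify_rpm_verify() {
  while read -r flags rest; do
    [ -z "$flags" ] && continue
    # rpm prints an optional file-type letter between the flags and the path.
    case "$rest" in
      [acdglr]" "*) ftype=${rest%% *}; path=${rest#* } ;;
      *)            ftype="";          path=$rest ;;
    esac
    if [ "$flags" = missing ]; then
      echo "MISSING $path"
      continue
    fi
    # Config (c) and documentation (d) files are expected to be edited.
    case "$ftype" in
      c|d) echo "NOISE $path $flags"; continue ;;
    esac
    # Size, mode, MD5, link target, user or group changed on a regular
    # file: that is what a swapped ls/ps/netstat looks like. T alone is
    # only a timestamp.
    case "$flags" in
      *[SM5LUG]*) echo "SUSPECT $path $flags" ;;
      *)          echo "NOISE $path $flags" ;;
    esac
  done
}

# Constructed sample of what rpm -Va might print on a box with a trojaned
# ls, ps and passwd, a rebuilt library, an edited sshd_config and a
# deleted netstat. Not real output from any host.
sample_rpm_verify_output() {
cat <<'EOF'
S.5....T   /bin/ls
..5....T   /bin/ps
.M.....T   /usr/bin/passwd
.......T   /usr/lib/libcrypt.so.1
S.5....T c /etc/ssh/sshd_config
missing    /usr/bin/netstat
EOF
}

# On the suspect host itself. This trusts /bin/rpm and /var/lib/rpm, both
# of which an intruder with root can rewrite, so a clean report here proves
# little; a dirty one is still useful.
local_rpm_triage() {
  rpm -Va 2>/dev/null | classify_rpm_verify | grep -v '^NOISE '
}

# Better: compare the installed files against the pristine package file
# from the install media instead of against the on-disk database.
# Example package path is illustrative.
verify_against_media() {
  rpm -Vp "${1:-/mnt/cdrom/RedHat/RPMS/fileutils-4.1-10.i386.rpm}" \
    | classify_rpm_verify | grep -v '^NOISE '
}

# Best: boot a rescue system, mount the suspect disk (here /mnt/suspect,
# assumed) and run the rescue system's own rpm against it. The database
# is still the suspect's, but the rpm binary and libraries are not.
verify_from_rescue() {
  rpm --root "${1:-/mnt/suspect}" -Va 2>/dev/null \
    | classify_rpm_verify | grep -v '^NOISE '
}

# "Your tools can be lying to you": cross-check ps against the shell's own
# glob of /proc. A trojaned ps hides PIDs; a PID in /proc that ps will not
# show deserves a look. This is the idea behind chkrootkit's chkproc, and
# a kernel-level kit can still fool it. A process that exits between the
# glob and the ps call shows up as a false positive.
hidden_pid_check() {
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    if ! ps -p "$pid" -o pid= >/dev/null 2>&1; then
      echo "HIDDEN? pid $pid: $(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)"
    fi
  done
}

if [ "${1:-}" = demo ]; then
  sample_rpm_verify_output | classify_rpm_verify
fi
```

Run it with `demo` to see the triage on the constructed sample, or pipe a real `rpm -Va` through `classify_rpm_verify`. The parser does not touch mtime-only hits or config files; that keeps a 7.x box with routine errata updates from drowning the three lines that matter.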