[TriLUG] Have I been compromised?
Ed Hill
ed at eh3.com
Thu May 23 15:18:37 EDT 2002
On Thu, 2002-05-23 at 11:57, Tanner Lovelace wrote:
> On Thu, 2002-05-23 at 13:35, Chris Merrill wrote:
> > I've just read yet another story quoting that a default
> > Red Hat installation placed on the Internet will be
> > compromised within days.
>
> Actually days is probably optimistic. I've heard of
> default redhat boxes that were compromised within hours
> or even minutes of being placed on the net (yes, I said
> minutes). The HoneyNet project has more information about
> stuff like this.
And as a counter to Tanner's paranoia, let me offer some data points. I
have more than a half-dozen mostly default Red Hat Linux boxes plugged
in to two *campus* (notorious for frequent break-ins) networks even as I
type this email. They are a mix of RH 7.1, 7.2, and 7.3. I had *one*
break-in problem back with the RH 6.x series when, by default, all sorts
of services were turned on and there was no (default) firewall.
With the RH 7.x series and its default firewall and better default
configurations (e.g. sendmail now only listens to the localhost, etc.),
I've had no (AFAIK) break-ins.
This is not to say that the aforementioned machines haven't, can't, or
won't be hacked into. It's just that some folks are a lot more paranoid
than others. Perhaps some of it is justified. I'm very tired of
hearing exaggerated claims of how quickly Red Hat Linux boxes will
(notice, I didn't say "can") get compromised when connected to
high-speed public networks. My experience just doesn't reflect it. Why is
that?
While we're on the topic, another thing to consider is risk. I'm only
dealing with very boring (to most folks) environmental research data. I
have no credit card numbers or other valuable/sensitive information on
these machines. Of course, crackers probably don't know what I do/don't
have and may not care. But I do and its value gives me some idea how
much effort should be spent in its defense. I do routine, archival
backups so my boring data won't be readily lost to crackers or hardware
failure.
So back to the original point:
- you don't really know if you've been hacked unless you are
  running something like Tripwire or similar or if you manage
  to find some actual evidence
- you can use the RPM database as a quick check (if you trust
  it) to see what files have been modified:
      rpm -qa | xargs rpm -V
  This is very helpful for locating "root kits" that install
  modified versions of common commands like ls, ps, etc.
- you can dig through the logs in /var but, as Chris mentioned,
  logs can be erased/modified by a successful attacker
hth,
Ed
--
Edward H. Hill III, PhD | Email: ed at eh3.com, ehill at mines.edu
Post-Doctoral Researcher | URLs: http://www.eh3.com
Division of ESE | http://wasser.mines.edu/people/edhill.php
Colorado School of Mines | Phone: 303-273-3483
Golden, CO 80401 | Fax: 303-273-3311
Key fingerprint = 5BDE 4DA1 66BE 4F7B BC17 3A0C 932B 7266 1E76 F123
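The `rpm -qa | xargs rpm -V` check suggested above produces a lot of noise (config files, docs, touched mtimes). The following is an added example, not part of Ed's mail, that filters that output down to the findings worth chasing when hunting modified system binaries; the sample `rpm -V` output is constructed and embedded so the script runs without rpm present.

```shell
#!/bin/sh
# Added example: filter `rpm -qa | xargs rpm -V` output for root-kit hunting.
# Input below is CONSTRUCTED sample output, so this runs without rpm.
#
# rpm -V prints one line per file that fails a test: an attribute string
# (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime;
# newer rpm adds P; '.' = test passed) or the word "missing", an optional
# file-type letter (c = config, d = doc, ...), then the path.
# Caveat from the mail: this trusts the RPM database itself, which a root
# intruder can also rewrite, so treat it as a quick check, not proof.

SAMPLE_OUTPUT='S.5....T   /bin/ls
S.5....T   /bin/ps
.......T c /etc/sysconfig/network
S.5....T c /etc/ssh/sshd_config
.....U.. d /usr/share/doc/foo/README
missing    /sbin/ifconfig
.M......   /usr/bin/passwd'

# suspicious_files: read rpm -V lines on stdin, print paths of non-config,
# non-doc files whose size (S), digest (5) or mode (M) changed, or which are
# missing. A changed mtime alone (T) is ignored; upgrades and touch cause it.
suspicious_files() {
    awk '
        NF == 3 { flags = $1; type = $2; path = $3 }   # flags type path
        NF == 2 { flags = $1; type = "";  path = $2 }   # flags path
        NF < 2  { next }
        # Config and documentation files change legitimately; skip them.
        type == "c" || type == "d" { next }
        flags == "missing" || flags ~ /[S5M]/ { print path }
    '
}

# count_suspicious: number of findings the constructed sample yields.
count_suspicious() {
    printf '%s\n' "$SAMPLE_OUTPUT" | suspicious_files | wc -l | tr -d ' '
}

# Live use on a real box:  rpm -qa | xargs rpm -V | suspicious_files
printf '%s\n' "$SAMPLE_OUTPUT" | suspicious_files
```

On the sample above the filter keeps /bin/ls, /bin/ps, /sbin/ifconfig and /usr/bin/passwd, and drops the config, doc and mtime-only lines.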