[TriLUG] Have I been compromised?

Jon Carnes jonc at nc.rr.com
Thu May 23 15:43:18 EDT 2002


All excellent suggestions... Also check the history file for root - see if 
you can find any illicit activities documented there.  

Use netstat to check what ports are open on your machine, or use nmap from 
an external box and scan your machine.  If you find open ports where none 
should be...

===
Here is a suggestion I've made before on the list: create a small partition 
(~200Mb) and backup various parts of your system to that partition
  /etc
  /bin
  /sbin
  /usr/bin
  /usr/sbin
  /usr/local/bin
  /usr/local/sbin
  /lib

Now mount the partition as read only or simply unmount it (and mount it 
only for running checks - or when you upgrade something).

Later when you want to check your system against compromise, simply compare 
your current files to the files on the small partition.  

I run a check every 10 minutes on each of my external boxes.  I only run 
the check against a subset of the files - mainly the files that I would use 
to see if I've been compromised (like ps, ls, find, netstat, etc...).  

Every time I upgrade, I get a warning so I know it works!

One additional benefit is that if you are hacked, you will have backups of 
all your config files and your executables.  It makes it much easier to 
"unhack" yourself.  Also, I've used it once to back out of an update that 
hosed my system (it was my fault... didn't read the README first).

Jon
===
On Thursday 23 May 2002 03:09 pm, lfwelty wrote:
> Check your logs, check your backdated logs.
> and
> rpm --verify --all
>
> would be a good start.
>
> man rpm for details.
>
> F.
>
> Chris Merrill wrote:
> > I've just read yet another story quoting that a default
> > Red Hat installation placed on the Internet will be
> > compromised within days.
> >
> > I have a RedHat 7.1 installation on TWC that has been
> > up for more than a year.  It is not a default installation,
> > since I usually don't install anything that I don't need.
> > But I also did not take any extraordinary security
> > measures (other than IPchains for firewall...since the
> > computer also acts as the gateway for other computers).
> >
> > I am running a few services:
> > - Postfix
> > - Apache
> > - Mailman
> > - Samba (only for brief times when I want to move files
> >    to/from a Windows box)
> >
> > I tried to turn off most other unneeded services.
> > I occasionally (every 3-4 weeks) log in and check
> > the logs to see if anyone else has logged in...but
> > if they could get in, I would assume they would
> > clean the logs.
> >
> > My question:
> > How would I know if my system had been compromised?
> >
> > *********************************
> > Chris Merrill
> > cmerrill at nc.rr.com
> > *********************************
> >
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
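The "compare the live files against the copies on the small partition" check Jon describes, written out as an added example (this is not code from the post or from any TriLUG member). It assumes the known-good copies live under a baseline mount point and the live system is rooted at `/`; the directory names used in the demo are constructed placeholders, and the demo trees themselves are built inline so the script runs offline. It also reports files that have gone missing, not only files that changed, which goes slightly beyond the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Compares the live copies of
# files against known-good copies kept on a separate partition that is normally
# unmounted or mounted read-only. BASELINE would be that partition's mount
# point (e.g. /mnt/baseline, a placeholder) and LIVE would be "/".

# Print one line per file whose live copy is missing or differs byte-for-byte
# from the baseline copy. Exit status 0 when everything matches, 1 otherwise.
check_integrity() {
    baseline=$1
    live=$2
    findings=$( (cd "$baseline" && find . -type f) | sort | while IFS= read -r rel; do
        if [ ! -e "$live/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$baseline/$rel" "$live/$rel"; then
            echo "CHANGED $rel"
        fi
    done )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample trees for the demo: a baseline holding three "binaries"
# and a live tree where one has been replaced and one removed.
make_demo_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/baseline/bin" "$root/live/bin"
    for f in ps ls netstat; do
        printf 'original %s\n' "$f" > "$root/baseline/bin/$f"
        cp "$root/baseline/bin/$f" "$root/live/bin/$f"
    done
    printf 'replaced\n' > "$root/live/bin/ls"   # simulated tampered binary
    rm "$root/live/bin/netstat"                  # simulated deleted binary
    echo "$root"
}

# Number of findings the check reports for the constructed trees (expected: 2).
demo_finding_count() {
    root=$(make_demo_trees)
    check_integrity "$root/baseline" "$root/live" | wc -l | tr -d ' '
    rm -rf "$root"
}

# Example crontab entry for the ten-minute cadence the post mentions; the
# script path and the mount point are placeholders:
#   */10 * * * * /path/to/check_integrity.sh /mnt/baseline / | mail -s integrity root
```

Keep the check script itself, and the `cmp`/`find` binaries it calls, on the baseline partition as well: the point of the exercise is that the tools used for the comparison are not the ones an intruder could have replaced.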


