[TriLUG] Suspicious behavior: have I been hacked?

Chris Hedemark chrish at trilug.org
Sun Feb 23 22:22:23 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also, a lot of rootkits are not smart enough to cover their tracks in 
the rpm database, so you can use rpm to compare what it thinks should 
be there with what is really there.

On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:

> boot with a rescue disk and check out your system.  In particular look
> at the dates on your library files and on key binaries like top, ls, ps,
> netstat, etc...  If you have another system running the same distro you
> can check your binaries against those.
>
> Using an unhacked netstat is a good way to find out if you've started to
> send/receive on ports that you shouldn't.
>
> This job is much easier if you have a back-up to compare with.
> Personally I use an unmounted partition with a copy of my etc and my
> /bin, /sbin, /usr/bin, /usr/sbin, and /lib directories.  I can mount the
> partition read-only and run an automated checkup on my system using
> scripts and binaries located on the partition.
>
> Good Luck - Jon Carnes
>
> On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
>> I came upstairs after a weekend mostly away from my computer to find it
>> in a nearly-hung state. Load (by top) was >10, and there were numerous
>> /USR/SBIN/CRON entries which, from the logs, look like they were trying
>> to run exim sessions:
>>
>> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
>> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD (  if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
>>
>>
>> (etc., etc.)
>>
>> The other thing in the ps listing was several (three I think) instances
>> of:
>>
>> modprobe -s -k -- net-pf-10
>>
>> I do not have such a module, either loaded or available on the disk.
>>
>> What's particularly worrisome is that this machine is behind another
>> machine running NAT, so it has only a private (192.168.0.x) address. The
>> NAT machine has nothing particularly suspicious about it. last commands
>> on both machines show only me logging in.
>>
>> I would be a happier person if someone could provide a non-suspicious
>> explanation for this.
>>
>>
>> Thanks.
>>
>> ----------------------------------------------------------------------
>> Andrew J Perrin - http://www.unc.edu/~aperrin
>> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
>> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
>>
>>
>> _______________________________________________
>> TriLUG mailing list
>>     http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ:
>>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>

Chris Hedemark
PGP/GnuPG Public Key at http://yonderway.com/chris/hedemark.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+WY/0YPuF4Zq9lvYRAlaHAKDbXzFt41zNf/PwXRfxwRVzwfQ7MwCfSv3u
kQY1+gON2bjUQWsjxDBRWf0=
=Jvbh
-----END PGP SIGNATURE-----
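The two checks suggested in this thread (Chris's "ask rpm what should be there" and Jon's "compare against a known-good copy on a read-only partition, using only the binaries on that partition") as a small script. This is an added example, not code posted by anyone on the list. It assumes a hypothetical read-only partition mounted at /mnt/trusted that mirrors /bin, /sbin, /usr/bin, /usr/sbin and /lib; the sample `rpm -Va` lines in the comments are constructed. Two caveats a practitioner would add: `rpm -Va` reads the live rpm database, so it only catches rootkits that did not also edit that database, and both checks must run from Jon's rescue-disk boot with PATH pointing at the trusted partition, because a kernel-level rootkit on the running system can lie to any tool that runs under it.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any of its authors.
# Two checks a rescue-disk session can run against a suspect root:
#   rpm_verify_suspects  - reduce `rpm -Va` output to the lines that matter
#   baseline_check       - diff a live tree against a known-good copy
# Assumed (hypothetical, not from the page): the known-good copy is a
# read-only partition mounted at $TRUSTED that mirrors /bin, /sbin,
# /usr/bin, /usr/sbin and /lib, and its own checksum tools are used.

# Read `rpm -Va` lines from stdin. Each line is either
#   missing     /path
#   <flags>  [attr] /path      e.g. "S.5....T  c /etc/exim/exim.conf"
# where flags S=size, M=mode, 5=MD5, D=device, L=link, U=user, G=group,
# T=mtime. Config files (attr c) and ghost files (attr g) are expected to
# differ and are skipped; an mtime-only change is not reported either.
rpm_verify_suspects() {
    while read -r flags rest; do
        case "$rest" in
            [a-z]" "*) attr="${rest%% *}"; path="${rest#* }" ;;
            *)         attr="";            path="$rest"      ;;
        esac
        case "$attr" in c|g) continue ;; esac
        case "$flags" in
            missing)  echo "MISSING  $path" ;;
            *5*|S*)   echo "CHANGED  $path ($flags)" ;;
        esac
    done
}

# Compare every regular file under the known-good tree $1 with the same
# relative path under the live tree $2. Prints one line per difference
# and returns the number of differences (0 = clean). Paths with spaces
# are not handled; the directories this is meant for do not have them.
baseline_check() {
    base="$1"; live="$2"; bad=0
    for rel in $(cd "$base" && find . -type f | sed 's|^\./||'); do
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING  /$rel"; bad=$((bad + 1)); continue
        fi
        # cksum is POSIX and prints "crc size" when reading stdin, so the
        # two outputs compare without the file names getting in the way.
        # On a real run PATH must point at the trusted partition's cksum.
        if [ "$(cksum < "$base/$rel")" != "$(cksum < "$live/$rel")" ]; then
            echo "MODIFIED /$rel"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run both checks from a rescue boot with the suspect root mounted at /
# (or chrooted) and the trusted copy mounted read-only at $TRUSTED.
check_host() {
    TRUSTED="${TRUSTED:-/mnt/trusted}"
    # Trust only the binaries on the read-only partition, including rpm.
    PATH="$TRUSTED/bin:$TRUSTED/usr/bin:$TRUSTED/sbin:$TRUSTED/usr/sbin"
    export PATH
    echo "== rpm -Va (trusted rpm, live rpm database) =="
    rpm -Va 2>/dev/null | rpm_verify_suspects
    for d in bin sbin usr/bin usr/sbin lib; do
        echo "== /$d against $TRUSTED/$d =="
        baseline_check "$TRUSTED/$d" "/$d"
    done
}

case "${1:-}" in --check) check_host ;; esac
```

Invoked as `./integrity.sh --check` it prints one line per binary or library that differs from the trusted copy and one per package file whose size or MD5 no longer matches the rpm database. A changed mtime alone is deliberately not reported, since legitimate updates touch it too; size or checksum changes on /bin/ps, /bin/ls or /bin/netstat are what this thread is looking for.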
