[TriLUG] Suspicious behavior: have I been hacked?
Andrew Perrin
clists at perrin.socsci.unc.edu
Sun Feb 23 22:26:17 EST 2003
I use Debian, not Red Hat, so I can't use the .rpm advice. I checked most
of the important binaries (top, ps, ls, bash) with an off-net Debian
machine of the same generation and found no differences in date or
size. netstat shows nothing very interesting either.
ap
----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
On Sun, 23 Feb 2003, Chris Hedemark wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Also a lot of rootkits are not smart enough to cover their tracks in
> the rpm database, so you can use rpm to compare what it thinks should
> be there with what is really there.
>
> On Sunday, February 23, 2003, at 10:08 PM, Jon Carnes wrote:
>
> > Boot with a rescue disk and check out your system. In particular look
> > at the dates on your library files and on key binaries like top, ls, ps,
> > netstat, etc... If you have another system running the same distro you
> > can check your binaries against those.
> >
> > Using an unhacked netstat is a good way to find out if you've started to
> > send/receive on ports that you shouldn't.
> >
> > This job is much easier if you have a back-up to compare with.
> > Personally I use an unmounted partition with a copy of my etc and my
> > /bin, /sbin, /usr/bin, /usr/sbin, and /lib directories. I can mount the
> > partition read-only and run an automated checkup on my system using
> > scripts and binaries located on the partition.
> >
> > Good Luck - Jon Carnes
> >
> > On Sun, 2003-02-23 at 21:48, Andrew Perrin wrote:
> >> I came upstairs after a weekend mostly away from my computer to find it
> >> in a nearly-hung state. Load (by top) was >10, and there were numerous
> >> /USR/SBIN/CRON entries which, from the logs, look like they were trying
> >> to run exim sessions:
> >>
> >> Feb 23 07:38:01 joehill /USR/SBIN/CRON[13821]: (mail) CMD ( if [ -x
> >> /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ;
> >> fi)
> >> Feb 23 07:53:01 joehill /USR/SBIN/CRON[13829]: (mail) CMD ( if [ -x
> >> /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ;
> >> fi)
> >>
> >>
> >> (etc., etc.)
> >>
> >> The other thing in the ps listing was several (three I think) instances
> >> of:
> >>
> >> modprobe -s -k -- net-pf-10
> >>
> >> I do not have such a module, either loaded or available on the disk.
> >>
> >> What's particularly worrisome is that this machine is behind another
> >> machine running NAT, so it has only a private (192.168.0.x) address. The
> >> NAT machine has nothing particularly suspicious about it. last commands
> >> on both machines show only me logging in.
> >>
> >> I would be a happier person if someone could provide a non-suspicious
> >> explanation for this.
> >>
> >>
> >> Thanks.
> >>
> >> ----------------------------------------------------------------------
> >> Andrew J Perrin - http://www.unc.edu/~aperrin
> >> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> >> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
> >>
> >>
> >> _______________________________________________
> >> TriLUG mailing list
> >> http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ:
> >> http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> >
>
> Chris Hedemark
> PGP/GnuPG Public Key at http://yonderway.com/chris/hedemark.gpg
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (Darwin)
>
> iD8DBQE+WY/0YPuF4Zq9lvYRAlaHAKDbXzFt41zNf/PwXRfxwRVzwfQ7MwCfSv3u
> kQY1+gON2bjUQWsjxDBRWf0=
> =Jvbh
> -----END PGP SIGNATURE-----
>
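Jon Carnes's advice above is to keep a read-only partition with known-good copies of /etc, /bin, /sbin, /usr/bin, /usr/sbin and /lib and run an automated comparison against it. The script below is an added example of that comparison; it is not code from the thread or from any of its posters. It compares SHA-256 digests and permission bits rather than the dates and sizes Andrew checked, because a replaced binary can be padded and touched to match the original's size and mtime, and a setuid bit added to an otherwise identical file would pass a size check too. TRUSTED_ROOT and LIVE_ROOT are assumed mount points, CHECKED_DIRS is taken from Jon's message, and the demo trees are constructed placeholder data, not real executables.

```python
#!/usr/bin/env python3
"""Verify live system binaries against a trusted copy (added example).

Assumed layout: TRUSTED_ROOT is the mounted, read-only partition holding
known-good copies of the directories Jon Carnes lists; LIVE_ROOT is "/" on
the suspect machine. Both are assumptions, not paths from the thread.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Directories from Jon Carnes's message, relative to each root.
CHECKED_DIRS = ("etc", "bin", "sbin", "usr/bin", "usr/sbin", "lib")
TRUSTED_ROOT = "/mnt/trusted"   # assumption: where the read-only copy is mounted
LIVE_ROOT = "/"                 # assumption: the running system


def sha256_of(path):
    """Digest a file in chunks so large libraries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, dirs=CHECKED_DIRS):
    """Return {relative path: (sha256, permission bits)} for every regular
    file below the listed directories. Symlinks are not followed and only
    regular files are digested, so a link or device node cannot stand in
    for a binary."""
    root = Path(root)
    manifest = {}
    for d in dirs:
        base = root / d
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base, followlinks=False):
            for name in files:
                p = Path(dirpath) / name
                st = p.lstat()
                if stat.S_ISREG(st.st_mode):
                    rel = p.relative_to(root).as_posix()
                    manifest[rel] = (sha256_of(p), stat.S_IMODE(st.st_mode))
    return manifest


def compare(trusted, live):
    """Classify every path: changed content or mode, gone from the live
    system, or present on the live system but absent from the baseline."""
    return {
        "modified": sorted(r for r in trusted if r in live and trusted[r] != live[r]),
        "missing": sorted(r for r in trusted if r not in live),
        "extra": sorted(r for r in live if r not in trusted),
    }


def make_demo_trees(base):
    """Constructed sample data: a trusted tree and a live tree in which ps was
    replaced by a file of the same size, netstat was removed and an unknown
    binary appeared. Contents are placeholders, not real executables."""
    base = Path(base)
    trusted, live = base / "trusted", base / "live"
    for root in (trusted, live):
        (root / "bin").mkdir(parents=True)
        for name in ("ls", "ps"):
            f = root / "bin" / name
            f.write_bytes(b"\x7fELF original " + name.encode())
            f.chmod(0o755)
    (trusted / "bin" / "netstat").write_bytes(b"\x7fELF original netstat")
    # Same length as the original and mode left intact: a size-only comparison
    # reports nothing here, while the digest comparison flags the file.
    (live / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")
    (live / "bin" / "unexpected").write_bytes(b"\x7fELF not in baseline")
    return trusted, live


def run_demo():
    """Build the sample trees in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, live = make_demo_trees(tmp)
        return compare(build_manifest(trusted), build_manifest(live))


if __name__ == "__main__":
    # Against a real system you would instead run:
    #   compare(build_manifest(TRUSTED_ROOT), build_manifest(LIVE_ROOT))
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Run it from the rescue environment, with both the script and the Python interpreter taken from the trusted partition, for the same reason Jon keeps his scripts and binaries there: a checker executed with the suspect machine's own tools is only as trustworthy as those tools. The manifest of the trusted tree can be generated once and stored on the read-only partition, so later checks need only digest the live system.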