[TriLUG] invisible directories...
Jon Carnes
jonc at nc.rr.com
Tue Apr 22 14:24:12 EDT 2003
On Tue, 2003-04-22 at 11:20, Turnpike Man wrote:
> So besides all the scripts needed to compare binaries every 10 minutes
> (something I'm still clueless of how to do)...
>
Tripwire will do this for you, but before that came along I ran
something like the following script - every 10 minutes on my external
boxes.
====== file_chks ======
#! /bin/bash
# check run on the base files (periodically)
#
# First run: store a private copy of each key binary under /etc/chk.
# Every later run: diff the live binary against its stored copy; diff is
# silent when nothing changed, so any output at all is an alert.
#
# -d tests for the directory itself (-s would also be true for any
# non-empty file or directory and is not the intended test)
if [ ! -d /etc/chk ];
then
echo "First time run... Creating /etc/chk and storing base files"
mkdir /etc/chk
chmod o-wrx /etc/chk
cp /bin/df /etc/chk/1.chk
cp /bin/find /etc/chk/2.chk
cp /bin/ls /etc/chk/3.chk
cp /bin/netstat /etc/chk/4.chk
cp /bin/ping /etc/chk/5.chk
cp /bin/ps /etc/chk/6.chk
cp /usr/bin/du /etc/chk/7.chk
cp /usr/sbin/lsof /etc/chk/8.chk
# cp /etc/passwd /etc/chk/p.chk
# cp /etc/group /etc/chk/g.chk
fi
# compare the current files with the stored base files
diff /bin/df /etc/chk/1.chk
diff /bin/find /etc/chk/2.chk
diff /bin/ls /etc/chk/3.chk
diff /bin/netstat /etc/chk/4.chk
diff /bin/ping /etc/chk/5.chk
diff /bin/ps /etc/chk/6.chk
diff /usr/bin/du /etc/chk/7.chk
diff /usr/sbin/lsof /etc/chk/8.chk
# diff /etc/passwd /etc/chk/p.chk
# diff /etc/group /etc/chk/g.chk
======
I used to monitor /etc/passwd and /etc/group (and /etc/shadow) on my
external boxes as well. I always knew when one of my admins changed a
password or added a user.
BTW: I typed this one in from memory as I now use tripwire.
Take care - Jon Carnes
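A hash-based variant of the file_chks check, added here as an example and not part of Jon's message: instead of keeping a full copy of every binary under /etc/chk, it records a sha256 baseline and reports files whose digest changed or which have disappeared. The baseline path and the binaries fed to it are assumptions for the example.

```shell
#!/bin/bash
# Added example: hash-based file integrity check in the spirit of file_chks.
# A sha256 baseline replaces the stored copies in /etc/chk; each run reports
# binaries whose digest changed or which are missing. Paths are assumptions.
#
# Usage (not run here):
#   baseline_create /etc/chk/base.sha256 /bin/df /bin/find /bin/ls /bin/ps
#   baseline_check  /etc/chk/base.sha256 | mail -s "file_chks $(hostname)" admins

# baseline_create BASELINE FILE...
# Writes one "digest  path" line per file (sha256sum's native output format).
baseline_create() {
    local base="$1"; shift
    local f
    : > "$base" || return 1
    for f in "$@"; do
        sha256sum "$f" >> "$base" || return 1
    done
    # The baseline is only as trustworthy as its storage: make it read-only
    # here, and keep a copy off the box so an edited baseline or a replaced
    # sha256sum binary cannot hide a change.
    chmod 0400 "$base"
}

# baseline_check BASELINE
# Prints "CHANGED path" or "MISSING path" for each problem and returns the
# number of problems (0 means everything still matches the baseline).
baseline_check() {
    local base="$1" digest path cur bad=0
    while read -r digest path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$digest" ]; then
            echo "CHANGED $path"
            bad=$((bad + 1))
        fi
    done < "$base"
    return "$bad"
}
```

Run from cron every ten minutes as Jon did, the non-zero return code and the CHANGED/MISSING lines are what you mail out; a clean run prints nothing.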
> --- Jon Carnes wrote:
> > I'm guessing that they got in via Samba. There was a recent exploit
> > that was advertised and if they didn't update their samba then it would
> > be easy for a script kiddie to auto-scan and implant a root kit.
> >
> > One easy way of testing your machines is to do regular scans of your
> > exposed network with nmap. Simply store the tests in a file and then do
> > a diff against each new scan. Mail the diffs to your admin group.
> >
> > Standard root kits will open some bizarre ports on your box and those
> > will show up immediately. Subtler root kits have your box check into an
> > IRC channel on a regular basis and look for commands dropped off by
> > their "master". The moral: block any and *all* ports that your server
> > does not use, both incoming and outgoing. The root kit will then be
> > forced to drop your firewall in order to work, and then your server will
> > show up like a lit Christmas tree at midnight on your network scan.
> >
> > Couple that with running a compare against known good binaries every ten
> > minutes and you'll be fairly safe (or at least you'll know when you've
> > been hacked).
> >
> > Good Luck - Jon Carnes
>