LinuxQuestions.org > Linux - Security > Hacked? (https://www.linuxquestions.org/questions/linux-security-4/hacked-16840/)

DiBosco 03-22-2002 04:32 PM

Hacked?
 
It would appear that my wife's small company's network has been hacked. I've just spent a very frustrating couple of hours trying to find out why the Internet access isn't working.

In her Slackware (machine acting as the file and e-mail server) home directory, many of the files were owned by "1007" - an ID that doesn't exist in /etc/passwd.

I have a Smoothwall machine acting as a firewall, but I'm guessing someone has managed to get past it.

Can anyone tell me whether there's a way of definitely telling whether the network has been entered and tampered with?

Cheers,

Rob

trickykid 03-23-2002 01:54 AM

log files..

-trickykid

DiBosco 03-24-2002 05:15 AM

Thanks, Trickykid. As there's a plethora of log files, which ones are the ones that will help me in this case?

unSpawn 03-24-2002 11:01 AM

First of all, I hope it's clear to you that you should disconnect the network from the 'net pending your investigations, because if any box has a trojaned network service, chances are they'll be coming in through the backdoor until you (can) act on it, or you could be inadvertently running a hidden kernel module dumped there by some rootkit, or be logging in through a trojaned login binary. A "decent" rootkit installs trojaned binaries of at least ps, ls, du, find, inetd, login, netstat, passwd, pidof, syslogd. All in all, good reasons to stay disconnected until you *know* you're safe.

There's lotsa stuff to do searches for if you want to inspect a system manually; starting with a clue about which services were running can help narrow down the time. Review your networked services' versions and configurations, for instance wu-ftpd and/or allowing anonymous rw access, running telnetd, running sshd protocol version 1, running old bind, not using TCP-wrappers, no firewall, etc, etc.
Now head on over to the logfiles.

Unfortunately, logfile entries like those from {u|w}tmp can be zapped, and other logs can be truncated, so this isn't a definitive way to rely on for clues of compromise. Logfiles you would like to check are all those belonging to networked services (ftp, bind, ssh, rpc etc etc) and firewalls, security and logins, crontabs.
Next we'll try to handle binaries.

Since you're using an rpm-based distro, verifying against a recent (floppy; read-only) copy of the rpm database could give you some clues on the state of installed sw (only the rpm stuff of course), and if you deployed a file integrity scanner like Aide, Samhain, Viper or Tripwire, a scan (again, against off-disk, read-only databases) would/could show modified stuff.

If you didn't do/have the above, download chkrootkit to test your disk for trojaned binaries. Make sure you load it with the safe path option where your trusted binaries are, or mount the disk for examination on a trusted system.

If there's too much doubt or too many positives coming up, save your *humanly readable* data, and reinstall from scratch. Have a look here for some ideas on securing them boxes some more.

HTH somehow.
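Two of the manual checks unSpawn describes above (files owned by a UID with no passwd entry, which is the "1007" symptom from the first post, and comparing binaries against a baseline taken earlier and kept off-disk), written out as an added shell example. This is not code from the thread or from any of the tools named in it; it assumes GNU find, sha256sum and awk, and the file names, sample passwd lines and sample `find` listing below are constructed for the demo. It takes its inputs as files so it can be run from a trusted system against a mounted suspect disk rather than trusting the suspect box's own `find` and `ls`, which is the point of the trojaned-binaries warning.

```bash
#!/bin/bash
# Added example (not part of the thread): hand-rolled versions of two of the
# checks unSpawn lists, usable without a package manager or chkrootkit.
#   unknown_owners  - files whose owner UID has no entry in a passwd file
#   integrity_check - diff a directory tree against a SHA-256 baseline
# Run the functions from a trusted system against a mounted copy of the
# suspect disk; running them on the suspect box trusts its find/awk/sha256sum.
set -u

# unknown_owners PASSWD LISTING
#   PASSWD  : a passwd(5) file, normally the suspect system's /etc/passwd
#   LISTING : lines of "<uid> <path>", e.g. from  find / -xdev -printf '%U %p\n'
# Prints every listing line whose UID is not defined in PASSWD.
# (find -nouser does the same thing live, but relies on the live find binary.)
unknown_owners() {
    awk 'FILENAME == ARGV[1] { split($0, f, ":"); known[f[3]] = 1; next }
         !($1 in known) { print }' "$1" "$2"
}

# make_baseline DIR OUT
#   Writes "sha256  ./relative/path" for every regular file under DIR to OUT.
#   Store OUT somewhere the suspect system cannot reach (floppy, read-only).
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# integrity_check DIR BASELINE
#   Prints "MODIFIED", "MISSING" or "NEW" followed by the relative path for
#   every difference between DIR now and BASELINE; prints nothing if clean.
#   Paths are taken from field 2 of sha256sum output, so paths containing
#   spaces are not handled (constructed demo data has none).
integrity_check() {
    local dir=$1 base=$2 cur
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    # same path in both, different hash
    awk 'FILENAME == ARGV[1] { h[$2] = $1; next }
         ($2 in h) && h[$2] != $1 { print "MODIFIED " $2 }' "$base" "$cur"
    # in the baseline, gone from disk
    awk 'FILENAME == ARGV[1] { seen[$2] = 1; next }
         !($2 in seen) { print "MISSING " $2 }' "$cur" "$base"
    # on disk now, never recorded in the baseline
    awk 'FILENAME == ARGV[1] { seen[$2] = 1; next }
         !($2 in seen) { print "NEW " $2 }' "$base" "$cur"
    rm -f "$cur"
}

# demo: constructed inputs showing both checks firing
demo() {
    local work; work=$(mktemp -d)
    # constructed passwd with no UID 1007, and a constructed find listing
    printf 'root:x:0:0:root:/root:/bin/bash\nrob:x:1000:100::/home/rob:/bin/bash\n' > "$work/passwd"
    printf '1000 /home/rob/.bashrc\n1007 /home/rob/.rhosts\n1007 /home/rob/.ssh/authorized_keys\n0 /home/rob/.profile\n' > "$work/listing"
    echo "== files owned by unknown UIDs =="
    unknown_owners "$work/passwd" "$work/listing"

    # constructed bin tree: take a baseline, then tamper with it
    mkdir -p "$work/bin"
    printf 'original ls\n'      > "$work/bin/ls"
    printf 'original ps\n'      > "$work/bin/ps"
    printf 'original netstat\n' > "$work/bin/netstat"
    make_baseline "$work/bin" "$work/baseline.sha256"
    printf 'trojaned ps\n' > "$work/bin/ps"   # replaced binary
    rm "$work/bin/netstat"                    # removed binary
    printf 'sniffer\n' > "$work/bin/.x"       # new hidden file
    echo "== integrity check against baseline =="
    integrity_check "$work/bin" "$work/baseline.sha256"
    rm -rf "$work"
}

case ${1:-} in demo) demo ;; esac
```

Run with `bash triage.sh demo` to see both checks report on the constructed data; for a real case, generate the listing and baseline from the mounted suspect filesystem and keep the baseline file read-only and off the machine being checked.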
