LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-22-2002, 04:32 PM   #1
DiBosco
Member
 
Registered: Nov 2001
Location: Manchester, UK
Distribution: Mandriva, Mandriva, Mandriva. (Three different releases depending on the computer)
Posts: 703
Hacked?


It would appear that my wife's small company's network has been hacked. I've just spent a very frustrating couple of hours trying to find out why the Internet access isn't working.

In her Slackware (machine acting as the file and e-mail server) home directory, many of the files were owned by "1007" - an ID that doesn't exist in /etc/passwd.

I have a Smoothwall machine acting as a firewall, but I'm guessing someone has managed to get past it.

Can anyone tell me whether there's a way of definitely telling whether the network has been entered and tampered with?

Cheers,

Rob
 
Old 03-23-2002, 01:54 AM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133
log files..

-trickykid
 
Old 03-24-2002, 05:15 AM   #3
DiBosco
Member
 
Registered: Nov 2001
Location: Manchester, UK
Distribution: Mandriva, Mandriva, Mandriva. (Three different releases depending on the computer)
Posts: 703

Original Poster
Thanks, Trickykid. As there's a plethora of log files, which ones are the ones that will help me in this case?
 
Old 03-24-2002, 11:01 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
First of all I hope it's clear to you that you should disconnect the network from the 'net pending your investigations, because if any box has a trojaned network service, chances are they'll be coming in through the backdoor until you (can) act on it, or you could be inadvertently running a hidden kernel module dumped there by some rootkit, or be logging in through a trojaned login binary. A "decent" rootkit installs trojaned binaries of at least ps, ls, du, find, inetd, login, netstat, passwd, pidof, syslogd. All in all good reasons to stay disconnected until you *know* you're safe.

There's lots of stuff to do searches for if you want to inspect a system manually; starting with a clue what services were running can help narrow down time. Review your networked services' versions and configurations, for instance wu-ftpd and/or allowing anonymous rw access, running telnetd, running sshd protocol version 1, running old bind, not using TCP-wrappers, no firewall, etc, etc.
Now head on over to the logfiles.

Unfortunately logfile entries like those from {u|w}tmp can be zapped, and other logs can be truncated, so this isn't a definitive way to rely on for clues of compromise. Logfiles you would like to check are all those belonging to networked services (ftp, bind, ssh, rpc etc etc) and firewalls, security and logins, crontabs.
Next we'll try to handle binaries.

Since you're using an rpm-based distro, verifying against a recent (floppy; read-only) copy of the rpm database could give you some clues on the state of installed sw (only the rpm stuff of course), and if you deployed a file integrity scanner like Aide, Samhain, Viper or Tripwire, a scan (again, against off-disk, read-only databases) would/could show modified stuff.

If you didn't do/have the above, download chkrootkit to test your disk for trojaned binaries. Make sure you load it with the safe path option where your trusted binaries are, or mount the disk for examination on a trusted system.

If there's too much doubt or positives coming up, save your *humanly readable* data, and reinstall from scratch. Have a look here for some ideas on securing them boxes some more.

HTH somehow.
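As an added worked example (not code from this thread), a POSIX shell script for two of the checks discussed above: flagging files owned by a UID that has no entry in a known-good passwd copy, which is what DiBosco saw with "1007", and comparing current file hashes against a baseline manifest that was stored off-disk while the box was clean. The passwd lines and find output below are constructed sample data; `sha256sum`, `awk` and `find -printf` are assumed to be available from a trusted path.

```shell
#!/bin/sh
# Added example, not code from the thread. Both checks are meant to be run from a
# trusted shell, with the passwd copy and the baseline manifest taken from
# read-only media that were written before any compromise.

# orphan_owners PASSWD_COPY  reads "UID PATH" lines on stdin (the output of
#   find / -xdev -printf '%U %p\n') and prints those whose UID has no passwd
#   entry, e.g. DiBosco's files owned by "1007".
orphan_owners() {
    awk 'NR == FNR { split($0, f, ":"); known[f[3]] = 1; next }   # passwd: field 3 is the UID
         $1 ~ /^[0-9]+$/ && !($1 in known) { print }' "$1" -
}

# changed_files BASELINE  checks a sha256sum manifest made while the box was
#   known-good and prints each path whose hash no longer matches (or is gone).
changed_files() {
    sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Constructed sample data (not from any real system) so the block runs offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
rob:x:1000:1000:Rob:/home/rob:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin'
SAMPLE_FIND='0 /etc/passwd
1000 /home/rob/letter.txt
1007 /home/rob/.bash_history
1007 /home/rob/mail/inbox
8 /var/spool/mail/rob'

# demo_orphans prints the orphaned entries from the sample data (the two 1007 files).
demo_orphans() {
    pw=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_FIND" | orphan_owners "$pw"
    rm -f "$pw"
}

# demo_changed builds two fake "binaries", records a baseline, tampers with one,
# and prints the name of the file that changed.
demo_changed() {
    d=$(mktemp -d)
    printf 'real ps\n' > "$d/ps"; printf 'real ls\n' > "$d/ls"
    sha256sum "$d/ps" "$d/ls" > "$d/baseline.sha256"   # kept off-disk in real use
    printf 'trojaned ps\n' > "$d/ps"
    changed_files "$d/baseline.sha256" | sed "s|^$d/||"
    rm -rf "$d"
}

demo_orphans
demo_changed
```

On a real system the `find -printf` output would be piped into `orphan_owners` with the passwd copy from the trusted medium, and `changed_files` run against the manifest made at install time.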