LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-20-2004, 02:19 PM   #1
consty
Member
 
Registered: Feb 2004
Location: Douala-Cameroun
Distribution: RedHAt 9 ES
Posts: 85

Rep: Reputation: 15
Hackers


Hi,
I would like to know the files a hacker can modify in my DNS server under RedHat 9. How can I trace them? Thanks for the help.
 
Old 08-20-2004, 03:18 PM   #2
SocialEngineer
Member
 
Registered: May 2003
Distribution: Slackware
Posts: 236

Rep: Reputation: 30
If a hacker can gain root access, they can modify any file. Otherwise they are limited to the files available to whatever user they have shell access to.
 
Old 08-20-2004, 04:02 PM   #3
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi

To see the tracks of any hacker you need to keep a tab on the utmp and wtmp files.

regards
gaurav
 
Old 08-20-2004, 04:16 PM   #4
RHLinuxGUY
Member
 
Registered: Oct 2003
Distribution: Ubuntu 7.04
Posts: 889
Blog Entries: 1

Rep: Reputation: 30
Aren't hackers really called "crackers"? And a hacker is a person who messes with a program's source code?
 
Old 08-20-2004, 04:20 PM   #5
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi
It is the crackers that do some wrong work.
Hackers are those who possess good computer knowledge.
Nowadays we call anyone compromising a system a HACKER while they should be called crackers.

regards
 
Old 08-20-2004, 04:32 PM   #6
SocialEngineer
Member
 
Registered: May 2003
Distribution: Slackware
Posts: 236

Rep: Reputation: 30
Yeah. I got tired of correcting everybody on the difference between a hacker and cracker, so I just let them live in ignorance (since they forget it 5 seconds later anyway).
 
Old 08-20-2004, 04:43 PM   #7
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by masand
to see the tracks of any hacker u need to keep a tab on the utmp wtmp files
This is not accurate. utmp and wtmp are written to by programs like login and other processes that use a login facility. Not all exploits are going to create an entry in these files. In addition, a user account with the appropriate access can "clean" these files. If you are simply waiting around for "hacker" (or some other equally recognizable username) to show up in your last output, then you're probably going to miss them.

Last edited by stickman; 08-20-2004 at 04:52 PM.
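As an added example (not code from any poster in this thread), here is a small Python parser for the binary Linux utmp/wtmp record format that last and who -u wtmp read, run over a few constructed records. It assumes the 384-byte glibc record layout used on x86/x86_64 Linux and takes a constructed byte string as input (203.0.113.7 is a documentation address, not a real host). Beyond listing logins, it shows the tampering signs stickman's point implies: a wtmp whose timestamps run backwards, whose records are zeroed, or whose length is no longer a multiple of the record size has most likely been "cleaned", so a clean-looking file is not evidence that nobody got in.

```python
import struct

# glibc "struct utmp" on Linux x86/x86_64: 384 bytes, little-endian, packed
# (the "xx" is the 2 alignment bytes between ut_type and ut_pid).
#   ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
#   ut_exit(e_termination, e_exit), ut_session, ut_tv(tv_sec, tv_usec),
#   ut_addr_v6[4], __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> list[dict]:
    """Split raw wtmp bytes into records. A partial trailing record is skipped
    here and reported by check_wtmp()."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "time": f[9],
            "zeroed": chunk == b"\0" * UTMP_SIZE,
        })
    return records


def logins(records: list[dict]) -> list[tuple[str, str, int]]:
    """(user, host, epoch seconds) for each interactive login, as last(1) prints."""
    return [(r["user"], r["host"], r["time"]) for r in records if r["type"] == USER_PROCESS]


def check_wtmp(data: bytes) -> list[str]:
    """Signs that wtmp was edited rather than only appended to by login(1)."""
    problems = []
    if len(data) % UTMP_SIZE:
        problems.append("file length is not a multiple of %d bytes (truncated?)" % UTMP_SIZE)
    prev = 0
    for i, r in enumerate(parse_wtmp(data)):
        if r["zeroed"]:
            problems.append("record %d is all zeros (overwritten by a log cleaner?)" % i)
            continue
        if r["time"] < prev:
            problems.append("record %d timestamp goes backwards (%d < %d)" % (i, r["time"], prev))
        prev = max(prev, r["time"])
    return problems


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one constructed record the way login(1) would (for the sample below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: a boot, a console root login, a remote login by an
# unexpected account, then an out-of-order record, a zeroed record and a
# truncated tail. None of this comes from a real system.
T0 = 1092900000  # roughly 19 Aug 2004
SAMPLE_WTMP = (
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0)
    + make_record(USER_PROCESS, 801, "tty1", "root", "", T0 + 60)
    + make_record(USER_PROCESS, 1523, "pts/0", "hack", "203.0.113.7", T0 + 3600)
    + make_record(USER_PROCESS, 1530, "pts/1", "http", "203.0.113.7", T0 + 1800)
    + b"\0" * UTMP_SIZE
    + b"\0" * 17
)

if __name__ == "__main__":
    for user, host, when in logins(parse_wtmp(SAMPLE_WTMP)):
        print("%-8s %-16s %d" % (user, host or "console", when))
    for p in check_wtmp(SAMPLE_WTMP):
        print("ANOMALY:", p)
```

To run it against a real file, replace SAMPLE_WTMP with the contents of /var/log/wtmp read from a copy of the disk mounted read-only; the anomaly list tells you whether the file can be trusted at all before you spend time reading the logins it still contains.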
 
Old 08-20-2004, 04:46 PM   #8
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by SocialEngineer
Yeah. I got tired of correcting everybody on the difference between a hacker and cracker, so I just let them live in ignorance (since they forget it 5 seconds later anyway).
Nice to hear that, please refer to RFC1392 while doing so.
 
Old 08-20-2004, 04:48 PM   #9
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi
Other than these I think
you cannot look for any tracks in the system.
Yes, they can be cleaned, which erases the tracks of the hacker who had logged in to the machine, so if this happens they cannot be tracked.

I do not think we have any other file to check for login records.

regards
gaurav
 
Old 08-20-2004, 04:57 PM   #10
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
I think you're missing the point. A person who is breaking into a system is not always going to use a method that creates wtmp entries for you to see in last output. You need to rely on other methods besides watching two files. Other methods for detecting an intrusion include log entries, unusual files (i.e. rootkits), suddenly appearing processes or binaries, modified config files or binaries, etc. If your only method for detecting an intrusion is watching wtmp, then your chances of discovering an attack are severely impaired.

Last edited by stickman; 08-20-2004 at 04:59 PM.
 
Old 08-20-2004, 05:35 PM   #11
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi there

Looking at utmp/wtmp
happens to be the most classical way of looking out for hackers. It is true that we cannot entirely rely upon these, but the truth is we can never be sure that all the methods we apply are sufficient to track hackers.

Also, maybe we may catch someone out using these files too!

I think more on this can be tripwire, chkrootkit.org.

I was just mentioning one way to check for hackers;
there are better ways also, I agree on that....

regards

Last edited by masand; 08-20-2004 at 05:39 PM.
 
Old 08-20-2004, 06:07 PM   #12
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
If you're hit by a guy or girl that really knows what he/she's doing, nothing but an integrity db
kept on non-removable media can help you.
Logfiles could be modified/erased, kernel backdoored, etc...
In other words, you can't trust your system anymore.
 
Old 08-23-2004, 03:36 AM   #13
consty
Member
 
Registered: Feb 2004
Location: Douala-Cameroun
Distribution: RedHAt 9 ES
Posts: 85

Original Poster
Rep: Reputation: 15
Thanks everybody for the concern.
In addition I have been told that "monit" and "tripwire" are monitor tools that could help.
 
Old 08-23-2004, 04:16 AM   #14
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Checking for file alteration is really something you should have done before your system's security has been compromised. Once someone has cracked your system and modified/installed various files, it's entirely possible for them to access your machine at will without modifying any further files. You should always install something like tripwire, samhain, afick, etc. immediately after installing and configuring your system, not after you believe someone has broken in.

You haven't really mentioned why you think the system has been compromised in the first place. Could you give us some specifics? Without much to go on, on a Redhat system (actually on any RPM system), you can verify the integrity of the packages by doing rpm -Va. Test for the presence of a rootkit by downloading and running chkrootkit and/or rootkit hunter. Check for abnormal SUID root files. Check /etc/passwd for new users or users other than root with a UID of 0. If that still doesn't turn up anything and you are fairly convinced that it's been cracked, download a "Live" CD-ROM based distro like Knoppix-STD or FIRE. Boot the system with the Live CD and mount the compromised file-system read-only. You can then look around the file system without worrying that anything has been hidden by a rootkit.

As a note about utmp/wtmp, this is a fairly ineffective way to identify intrusion, especially if used as your only means. Having a shell bound to a listening port or even a backdoored daemon can entirely bypass logging (as has been pointed out multiple times already). In fact, I've seen more intruders identified by the fact that wtmp had been modified or deleted entirely than by finding anomalous login entries there. That being said, I certainly would check it; however, I wouldn't have much confidence in a clean utmp/wtmp.
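An added example, not code from this thread nor from tripwire, samhain or afick, that does in Python three of the checks Capt_Caveman lists: build an integrity baseline of a tree (to be taken right after install and kept on media the intruder cannot rewrite, as iceman47 says), verify the tree against that baseline later, list SUID files, and find /etc/passwd accounts other than root with UID 0. The directory tree, the tampering and the passwd text below are all constructed for the demo; on a real system you would point baseline() and verify() at the filesystem mounted read-only from a live CD.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_fingerprint(path: str) -> dict:
    """What an integrity checker records per file: mode, owner, size, SHA-256."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
    return {"mode": st.st_mode, "uid": st.st_uid, "size": st.st_size, "sha256": h.hexdigest()}


def baseline(root: str) -> dict:
    """Fingerprint every file under root, keyed by path relative to root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_fingerprint(full)
    return db


def verify(root: str, db: dict) -> dict:
    """Compare the tree with a stored baseline; returns added/removed/changed paths."""
    now = baseline(root)
    return {
        "added": sorted(set(now) - set(db)),
        "removed": sorted(set(db) - set(now)),
        "changed": sorted(p for p in set(now) & set(db) if now[p] != db[p]),
    }


def suid_files(root: str) -> list:
    """Set-uid files under root (the same list `find / -perm -4000` gives)."""
    return sorted(p for p, f in baseline(root).items() if f["mode"] & stat.S_ISUID)


def extra_uid0_accounts(passwd_text: str) -> list:
    """Accounts other than root whose UID is 0, i.e. hidden root-equivalent users."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


# Constructed passwd content; "hack" having UID 0 is an assumption for the demo.
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "hack:x:0:0::/home/hack:/bin/bash\n"
    "http:x:501:501::/home/http:/bin/bash\n"
)


def demo() -> dict:
    """Constructed scenario: baseline a fresh tree, tamper with it, verify."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)

    put("bin/ls", b"original ls", 0o755)
    put("bin/su", b"original su", 0o4755)
    put("var/log/wtmp", b"\0" * 384)
    stored = json.dumps(baseline(root))  # keep this copy off the box
    # Simulated tampering: trojaned ls of the same size, new scanner, wtmp deleted.
    put("bin/ls", b"trojaned ls", 0o755)
    put("bin/pscan2", b"scanner", 0o755)
    os.remove(os.path.join(root, "var/log/wtmp"))
    return verify(root, json.loads(stored))


if __name__ == "__main__":
    print("verify:", demo())
    print("UID 0 accounts besides root:", extra_uid0_accounts(PASSWD_SAMPLE))
```

The trojaned ls keeps its size and mode, so only the hash catches it; that is why a baseline must record a cryptographic digest and not just what ls -l shows, and why it has to exist from before the compromise.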
 
Old 08-25-2004, 03:02 PM   #15
consty
Member
 
Registered: Feb 2004
Location: Douala-Cameroun
Distribution: RedHAt 9 ES
Posts: 85

Original Poster
Rep: Reputation: 15
Thanks again,
In fact the system hung at "INIT: Version 2.84 booting"; booting from CD in rescue mode showed 2 new users named "hack" and "http" connected one day before the hang-up with a foreign IP address (who -u wtmp). In addition, the home directory of user hack contains a directory called "selena" which houses files like: assl, oops, pscan2, ssl, sslex, sslx, ssx, su, runer, etc ...
 