LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-04-2006, 02:11 AM   #1
linux_aru
LQ Newbie
 
Registered: Jul 2005
Location: Interest
Posts: 4

Rep: Reputation: 0
hacking problem


I am using RHEL4 on my server. If my server is hacked, then how can I understand it?

Using log files, is it possible to find out the hacker (/var/log/messages or a different log file)?

If any user logs in to my PC, is there any log file that keeps that information other than /var/log/messages?

Please give ideas.
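On RHEL the login records the question asks about live outside /var/log/messages: sshd and the PAM stack write to /var/log/secure, and the binary accounting files /var/log/wtmp, /var/log/btmp and /var/log/lastlog are read with `last`, `lastb` and `lastlog`. The script below is an added example, not code posted in this thread, showing the kind of review a defender does over /var/log/secure: it parses the sshd "Accepted"/"Failed" lines, counts them per source address, and flags a source that succeeds only after a run of failures or that logs in as root. The log lines are constructed sample data in the syslog format sshd uses; the threshold and the function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (made up for this example).
SAMPLE_SECURE_LOG = """\
Nov  4 01:58:12 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Nov  4 01:58:15 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.9 port 40130 ssh2
Nov  4 01:58:19 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 40141 ssh2
Nov  4 01:58:22 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 40150 ssh2
Nov  4 01:58:31 web1 sshd[2209]: Accepted password for root from 203.0.113.9 port 40163 ssh2
Nov  4 02:05:40 web1 sshd[2300]: Accepted publickey for aru from 192.0.2.10 port 51022 ssh2
Nov  4 02:06:01 web1 sshd[2302]: Failed password for aru from 192.0.2.10 port 51030 ssh2
"""

# Matches the sshd authentication result lines; "invalid user" is optional.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_sshd_events(text):
    """Return one dict per sshd Accepted/Failed line, in file order."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise_by_source(events):
    """Per source address: total failures, accepted (user, method) pairs,
    and how many failures preceded the first successful login."""
    summary = defaultdict(
        lambda: {"failed": 0, "accepted": [], "failed_before_success": 0})
    for ev in events:
        s = summary[ev["src"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
        else:
            if not s["accepted"]:
                s["failed_before_success"] = s["failed"]
            s["accepted"].append((ev["user"], ev["method"]))
    return dict(summary)


def suspicious_sources(summary, failure_threshold=3):
    """Flag a source that logged in after >= failure_threshold failures,
    or that obtained a root login at all. Returns {src: [reasons]}."""
    flagged = {}
    for src, s in summary.items():
        reasons = []
        if s["accepted"] and s["failed_before_success"] >= failure_threshold:
            reasons.append("login succeeded after %d failures" % s["failed_before_success"])
        for user, method in s["accepted"]:
            if user == "root":
                reasons.append("accepted root login via %s" % method)
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in suspicious_sources(
            summarise_by_source(parse_sshd_events(SAMPLE_SECURE_LOG))).items():
        print(src, "->", "; ".join(reasons))
```

Run against a real file with `python script.py < /var/log/secure` after swapping the sample for `sys.stdin.read()`. Bear in mind the caveat the reply below makes: an intruder with root can edit these files, so absence of evidence in them proves nothing on its own.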
 
Old 11-04-2006, 05:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: I am using RHEL4 on my server. If my server is hacked, then how can I understand it?
First things first. If you have any hunch, gut feeling, perception or doubt your box has been compromised you should regard it as compromised. Do not use it for any activity and do not let it be used by others for any activities but investigate. (Do not put off investigation for false priority reasoning.) One of the easiest ways to start investigating still is the methodical approach laid out in the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. At the same time open up a thread in the Linux - Security forum for support.

There are many things that could indicate cracker activity, ranging from remote networks sending you alerts, a sudden rise in traffic volume or "odd" source/destination pairs, to the machine behaving "weird" in an unsubstantiated way and warning messages that seem out of context. If you have adjacent machines or firewalls/routers under your control it's also good to check logs there. Crackers can deploy means to hide their presence by cleaning logs and login records and hiding files. From that you should understand that no method should be regarded as failsafe except for investigation on a "dead" box with a (forensics) Live CD.

Prevention is the first priority. It simply means protecting the investments you make in terms of time, effort, money (and maybe client trust), making sure the platform performs like you want it to and operates under your control. Prevention is done continuously by hardening, regular maintenance and regular auditing. If precautions are taken and the box is properly hardened it will be easier to spot intrusion attempts and signs of compromise. For more details please see your distribution's release documents about security and general security documents, which can be found in, for example, the LQ FAQ: Security references.


To spot signs of a compromise you run tools like a file integrity checker (Aide, Samhain or even Tripwire, for which you saved a copy of the database and config off-site), Chkrootkit and Rootkit Hunter, and single-purpose tools to detect specific forms of tampering. If there is *any* doubt these tools cannot pick up what is (perceived) there, it is best to default to a "dead" box investigation: rebooting the box and running a Live CD like HELIX, KNOPPIX (STD) or equivalent.
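The file integrity checkers named above all work the same way: record a hash and the metadata of every file while the box is known good, keep that baseline somewhere the box cannot reach, and later compare. The code below is an added example of that mechanism written for this page; it is not Aide, Samhain or Tripwire code, only a minimal stand-in. `build_baseline` walks a tree recording SHA-256, size, mode and ownership of each regular file, `compare` reports added, removed and modified paths with the fields that changed, and `demo` runs the whole cycle over a constructed temporary tree. All function names are my own.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def _file_record(path):
    """Hash plus the metadata fields a tamper check should compare."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(root):
    """Record every regular file under root, keyed by relative path.
    Symlinks are skipped rather than followed."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            baseline[os.path.relpath(path, root)] = _file_record(path)
    return baseline


def compare(baseline, current):
    """Return added and removed paths plus, for modified paths,
    {field: (baseline_value, current_value)} for every field that differs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        diff = {k: (baseline[rel][k], current[rel][k])
                for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diff:
            modified[rel] = diff
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, change it in three ways
    an integrity check must catch, then re-check. Cleans up after itself."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"original ls binary\n"), ("ps", b"original ps binary\n")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Same-length replacement of ps (size unchanged, hash changes) plus a
        # mode change, one new file, and one file removed.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"replaced ps binary\n")
        os.chmod(os.path.join(root, "bin", "ps"), 0o755)
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"new file\n")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In real use the baseline dict is written out with `json.dump` and the copy used for later comparison is fetched from off-box storage, exactly as the reply says to do for Tripwire's database and config: a baseline stored on the box being checked can be rewritten by whoever altered the files. Note that the size field alone misses the replaced `ps` (same length); the hash is what catches it.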
 
Old 11-04-2006, 03:17 PM   #3
reddazz
LQ Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 77
Moved: This thread is more suitable in Linux Security and has been moved accordingly to help your thread/question get the exposure it deserves.
All times are GMT -5. The time now is 02:03 PM.