I'm using Ubuntu 14.04 for an email server. Anyway, here are my questions, all related:
1) Is there a fool proof way that cannot be defeated by crafty intruder that will show the open connections to the server, whether it is ssh, or telnet, or html.
2) What are the connection types that would allow crafty intruder to make changes to my server that normally only root user can make. e.g. ssh for sure, but html, others?
3) For ways that crafty intruder might have modified my system, using commands like below or other suggested commands, how can I tell if they (the commands themselves) have been modified?

So far I use:
:~$ sudo netstat -taupen
:~$ w
:~$ sudo lsof -i | grep -i established

First of all: what in this reply was not clear, or what has (seemingly) changed since your subsequent reply?

As for your question: short answer: no. Longer answer: it depends.

You should know that while the threatscape has changed drastically, in the sense that traditional root kits are used less since the start of this millennium, there are enough threats as a lack of knowledge, carelessness, lax (or non-existent!) access restrictions, update schemes, password policies, flaws in service configurations and running outdated software give rise to successful web stack and brute force attacks. Unless a perp has physical access or any other means of subverting a system without leaving a trail (or being able to patch it up), most 'net-based attacks will start with recon and access to lower-privileged resources, leaving a trail. So in essence your question should have been asked prior to any (perceived) security incident. It should have led to properly hardening a server (which provides early warnings and should make it harder for a perp to 0wn a box RSN) and should include creating an audit trail (to log what ops are performed, find anomalous access patterns and be able to respond to early warnings) and the ability to independently verify system integrity.


Basically: any your machine provides, or whatever else means a perp is allowed to inject after gaining a foothold.


Like I already said here: the default Debian(-like) way of using debsums unfortunately requires you to modify apt-related configuration files before the event. So another way is to download a copy of any suspect packages onto a known clean machine, generate a list of hashes (md5sum or md5deep) and compare hashes ('md5sum -c') with the "victim" system. Also, if a perp doesn't clean up afterwards, see entries in service and system log files, user login records, shell history, left uploads and changed ownership, hashes and MAC times of files and odd traffic behaviour can be signs of an intrusion.

Obviously, commands such as lastlog, w, and the likes can only be trusted to a certain extent, as they can be modified if the attacker has full system access. Chances are, if they haven't 'rooted' your system, they may show up in these outputs.

Monitor the outgoing/incoming traffic from a seperate machine using a live medium that you can trust. Tools like wireshark can be useful for monitoring traffic externally. Live medium is better, in the event that if your routed machine were to also be compromised, it could also be hiding traffic and wouldn't be much use!

Any software that is running as the root user. Eg; a webserver running as root, could be taken advantage of by a flawed php script that doesn't sanitize input. Also any software that offers a connection to the outside world, regardless of the user it is running as, if there is a flaw that can be used to escalate privileges on the system... this is why it's best to keep software patched and up to date, as it vastly reduces this risk.


There is software that can create checksums of system binaries (for instance, everything in /bin and /sbin, and compare them at a later date to see if the checksums have changed. I think tools similar to chkrootkit do this.