On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlichsrehrlich@gmail.com wrote:
There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for?
This is an interesting and frustrating question. Perfect security is impossible, but maybe we can achieve 'good enough'.
On Tue, Aug 18, 2009 at 5:14 PM, Christopher Chanchristopher.chan@bradbury.edu.hk wrote:
rpm -Va is a good start for modified binaries/libraries.
Problems with rpm: 1) Many files on a system did not come from an rpm or had good reasons to change, so dealing with false positives is a problem 2) Some packages are sloppy and no longer verify immediately after installation 3) rpm cannot address memory-only attacks or bios attacks. Still, if rpm tells you some binary has changed since installation, you know you're in trouble. Or you're using prelink.
rootkit detectors is another thing you can try.
Problem with rootkit detectors I have used: many false positives. At least, I hope they were false! Googling around, I found that once you had a positive result, it was sort of complicated process to figure out whether you'd really been hacked or were just having timing problems or had an unusual configuration.
Other than that, it is checking your logs and looking for odd files lying around...
And prayer.
On Tue, Aug 18, 2009 at 5:22 PM, Ryan Pugatchrpug@tripadvisor.com wrote:
Also, processes running that you don't recognize.
Unfortunately, if you're like me there are really a lot of processes running on a virgin linux box (never touched the internet) that I don't recognize. I once tried just making a big file of them and having a cron job send me email when the list changed significantly. This could have caught an unlucky or inept cracker who launched some process named "meEvilCrackhead", but wouldn't have done much to catch someone using an innocuous name, like say 'grep'.
Users you don't recognize.
Again, it is possible to catch someone who doesn't bother to get rid of the smoking gun. Someone who has root on your system can create a new user, or they could use a pre-existing user. You can keep an eye out for strange users, but the real problem is spotting familiar users doing stuff they ought not. Even that can be covered if the cracker replaces your tools or hacks the kernel.
Logged in sessions that you don't recognize.
I'm not sure what Ryan means here, unless he is assuming only one person (you) has authorized access to your machine, and you see sessions logged in as you that you know nothing about. Yeah, that would tip you off. If lots of users can log in, there's not much point.
Free space shrinking abnormally.
Again not really sure what this would mean. Too high a load, too many programs running? Again, someone with root access could hack the tools you use to monitor this, or even the kernel, and make it really hard to see. Assuming you really know how much free space you ought to have at a given moment, which, for me, I am ashamed to admit, would be quite rare.
An increase in bandwidth usage that is unexpected.
Now we're talking! Well, I am still pretty damn ignorant of what a system's bandwidth demand ought to be, but at least you could see the stuff actually happening and make a sort of reasonable investigation of 'what do I have running that would possibly want to talk to IP xxx.yyy.zzz.aaa?' And for once, no matter how good the intruder is, they won't be able to get your own system to lie to you for them (assuming you're using a different system to do the network analysis). But while you analize the traffic, the bad guys has more time to damage your data.
On Tue, Aug 18, 2009 at 5:58 PM, Christopher Chanchristopher.chan@bradbury.edu.hk wrote:
Yeah...one should not assume that those will be hidden by rogue libraries/binaries. Not every case will be taken that far or unspotted before it gets that far.
Every intrusion is vulnerable for a while at least, while the intruder is trying to get in and get root. After that they will probably try to cover their tracks.
On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbellcentos@celestial.com wrote:
To really know whether a system has been hacked, it's necessary to use something like Tripwire or Aide,
And very carefully. Only that won't help you with memory-only attacks, or bios stuff, etc. These tools concentrate on verifying that your disk files have not been altered. I don't think they would help with an attack that uses free space (guessing here). Also, they are a pain, unless your system stays absolutely static, which in effect means, if you never use it. Have them ignore your data space, and the hacker can exploit that. And even then, linux is constantly updating various files in the background, and of course you need to update software to keep up with the security patches. You need to track every change of every file. I doubt many people have the patience.
[snip]
It's also a good idea to check for executables in places they normally shouldn't be, /tmp, /dev/shm on SuSE systems, /var/tmp, and similar directories where crackers like to hide their work. Often these executes will be in directories with names like ``.. '' (note the trailing space) that look legitimate.
I like this, because it might actually be automated. Of course, you're trusting stat or whatever.
[snip]
You cannot trust tools like ``ps'', ``find'', ``netstat'', and ``lsof'' as these are frequently replaced by ones that are modified to hide the cracker's work.
Naturally we are running aide and tripwire from a CD or other read-only medium, why not toss in a copy of these tools as well? Of course, if the kernel has been hacked, even that won't save us, but we have to take what we can get.
On Wed, Aug 19, 2009 at 1:03 AM, Eduardo Grosclaudeeduardo.grosclaude@gmail.com wrote:
As a corollary, the only safe way to audit a suspected system is booting your diagnostic tool from known good media (eg try a security Live CD distro)
Safe in what sense? When you rebooted, you may have erased from memory the only remaining trace of the intrusion and you are still vulnerable. But at least you *can* trust what the tools are telling you - I hope.
On Thu, Aug 20, 2009 at 12:59 PM, Magnus Holmströmmagnus.holmstrom@gmail.com wrote:
Oops, someone is going to scold you for top-posting.
Check for failed logins in /var/log/messages
Kind of useless, don't you think? Failed logins I can live with. It's successful ones that hurt.
Check if the /etc/passwd file have been changed
Certainly, no decent detection system should overlook changes to /etc/passwd. But that's just one of many important files.
Use commands like last, w and uptime.
These tools are kind of weak. If you have a single-user system or the intruder is doing something really obvious (what? rm -rf /? wall 'I am an intruder!'?) they would help. With multiple users they won't tell you enough, and if the intruder is good they will lie to you.
Thanks to all for stimulating thoughts. I've been thinking about this for a while. I need to think some more. xoxo, Dave