On Tue, Aug 18, 2009, Scott Ehrlich wrote:
There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering what the telltale signs are that a given system has been hacked. What, specifically, does a person look for?
To really know whether a system has been hacked, it's necessary to use something like Tripwire or Aide, taking a baseline before the system is put on-line, and continually monitoring for changes.
By using the 6 P's (Prior Planning Prevents Piss-Poor Performance) it's possible to detect crackages, and even to restore a system without a complete reinstall, as good intrusion detection tools find changed files as well as new files that crackers have added, or files that have gone missing.
It's also a good idea to check for executables in places they normally shouldn't be: /tmp, /dev/shm on SuSE systems, /var/tmp, and similar directories where crackers like to hide their work. Often these executables will be in directories with names like ``.. '' (note the trailing space) that look legitimate.
There's one crack that adds lines to /etc/inittab to run something called ``ttymon'' that looks reasonable if (a) you don't notice that the file has changed, and (b) you don't have a backup to compare it to.
You cannot trust tools like ``ps'', ``find'', ``netstat'', and ``lsof'' as these are frequently replaced by ones that are modified to hide the cracker's work.
Bill