[CentOS] How to tell if I've been hacked?

Wed Aug 19 04:57:25 UTC 2009
Bill Campbell <centos at celestial.com>

On Tue, Aug 18, 2009, Scott Ehrlich wrote:
>There is a lot of talk about the vulnerable Linux kernel.   I'm simply
>wondering the telltale signs if a given system has been hacked?
>What, specifically, does a person look for?

To really know whether a system has been hacked, it's necessary
to use something like Tripwire or Aide, taking a baseline before
the system is put on-line, and continually monitoring for changes.

By using the 6 P's (Prior Planning Prevents Piss-Poor Performance)
it's possible to detect crackages, and even to restore a system
without a complete reinstall, as good intrusion detection tools
find changed files as well as new files that crackers have
added, or files that have gone missing.

It's also a good idea to check for executables in places they
normally shouldn't be, /tmp, /dev/shm on SuSE systems, /var/tmp,
and similar directories where crackers like to hide their work.
Often these executables will be in directories with names like ``.. ''
(note the trailing space) that look legitimate.

There's one crack that adds lines to /etc/inittab to run
something called ``ttymon'' that looks reasonable if (a) you
don't notice that the file has changed, and (b) don't have a
backup to compare it to.

You cannot trust tools like ``ps'', ``find'', ``netstat'', and
``lsof'' as these are frequently replaced by ones that are
modified to hide the cracker's work.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

The most serious doubt that has been thrown on the authenticity of the
biblical miracles is the fact that most of the witnesses in regard to
them were fishermen.  -- Arthur Binstead
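A small defender's sweep in the spirit of the advice above, added here as an example and not part of Bill's post: it records a hash baseline of chosen files (so an edited /etc/inittab stands out on the next check) and lists executables and trailing-space names under scratch directories. It assumes GNU coreutils sha256sum and find; the directory and file paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Run it from trusted media:
# a compromised system's own ps/find/netstat/lsof cannot be trusted.

# baseline_files OUT FILE... : store "sha256  path" lines for later comparison
baseline_files() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$out"
        else
            printf 'missing: %s\n' "$f" >&2
        fi
    done
}

# check_baseline OUT : print each baselined path whose hash changed or that is gone
check_baseline() {
    while read -r want path; do
        have=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        [ "$have" = "$want" ] || printf '%s\n' "$path"
    done < "$1"
}

# sweep_scratch DIR... : report owner-executable regular files and entries whose
# names end in a space (the ".. " trick) under the given directories
sweep_scratch() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -100 -print 2>/dev/null | sed 's/^/exec: /'
        find "$d" -name '* ' -print 2>/dev/null | sed 's/^/odd-name: /'
    done
}

# Usage (placeholder paths):
#   sh sweep.sh baseline /root/base.db /etc/inittab /etc/passwd
#   sh sweep.sh check /root/base.db
#   sh sweep.sh sweep /tmp /var/tmp /dev/shm
case "${1:-}" in
    baseline) shift; baseline_files "$@" ;;
    check)    check_baseline "$2" ;;
    sweep)    shift; sweep_scratch "$@" ;;
esac
```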