[ale] Linux Firewall
Jacob Langseth
jlangseth at vodavi-ct.com
Thu Apr 8 16:01:53 EDT 1999
> they may have installed some sort of sniffer, is there anyway to search for
> it.
> I have noticed that root logs in and out at 1:01am every morning, but that
> seemed to be happening prior to the break-in. Is that normal behavior?
No, but since you're reinstalling, I wouldn't spend too much
time tracking it down.
To detect the sniffer, which is certainly there, you'd need to
create a disk on another system which contains a Known
Good Copy of ifconfig. Execute it on the afflicted system -
if PROMISC shows up, the card is in 'sniffer' mode.
(This may be more trouble than its worth, though, as you're
just going to turn around and hose the system...)
After shutting down the old server, enforce a password
change for all users of every service provided on your
network - NT, unix, novell or otherwise. Assuming that
they haven't been compromised will only lead to more
headaches down the road.
Check all other servers with a fine toothed comb, as depending
upon the skill / motivation involved, they may have been
compromised as well. A good way to look for this sort
of thing would be to run tcpdump on your new server and
investigate any activity which can't be explained.
Tcpdump produces a lot of output. To avoid being inundated
with packet dumps, I suggest using a perl wrapper around it
to limit the number of connections seen. I believe I've posted
code which accomplishes this to the list before, so rather than
waste bandwidth again, I'll put it up for ftp.
The script is monitor.pl. The filter used is ~/.filter, and uses the
tcpdump filtering syntax:
ftp://orthanc.se2600.org/pub/monitor/
Network Flight Recorder may be a Good Thing to look into after
the new server is in place:
http://www.nfr.com/
It's useful for spotting suspicious activity, comes with source,
and is free for non commercial use. The l0pht has some useful
modules available for it as well: http://l0pht.com/
Good luck,
--
Jacob Langseth
Vodavi-CT, Inc. <jlangseth at vodavi-ct.com>
More information about the Ale
mailing list