[ale] hacked indicator?

Bob bob at cavu.com
Tue Nov 21 21:27:16 EST 2000


Any decent Trojan'ed id program will behave normally for normal users.

First ensure that your /etc/passwd file is intact and that said user is
in it and that the entry is not corrupt.  If entries before it are corrupt
or your shadow file is corrupt, parsing of these (by the id program) may
stop without finding this entry to map the numeric UID into the user name.


If this doesn't find the problem or if you have other reason to suspect
that you've been cracked, recovery is non-trivial since you cannot trust
anything on your disk or in memory including the kernel if the cracker
is really good.  (I've never heard of a cracker modifying the kernel
for other than adding trap doors to root but it's possible.)

To analyze a suspected system, you first must boot from trusted media.
You can build custom rescue disks containing the md5sum program on the root
floppy.  Then you can boot these and compare the MD5 hash of these programs
with what they should be.  If you confirm proper hashes for the rpm program,
any needed libraries, and its databases (along with the shell and kernel),
you can use RPM to do the MD5 sums of all the binaries of all of the
packages and compare them to what they should be.

Similarly, you can use GNU tar's -d flag to compare a tar backup tape
to what's on disk for data and inode data (permissions and ownership).
Then use find to find any files on disk that are not on tape.  Some of
these may be added cracker files and programs.
Again, you'll want to do this from the version of tar on your trusted
rescue disks.

All of these techniques are explained in complete detail in my book:

	http://www.realworldlinuxsecurity.com/

Bob
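An added example, not part of the original post: a small offline rehearsal of the md5sum, `tar -d` and find checks described above, run against constructed sample files in a temporary directory. It assumes GNU tar and coreutils md5sum (as would be on a rescue floppy); every path below is constructed and is not a real system file.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU tar and coreutils
# md5sum; all paths are constructed sample data, not real system files.

# Record hashes of all files under $1 while the system is believed clean.
# Output is an md5sum manifest to keep on trusted, read-only media.
make_manifest() {
    ( cd "$1" && find . -type f | sort | xargs md5sum )
}

# Re-check files under $1 against manifest $2 (absolute path), using the
# md5sum from trusted media. Returns 0 only if every entry still matches.
verify_manifest() {
    ( cd "$1" && md5sum -c --quiet "$2" >/dev/null 2>&1 )
}

# The "tar -d" step: compare the tree under $1 with backup archive $2
# (absolute path): contents, permissions, ownership and mtime.
verify_against_backup() {
    ( cd "$1" && tar -df "$2" >/dev/null 2>&1 )
}

# The find step: files present under $1 but absent from archive $2.
# tar -d never reports these, so they must be listed separately.
files_not_in_backup() {
    disk=$(mktemp); tape=$(mktemp)
    ( cd "$1" && find . -type f | sort ) > "$disk"
    tar -tf "$2" | sort > "$tape"
    comm -23 "$disk" "$tape"
    rm -f "$disk" "$tape"
}

# Constructed scenario: take a manifest and a backup of a tiny "system",
# then alter one file and add another, which the checks should detect.
# Prints the workspace path so the caller can inspect and remove it.
setup_demo() {
    ws=$(mktemp -d)
    mkdir -p "$ws/root/bin"
    printf 'version 1\n' > "$ws/root/bin/id"
    printf 'version 1\n' > "$ws/root/bin/sh"
    make_manifest "$ws/root" > "$ws/good.md5"
    tar -cf "$ws/backup.tar" -C "$ws/root" .
    printf 'version 2\n' > "$ws/root/bin/id"      # changed after the backup
    printf 'x\n' > "$ws/root/bin/.extra"          # not on the "tape"
    printf '%s\n' "$ws"
}

ws=$(setup_demo)
verify_manifest "$ws/root" "$ws/good.md5" || echo "manifest mismatch under $ws/root"
verify_against_backup "$ws/root" "$ws/backup.tar" || echo "disk differs from backup"
echo "on disk but not in backup:"; files_not_in_backup "$ws/root" "$ws/backup.tar"
rm -rf "$ws"
```

On a real system the manifest and backup would be taken before any suspicion arises, and the comparison run only from the binaries on the trusted rescue media.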