[ale] compromised?

Christopher Bergeron christopher at bergeron.com
Sat Dec 15 13:22:04 EST 2001


John, here's what I would do:

I would boot from a known good linux CD; I would get the MD5 sums of the
important files (ps, sh, crond, netstat, lsmod, etc.) on the potentially
compromised system and compare them with the md5 sums from the known good
files (from your CD). This way, you can detect if what's called a "rootkit"
has been installed. Once you're sure the files are clean (and not modified),
fire the machine back up and make sure there aren't any cron jobs running
that you don't know about. Might want to check the /etc/cron.d directories
and make sure everything in them is appropriate. Also, depending on what
services the box provides (i.e., http), you might want to run through those
dirs and make sure there's no nasty CGIs hiding back there. Finally, from
an outside location run nmap against your network. This will tell you what
ports are open on it. If you don't see anything suspicious (i.e., nessus),
then odds are good you haven't been compromised.

Just my .02, I'm sure others may have varying opinions...

-CB
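The checksum comparison step above, as an added shell example that is not part of this thread: it assumes you have booted from a trusted CD, mounted the suspect disk read-only under one directory and have the trusted binaries under another, and that md5sum from coreutils is available; it builds two small constructed trees to demonstrate and reports each file as OK, MODIFIED or MISSING.

```shell
#!/bin/sh
# Added example (not from the thread): verify binaries on a suspect root against trusted copies.
# Assumes: booted from a trusted CD, the suspect disk mounted read-only at some path
# (e.g. /mnt/suspect), the trusted binaries under another (e.g. the CD's own root),
# and md5sum from coreutils available. Paths in CHECK_LIST are relative to each root.
set -u

# Binaries the reply names as worth checking; a rootkit typically replaces these.
CHECK_LIST="bin/ps bin/sh sbin/crond bin/netstat sbin/lsmod"

md5_of() { md5sum < "$1" | cut -d' ' -f1; }

# Print one line per file: "OK path", "MODIFIED path" or "MISSING path".
compare_binaries() {
    good_root=$1
    suspect_root=$2
    for f in $CHECK_LIST; do
        if [ ! -f "$suspect_root/$f" ]; then
            echo "MISSING $f"
        elif [ "$(md5_of "$good_root/$f")" = "$(md5_of "$suspect_root/$f")" ]; then
            echo "OK $f"
        else
            echo "MODIFIED $f"
        fi
    done
}

# Number of files that are not OK; anything non-zero means the box needs a closer look.
count_problems() {
    compare_binaries "$1" "$2" | grep -vc '^OK ' || true
}

# Constructed demo trees: a trusted root and a suspect root where ps has been replaced
# (as a trojaned ps would be) and netstat has been deleted. Prints the temp directory.
make_demo_trees() {
    demo=$(mktemp -d)
    mkdir -p "$demo/good/bin" "$demo/good/sbin" "$demo/suspect/bin" "$demo/suspect/sbin"
    for f in $CHECK_LIST; do
        printf 'trusted build of %s\n' "$f" > "$demo/good/$f"
        cp "$demo/good/$f" "$demo/suspect/$f"
    done
    printf 'replaced ps that hides processes\n' > "$demo/suspect/bin/ps"
    rm "$demo/suspect/bin/netstat"
    echo "$demo"
}

# Demo run on the constructed trees; on a real box call e.g.: compare_binaries /cdroot /mnt/suspect
demo=$(make_demo_trees)
compare_binaries "$demo/good" "$demo/suspect"
echo "problems: $(count_problems "$demo/good" "$demo/suspect")"
rm -rf "$demo"
```

The trusted copies must come from the same distribution build as the suspect binaries, or every file reports as MODIFIED; a mismatch is a lead to investigate, not proof of a rootkit by itself.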

-----Original Message-----
From: John Wells [mailto:jbwellsiv at yahoo.com]
Sent: Saturday, December 15, 2001 12:57 PM
To: ale at ale.org
Subject: [ale] compromised?


I've been cutting my teeth on iptables rules on a
linux router I'm creating for my DSL connection.  I'm
finally to the point where I feel at least a bit
confident that the script is sorta good, but in the
meantime I've been running iptables wide open with
just masquerading enabled.

My question is, now that I'm at the point where I'm
going to lock the box down fairly well, is there a
need to wipe it clean and reinstall linux?  I remember
hearing in Bob Toxen's ale presentation that a default
box can be compromised within minutes after being
brought up live on the net.

What's the probability that my router's been hit, and
with Masquerading wide open, what's the possibility
that someone could have left something behind that
won't play nice in the future?  Will locking down the
box be enough?

Thanks for your input.

John


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.