[ale] Is it hacked?

djinn at djinnspace.com
Mon Feb 12 00:40:20 EST 2001


Unfortunately, if it was cracked with any standard root kit, there wouldn't be
much you could look for if you didn't have any sort of checksums (tripwire or
even homemade) from when the box was created on binaries like ps, ls, and
netstat...preferably the checksums burned to CD somewhere.
From your home machine, or a machine that's not on the network with this box, run
netcat against all the ports to see what's listening, as well as nmap.  nmap
your.ip.address.here should tell you what the box is actually listening for.

There are some excellent resources at www.securityfocus.com for how to lock down a
Linux box, as well as what to do once you've been cracked and how to find out if
you've been cracked.  I hope it was just the users screwing up. :)

And our very own Bob Toxen has written a pretty thorough book on Linux security,
so I'm sure he can correct anything I've gotten wrong. :)

jenn

Ken Nagorski wrote:

> Hi there,
>
>         I have a question about security. OK... Check this out. A guy I
> know runs a web server. He and this other kid have root. I just help him
> out in a jam and do some of the more sophisticated stuff for him (not
> that I wanna sound like I am tooting my own horn, just so you know where I
> am coming from). Anyway, it seems that Friday the root passwd + account
> went away. Hmm, sounds like it has been hacked, right? Well, I am not so
> sure. We were able to re-create the account with webmin. I am not sure
> how webmin was able to log in, regardless... Webmin saved the day, or so
> to speak I guess.
>         So I got in and looked around, can't find any signs of a hack,
> doesn't look like ps or ls, or anything has been replaced, doesn't
> look like there is anything funny coming from netstat, no strange
> ports. There isn't anything in top that looks odd. I think that somehow
> either one of the other two guys screwed up.
>         But, maybe I think I am not looking in the right places. I found
> one odd thing in the /root/.bash_history. This line right here:
> vi NEED PASSWORD ?.html
> What is that? It's strange, but if I hacked your box and had to do something
> funky as that, I would delete it from the .bash_history, no?
>         OK, the point of all this is, what else could I look for. Maybe
> there are some people that have a little more experience with hackers and
> security?
>
> Thanks
> Ken
>
> --
> I've got all the money I'll ever need if I die by 4 o'clock.
>                 -- Henny Youngman

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
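The "homemade checksums" jenn mentions can be as simple as a manifest of hashes for the binaries an attacker would most want to replace (ps, ls, netstat), stored off the box and compared against the live files later. The script below is an added example written for this page, not code from the thread or from any of the projects mentioned; it uses sha256sum (an assumption: the 2001-era box would more likely have had md5sum) and builds its own constructed sample files so it runs offline.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline in the spirit of the
# "homemade checksums burned to CD" advice above. Not from the original thread.
#
#   baseline_create MANIFEST FILE...   record the sha256 of each FILE
#   baseline_check  MANIFEST           report ok/CHANGED/MISSING per entry,
#                                       exit 0 only if every file still matches

baseline_create() {
    manifest=$1; shift
    : > "$manifest"                       # start an empty manifest
    for f in "$@"; do
        sha256sum "$f" >> "$manifest"     # lines look like: <hash>  <path>
    done
}

baseline_check() {
    manifest=$1
    status=0
    # Each manifest line is "<hash>  <path>"; read splits on the first field,
    # so paths containing spaces still land intact in $path.
    while read -r sum path; do
        current=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ -z "$current" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$current" != "$sum" ]; then
            echo "CHANGED  $path"; status=1
        else
            echo "ok       $path"
        fi
    done < "$manifest"
    return $status
}

# Constructed demo (assumption: fake "binaries" in a temp dir stand in for
# /bin/ps, /bin/ls and /bin/netstat). Returns 0 when the checker behaves as
# expected: clean baseline passes, a replaced file is flagged, a deleted file
# is flagged.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'original ps\n'      > "$tmp/ps"
    printf 'original ls\n'      > "$tmp/ls"
    printf 'original netstat\n' > "$tmp/netstat"

    baseline_create "$tmp/manifest" "$tmp/ps" "$tmp/ls" "$tmp/netstat"
    baseline_check "$tmp/manifest" > /dev/null || { rm -rf "$tmp"; return 1; }

    printf 'replaced ps\n' > "$tmp/ps"     # simulate a trojaned binary
    rm -f "$tmp/netstat"                   # simulate a removed binary
    result=$(baseline_check "$tmp/manifest")
    rm -rf "$tmp"
    echo "$result" | grep -q "CHANGED  .*/ps"      || return 1
    echo "$result" | grep -q "MISSING  .*/netstat" || return 1
    echo "$result" | grep -q "ok       .*/ls"      || return 1
    return 0
}

demo && echo "demo: checker detected the tampered and missing files"
```

Two design points follow directly from the advice in the thread. The manifest has to live somewhere the box cannot rewrite (the CD jenn describes, or another host), otherwise a root kit that replaces ps can just as easily regenerate the manifest. And the checker itself (sh, sha256sum, cut) is only as trustworthy as the binaries on the suspect machine, which is why the comparison is best run from a known-good rescue medium rather than from the possibly compromised install.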