On Sunday 14 Mar 2010, Pats wrote:

> 1) How can we detect that someone has intruded / hacked our linux box?
> 2) Which commands to use for such detection?

Apart from the standard places to look (/tmp, /var/tmp, all HTTP domain directories) you can use a tool called rkhunter (RootKit Hunter) to detect common Linux viruses and trojans. If you were infected by a virus/trojan then standard approaches will pay off. On the other hand, if someone has deliberately and manually cracked your computer you may find it much more difficult to locate them. Even forensics will be difficult since the first thing any intelligent cracker will do is delete all logs.

> 3) How to decipher the output of `netstat -a`?

Phew, that's the whole netstat(8) man page! Anyhow, one part lists out connected sockets, another part lists listening sockets, a third lists out Unix domain (local) sockets. To take an example, the connected socket list consists of:

- The protocol (tcp/udp/tcp6/etc.)
- Number of characters waiting to be read by the local application
- Number of characters waiting to be read by the remote application
- The IP address and port of the local side of the connection
- The IP address and port of the remote side of the connection
- The state of the connection

Hope that helps.

Regards,

-- Raju

-- 
Raj Mathur r...@kandalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves

_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help
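The columns Raju lists above are exactly what you need to turn `netstat -a` into a checklist for question 1: which ports are open to the world, which connections are live, and whether any listener is one you did not expect. The script below is an added example, not part of the original post or of any tool it mentions. It parses the classic net-tools `netstat -a` layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) from a constructed sample, skips the Unix domain section, and flags listeners whose port is not in an allowlist that the administrator supplies. The sample output, the IP addresses (documentation ranges) and the allowlist are assumptions made for the demonstration; on a real host you would feed it the live output of `netstat -a` and your own list of expected ports.

```python
"""Turn `netstat -a` output into the fields described in the reply.

Added example, not from the original post. NETSTAT_SAMPLE is constructed
text in the Linux net-tools `netstat -a` layout, not a capture from a
real host; the addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0     52 192.0.2.10:22           198.51.100.7:50212      ESTABLISHED
tcp        0      0 192.0.2.10:31337        203.0.113.45:4444       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
tcp6       0      0 :::80                   :::*                    LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     12346
"""

INET_PROTOS = {"tcp", "tcp6", "udp", "udp6", "raw", "raw6"}
WILDCARD_ADDRS = {"0.0.0.0", "::"}   # bound to every interface


@dataclass
class Socket:
    proto: str
    recv_q: int            # bytes queued for the local application
    send_q: int            # bytes sent but not yet acknowledged by the peer
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]   # None for the '*' wildcard
    state: Optional[str]         # None for UDP, which has no state column


def _split_endpoint(endpoint: str):
    """Split 'addr:port' on the LAST colon so IPv6 forms like ':::80' work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Socket]:
    """Parse the Internet-socket section of `netstat -a` output."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        if line.startswith("Active UNIX domain sockets"):
            break                      # different column layout; not handled here
        fields = line.split()
        if len(fields) < 5 or fields[0] not in INET_PROTOS:
            continue                   # section banner or column header
        proto, recv_q, send_q, local, remote = fields[:5]
        state = fields[5] if len(fields) > 5 else None
        local_addr, local_port = _split_endpoint(local)
        remote_addr, remote_port = _split_endpoint(remote)
        sockets.append(Socket(proto, int(recv_q), int(send_q),
                              local_addr, local_port, remote_addr, remote_port, state))
    return sockets


def is_listener(s: Socket) -> bool:
    """TCP listeners say LISTEN; a UDP socket with a wildcard peer is open too."""
    return s.state == "LISTEN" or (s.proto.startswith("udp") and s.remote_port is None)


def listening_on_all_interfaces(sockets: Iterable[Socket]) -> List[Socket]:
    return [s for s in sockets if is_listener(s) and s.local_addr in WILDCARD_ADDRS]


def established(sockets: Iterable[Socket]) -> List[Socket]:
    return [s for s in sockets if s.state == "ESTABLISHED"]


def unexpected_listeners(sockets: Iterable[Socket], expected_ports: Set[int]) -> List[int]:
    """Listening ports not on the administrator's allowlist (an assumed input)."""
    return sorted({s.local_port for s in sockets
                   if is_listener(s) and s.local_port not in expected_ports})


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    expected = {22, 25, 80, 68}        # assumed allowlist for this host
    print("open to all interfaces:", [s.local_port for s in listening_on_all_interfaces(socks)])
    print("established:", [(s.local_addr, s.local_port, s.remote_addr, s.remote_port)
                           for s in established(socks)])
    print("unexpected listeners:", unexpected_listeners(socks, expected))
```

On the constructed sample the script reports port 31337 as an unexpected listener and shows an established connection to it from an outside address; that pairing (an unlisted port bound to 0.0.0.0 plus a live peer) is the pattern worth chasing with `lsof -i :PORT` or `ss -p` to find the owning process. Bear in mind Raju's caveat: a rootkit that hooks the libraries netstat relies on can hide its own sockets, so compare against `/proc/net/tcp` or a scan from a second machine before trusting a clean result.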