On Sunday 14 Mar 2010, newlx...@yahoo.co.uk wrote:
> On Sun, 14 Mar 2010 10:18:04 +0530
> Raj Mathur <r...@linux-delhi.org> wrote:
>
> > > 1) How can we detect that someone has intruded / hacked our linux
> > > box ? 2) Which commands to use for such detection ?
> >
> > Apart from the standard places to look (/tmp, /var/tmp, all HTTP
> > domain directories)
>
> What signs / o/puts to look for in these directories - for
> example.. to indicate any possible intrusion ?
Anything that looks odd, actually. It's difficult to generalise, but usually file names starting with . or space, file/directory names containing spaces, and executable files are things I would look for.

> > > 3) How to decipher the output of `netstat -a ` ?
> >
> > Phew, that's the whole netstat(8) man page! Anyhow, one part lists
> > out connected sockets, another part lists listening sockets, a
> > third lists out Unix domain (local) sockets. To take an example,
> > the connected socket list consists of:
>
> Sorry to be not clear...
> for example in these netstat o/p columns :
> Proto RefCnt Flags Type State I-Node Path
> ....
> which flags or type or state etc indicate un-authorised connections
> to our linux box ? Is it possible to know from the indicated flags
> etc abt these facts ? TIA !

No, the flags alone will not tell you about unauthorised connections. For that you need to see which ports on your server are open and mark any non-standard ones (they'll be used for command and control of your infected server by remote entities), and which ports/servers your machine is making a connection to. For instance, if you see a lot of connections from your computer to a remote TCP port 25, and your machine isn't a mail server, it could indicate that you've been taken over by a spambot which is relaying spam through your machine. I'm sure Suresh would have more information on this side of things.

As other people have pointed out, this isn't something that can be learnt in a hurry, so experience (or experienced people) is your best friend where it comes to detecting cracked machines.

Regards,

-- Raju

-- 
Raj Mathur r...@kandalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves

_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help
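The two checks Raju describes above (unexpected listening ports, and many outbound connections to a remote port 25 on a host that is not a mail server) can be scripted. The following is an added example, not code from the thread or from any of its posters. It parses `netstat -tuna`-style output in the Linux net-tools column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the sample output embedded below is constructed for the demo, with documentation-range IP addresses, and the allow-list of "expected" ports is an assumption you would replace with what your own server is supposed to serve.

```shell
#!/bin/sh
# Constructed sample of `netstat -tuna` output (NOT captured from a real host).
# On a real machine replace the printf in the demo at the bottom with: netstat -tuna
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED
tcp        0      0 192.0.2.10:41002        203.0.113.5:25          ESTABLISHED
tcp        0      0 192.0.2.10:41003        203.0.113.6:25          ESTABLISHED
tcp        0      0 192.0.2.10:41004        203.0.113.9:25          SYN_SENT
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# unexpected_listeners "<space-separated allow-list of ports>"
# Reads netstat output on stdin and prints "<proto> <port>" for every listening
# socket whose local port is not in the allow-list. TCP listeners carry the
# state LISTEN; UDP lines have no state column, so a UDP socket whose foreign
# address is 0.0.0.0:* (or :::*) is treated as listening.
unexpected_listeners() {
    allow=" $1 "
    awk -v allow="$allow" '
        NR > 2 {
            listening = ($6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/)
            if (!listening) next
            port = $4; sub(/.*:/, "", port)      # strip address, keep port
            if (index(allow, " " port " ") == 0) print $1, port
        }'
}

# outbound_to_port "<remote port>"
# Reads netstat output on stdin and prints how many non-listening sockets
# (ESTABLISHED, SYN_SENT, TIME_WAIT, ...) have that remote port. A large
# count for port 25 on a box that is not a mail server is the spambot
# symptom described in the thread.
outbound_to_port() {
    awk -v want="$1" '
        NR > 2 && $6 != "LISTEN" && $6 != "" {
            fport = $5; sub(/.*:/, "", fport)
            if (fport == want) n++
        }
        END { print n + 0 }'
}

# Demo on the constructed sample. Allow-list assumed: ssh, http, ntp.
echo "Listening ports not in the allow-list:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80 123"
echo "Outbound connections to remote port 25:"
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_to_port 25
```

On the sample this reports the listener on tcp 31337 as unexpected and counts three connections to remote port 25. An unexpected listener is a lead, not proof: follow it up with `netstat -tunap` (or `ss -tunap`) as root to see which process owns the socket, and compare the binary against your package manager's file list before concluding anything.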