Having been hacked many times on Linux machines without the aid of
installed intrusion detection software, and at the same time hoping
that the cracker was not using special stealth tricks that could
render any effort useless short of a reinstall, here
are most of the things I did manually and painfully:

1) Log on and become root. Make sure the PATH variable is sanely
configured, else set it manually:
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
Then, for each directory in that PATH variable, get all the files'
MD5 hash values using a clean uploaded copy of an 'md5sum' binary.
Run it as:
md5sum /sbin/* /usr/sbin/* /bin/* /usr/bin/*
Compare the md5sum values with the binaries of a clean installation
of the same Linux distribution. With this you'll know which binaries
were changed or possibly trojaned.
If there's no clean setup to compare with, it gets more difficult.
The last chance is to rely on the system's time not having been touched
by the cracker. Anyway, to go on with it, do an 'ls'
for each directory on the PATH variable:
ls -lacR /sbin /usr/sbin /bin /usr/bin
This will yield each file's 'ctime' (inode-change) timestamp.
Compare each file's timestamp relative to when the OS was installed
or the date the compromise occurred. With this you subjectively
choose which binaries seem trojaned and need to be reinstalled.
There are other timestamps per file (access and modified time) but they can
lie to you easily.
The objective up to this point is to take out the trojans,
because many binaries you need to use might have been modified
to misguide you.

2) List and find all suspicious network connections and daemons which
might be backdoors:
a) netstat -nap
b) lsof -i -P
This will list the process id, name and connection
state of every process which has a network socket. But before you
kill the process, you must find the path it was executed from, to
hopefully trace where the cracker placed her other files. Use:
ls -l /proc/<process id here>/exe
Note that you cannot take the process name from 'ps',
since it too can lie to you easily. Take note of the path and the directory
where it is located. Go into that directory and check the files in it.
Do:
ls -lacR /crackersdirectory
If there are suspicious files, remove or move them elsewhere.
Then kill the running process:
kill -15 <process id here>
This will send the process the unstoppable TERMINATE signal!

3) Next, check all the running processes and process relationships.
'ps' can help, but there is such a nice thing called 'pstree'.
pstree -up
This will print out the process hierarchy tree rooted at 'init', complete
with process id, process owner and relationships! Again, terminate all
processes that shouldn't be running around. And again, if you did find
some abnormal processes, locate the directory/files to remove them
from where they were run from before terminating them.

4) Kill your task schedulers such as 'crond'
and figure out if there are some executables being respawned from
them. Look at all the config files within:
a) /etc/crontab
b) /etc/cron.*/
c) /var/spool/cron/
Your objective is to make sure that no backdoor/trojan is
triggered by a scheduler. Then, after cleansing the
scheduler config files, check again for any process that might
have sprung up while doing this step.

5) Next is to find out if any backdoor or trojan is run at startup.
Read and trace through the startup scripts, including
a) /etc/inittab - including the scripts being run within it
b) /etc/rc.d/* - including any rc scripts like rc.local
If you have another good copy on another similar machine to compare with,
do so, because this is tedious. You may have to try to reboot or enter a
different runlevel several times to figure out if another weird process is
popping up at every restart/reboot/system initialization.

6) Next, check the following files for proper permissions:
they should be owned by root and only writable by root.
Notably, /etc/shadow should only be readable by root.
a) /etc/passwd
b) /etc/shadow
c) /etc/group
And most especially, check for and delete any new weirdo user with a
user id or group id of 0 and those who shouldn't have a shell. Also take
out any weirdo user from the 'root' group.
For each user who has shell access, including root, check the user's
startup shell files like
a) /etc/profile
b) /etc/bashrc (if using bash)
and in each user's home directory:
c) .profiles
d) .bash*
e) .log*
Check whether they are executing anything weird. Check that they are not
symlinks/hardlinks to any other file; otherwise any executable in there can run
automatically when that user logs in.

7) Next is to find executable files that were given setuid power.
Search for them by:
find / -perm +6000 -type f
Setuid files run with the privilege of the file owner, so
they are dangerous. If you find some weird files with setuid on,
disable them by:
chmod -x <file>
The only files with setuid on modern Linux installs are 'su' and 'passwd'.
There may be some more needed by some servers like sendmail and procmail.

8) There may be other cracker files on your system, but by this point
you've weeded out the ones that can easily get activated. The next step
is to determine how the cracker got in. Stop or patch any
probably buggy server software you are running. You can try
finding the cracker's other files and any world-writable files and
directories you have by doing 'ls -lacR /' on your whole disk.
Then I guess it's time to look at the '/var/log/*' files, create MD5
hashes, back up critical startup scripts, install some tripwires, an IDS,
put up some host-based firewall, etc...

hth,
pong
On Tue, 20 Nov 2001, macky wrote:
> Can anyone tell me the most common steps to be taken to know if someone has
> taken over your system?
> Definitely the first thing to look at is the LOGS.. am I right? :)
>
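Step 1 of the checklist above in script form, as an added example that is not code from the original post: it assumes GNU coreutils md5sum plus POSIX find, awk and sort, and a baseline manifest generated with the same function on a clean install of the same distribution. It goes a little beyond the plain md5sum comparison in the post by also reporting binaries that vanished and files the clean baseline never listed.

```shell
#!/bin/sh
# Added example, not code from the original post: compare a directory tree of
# binaries against a baseline md5sum manifest taken from a known-clean install
# of the same distribution, reporting binaries whose hash changed, binaries
# that are missing, and files the baseline never listed (likely dropped later).
# Assumes md5sum (GNU coreutils) plus POSIX find, awk and sort.

# Print "<md5>  <path>" for every regular file under the directory given as $1.
# Run this on the clean machine (or against a clean copy) and keep the output,
# e.g.: make_baseline /sbin > clean-sbin.md5
make_baseline() {
    find "$1" -type f -exec md5sum {} + | sort -k 2
}

# Hash the tree under $1 now and diff it against the manifest file $2.
# Output is one finding per line: CHANGED, MISSING or NEW, then the path.
# A tree that matches the baseline exactly prints nothing.
check_against_baseline() {
    tree=$1
    manifest=$2
    make_baseline "$tree" | awk -v base="$manifest" '
        BEGIN {
            # Load the clean hashes, keyed by path.
            while ((getline line < base) > 0) {
                split(line, f, "  ")
                expected[f[2]] = f[1]
            }
        }
        {
            path = $0
            sub(/^[0-9a-f]+  /, "", path)      # strip the hash, keep the path
            seen[path] = 1
            if (!(path in expected))           print "NEW " path
            else if (expected[path] != $1)     print "CHANGED " path
        }
        END {
            for (p in expected) if (!(p in seen)) print "MISSING " p
        }' | sort
}
```

Point check_against_baseline at each PATH directory in turn (e.g. check_against_baseline /sbin clean-sbin.md5) using an md5sum binary you trust, since a trojaned md5sum defeats the whole comparison.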
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]