On Tuesday 01 April 2003 11:00 am, [EMAIL PROTECTED] wrote:
> how do i know if i was hacked? except for /var/log/messages i don't know
> where else to look. please help me.
there are many old posts in this list on just this subject. please see the archives.

> Fully Searchable Archives With Friendly Web Interface at
> http://marc.free.net.ph

things that i do:

ps auxw and look to see what processes are running.

netstat -anp | grep LISTEN and look to see if any ports are open that shouldn't be.

netstat -anp | grep ESTABLISHED and look to see if there are any established sessions which are suspicious.

kill all the daemons you run and run the netstat -anp | grep LISTEN again.

run a portscan (i like nmap) against your server to see what ports are open. compare the list of open ports against your netstat results above.

review your firewall rules, and for those service requests which it lets through (e.g., tcp:25==smtp), check for recent exploits against whatever you're running on that port (are you running sendmail? look at the latest sendmail exploit).

http://www.cert.org/advisories/CA-2003-12.html

all of the above may show no suspicious behavior if the rootkit replaced your binaries. you might want to boot from a rescue disk (tomsrtbt, or a rescue disk you created, or the boot CD if you can do rescue from that) and then run a check (using rpm or whatever package manager you use) on all the binaries to make sure they've not been corrupted. i like tripwire myself, with the signatures on a CD-R that's been closed.

if you're short on time and don't want to take chances, you could just back up everything on that box, then rebuild it. you'd need to take care, though, that the exploit (whatever it is) doesn't go on your backup and get rebuilt with the box.

if your company has a budget for it, i'd recommend hiring someone from this list to check out your box for you.

good luck.

tiger

--
Gerald Timothy Quimpo   tiger*quimpo*org   gquimpo*sni-inc.com   tiger*sni*ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
Whenever I feel like exercise, I lie down until the feeling passes.

_______________________________________________
Philippine Linux Users Group.
Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
