On Tue, Apr 01, 2003 at 03:00:16AM -0000, [EMAIL PROTECTED] wrote:
> how do i know if i was hacked? except for /var/log/messages i dont know
> where else to look at. please help me.
Please subscribe to the ph-linux-newbie list and post any questions you might have like this one there. The PLUG list is reserved for more advanced questions and discussion for people who already know what to do.

Anyhow, to answer your question, that's not exactly a simple thing. If a cracker has broken into your system, NOTHING there can be trusted. Most likely, important system binaries have been replaced that could give evidence of any intrusion. Your /var/log/messages may well have had any incriminating evidence removed, that is if the cracker is smart. Most aren't, fortunately for us, and telltale traces may well remain that could show you something fishy's going on.

A portscan provided by a tool like nmap (http://www.insecure.org/nmap) will expose any backdoors a cracker might have installed, as it will show all open ports on the machine. Booting the system with a rescue disc, and using tools like find(1) to scan for setuid root binaries (the find(1) on the system might very well have been replaced) might uncover further traces. Other telltale signs include connecting to a system with ssh that refuses to accept version 2 protocol connections (apparently all trojan sshds in existence these days use only protocol version 1). You aren't still using Telnet or FTP, right?

An auditing tool like Nessus (http://www.nessus.org/) will not only uncover other well-known network-accessible backdoors but also help you to ensure that your system isn't running any vulnerable/exploitable services.

-- 
Rafael R. Sevilla <dido at imperium dot ph>                 +63(2)8123151
Software Developer, Imperium Technology Inc.              +63(917)4458925
"Patriotism...is nothing else but a means for obtaining for the rulers their ambitions and covetous desires, and for the ruled the abdication of human dignity, reason, and conscience, and a slavish enthralment to those in power."

Philippine Linux Users Group.
Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
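The rescue-disc check described in the reply above, as an added example that is not part of Rafael's message: list the setuid binaries on a suspect root filesystem mounted from a rescue disc and compare them with a baseline taken while the system was known-good. The mount point, the owner argument and the baseline file are assumptions; the point is to run the rescue environment's own find(1), sort and comm, never the suspect system's.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the suspect root filesystem is
# mounted read-only somewhere like /mnt/root and that a baseline list of setuid paths
# (one path per line, relative to the root) was saved from a known-good install.

# Print setuid files under mount point $1 owned by user $2 (default: root), as paths
# relative to the mount point, sorted. -xdev keeps find(1) on the one filesystem.
list_setuid() {
    mnt=$1
    owner=${2:-root}
    find "$mnt" -xdev -type f -user "$owner" -perm -4000 2>/dev/null \
        | sed "s#^$mnt##" | sort
}

# Print setuid files present now but absent from baseline file $3.
# Anything this prints was not setuid on the known-good system and deserves a close look.
new_setuid() {
    now=${TMPDIR:-/tmp}/setuid.now.$$
    list_setuid "$1" "$2" > "$now"
    sort "$3" | comm -13 - "$now"
    rm -f "$now"
}

# Typical use from a rescue disc (paths are assumptions):
#   new_setuid /mnt/root root /mnt/rescue/setuid.baseline
```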
