Russ Kay wrote:
Well, I just got a phone call stating that my server has gone over its
monthly bandwidth limit by 2TB. Taking into effect the amount of
bandwidth I used, there are 2.3TB of unaccounted activity. I did a few
checks to see what is going on (mainly to see if there are root kits
or sniffers). I checked the log and saw a lot of ssh activity (all
denials though). I am currently maxing out my pipe and need to stop
this. So my question is what should one actually do to see how his/her
box is compromised? What should I check, in which order should I check?
Any help is very much appreciated.
-Russ Kay
To try to determine the extent of damage, you can try verifying the rpm
packages, something like:

rpm -V -a

and look at the output, in particular, for "5" entries - indicating a
checksum error - a difference between what was actually installed and
what is there now - on system binary files e.g. ls, cd, login, su...
keeping in mind that there will be legitimate differences in some files
- mostly config type files.

Also, every file on your system is suspect, so you may want to actually
add a new, clean "rpm" executable (using knoppix or something) and use
that for your verify. You can try running with the existing rpm package
and if you do see changes on major system executables, you can probably
believe those. If you see nothing suspicious, you may want to go through
the extra work of using a "clean" rpm.

Also, it is easy to configure your system to save your system logs to
another machine, since one of the first things hackers may do is change
or edit your local system logs.
Gary Whitten
[EMAIL PROTECTED]
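As an added illustration of the check Gary describes (this is not code from either poster), a small Python script that parses saved "rpm -V -a" output and lists the non-config system files with a "5" digest mismatch or missing entirely, so that config-file noise does not bury the binaries that matter. The sample output, the directory list and the parsing regex are constructed assumptions based on the standard rpm -V line layout.

```python
import re

# One rpm -V line: a 9-character attribute string (S M 5 D L U G T P, "." means
# unchanged, "?" means the test could not run) or the word "missing", then an
# optional file-type letter (c = config, d = doc, g = ghost, l = license,
# r = readme) and the path. Assumption: the standard rpm -V line layout.
_LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S*)\s*$"
)

# Directories where a digest change on a non-config file deserves a close look.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib", "/usr/lib")


def parse_rpm_verify(output):
    """Parse captured 'rpm -V -a' text into dicts; unparseable lines are skipped."""
    records = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if m:
            records.append({"path": m["path"], "attrs": m["attrs"],
                            "ftype": m["ftype"] or ""})
    return records


def suspicious_binaries(records, prefixes=SYSTEM_PREFIXES):
    """Non-config system files whose MD5 digest ('5') differs or which are missing.
    Config files (type 'c') are skipped: local edits there are usually legitimate."""
    return sorted(
        r["path"] for r in records
        if r["ftype"] != "c"
        and ("5" in r["attrs"] or r["attrs"] == "missing")
        and r["path"].startswith(prefixes)
    )


# Constructed sample output, not captured from a real host.
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ls
S.5....T.    /bin/login
S.5....T.  c /etc/ssh/sshd_config
.M.......    /var/log/messages
missing      /sbin/ifconfig
.......T.  d /usr/share/doc/bash/README
"""

if __name__ == "__main__":
    for path in suspicious_binaries(parse_rpm_verify(SAMPLE_OUTPUT)):
        print("CHECK:", path)  # /bin/login, /bin/ls, /sbin/ifconfig
```

Run it against output captured from a known-clean rpm binary, as Gary suggests; a replaced rpm can lie about its own files.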