[cobalt-users] determining hackattack
- Subject: [cobalt-users] determining hackattack
- From: Jim Dory <engineer@xxxxxxxxxxxxx>
- Date: Mon Jul 1 17:39:05 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
My setup: a Raq4r on the 'trusted' interface of a Watchguard firewall,
serving as a file share for a small network; and a Raq4r on the DMZ
interface of the firewall serving as an email and webserver for the network.

A while back I thought I was hacked because of some strange things that
may have turned out to be either my fault or some kind of error. (I
filled up the root partition - my mistake, and somehow truncated the
httpd.conf file - not sure if I did that.) Now that I'm smarter, I want
to 'harden' my system with things like portsentry, etc. However, I
would like to convince myself that I'm not hacked without going through
the considerable work of reinstalling everything. That seems to be the
advice for those hacked: reinstall to a clean system. But I'm thinking
I'm not hacked, just want to be sure.
So, I would be curious if there's any advice for determining hacks. I've
run chkrootkit and the very first time it reported suspicious lkm
worm, but the subsequent times I've run it (soon after the first) it
reports all negative. I've run it on the public web server that didn't
have the error I mentioned above and it reported all negative the first
time. I see one method is by using the MD5 algorithm to compare
checksums of binaries. To do that, you need to have known good binaries,
not the ones of the suspect server. So one question is:
how do I determine the good checksum - would it be on my restore cd and
somehow extractable, and would I need to reinstall that binary on the
server to be sure it was a good one to check against the MD5? (I
obviously know little about this but am researching; time is limited.)
What are some good files to check? Things like ps, ls, netstat? In other
words, what files are most likely changed to hide an attack.

Here's one webpage on MD5 stuff and other:
http://quickenexcite.cnet.com/webbuilding/0-7532-8-4720241-2.html?tag=st.bl.7532-8-4720241-1.txt.7532-8-4720241-2
Any other good advice or programs short of reinstalling?

--
Jim D.
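The checksum comparison the post asks about, as an added example that is not part of the original message or of any Cobalt tooling: a small POSIX shell script that records the MD5 digest of a fixed list of binaries taken from a known-good root (a mounted restore CD, or files copied from a clean, identically-patched machine) and then compares the same paths on the suspect host. The directory roots, the watched-file list and the demo tree built at the bottom are constructed for illustration. Two points worth keeping in mind when using something like this for real: run it with a `md5sum` binary you trust (for example one taken from the same clean media), since a rootkit that replaced `ps` can just as easily replace `md5sum`; and where `sha256sum` is available, swap it into the `digest` helper, which is the only place the hash algorithm is chosen.

```shell
#!/bin/sh
# Added example (not from the original post): compare MD5 digests of a fixed
# list of binaries on a suspect host against a baseline computed from
# known-good copies, e.g. files copied from a restore CD or a clean install.
# Assumptions: the "good" and "suspect" roots are hypothetical directories;
# the demo at the bottom builds a constructed tree so the script runs offline.

# Constructed watch list: binaries commonly replaced to hide processes,
# files, sockets and logins. Extend to taste.
WATCHED="bin/ps bin/ls bin/netstat bin/login sbin/ifconfig"

# digest FILE: print the MD5 hex digest, using md5sum (coreutils) or md5 (BSD).
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# make_baseline GOOD_ROOT OUTFILE: write one "<digest>  <relative path>" line
# per watched file, computed from the known-good tree.
make_baseline() {
    good_root=$1; out=$2
    : > "$out"
    for f in $WATCHED; do
        printf '%s  %s\n' "$(digest "$good_root/$f")" "$f" >> "$out"
    done
}

# verify_baseline SUSPECT_ROOT BASELINE: print a CHANGED or MISSING line for
# every watched file that no longer matches; return 1 if any did, else 0.
verify_baseline() {
    suspect_root=$1; baseline=$2; rc=0
    while read -r expected path; do
        if [ ! -f "$suspect_root/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(digest "$suspect_root/$path")
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# make_constructed_tree DIR: build fake "good" and "suspect" trees for the demo.
# The suspect tree is an exact copy except that bin/ps has been altered.
make_constructed_tree() {
    for root in good suspect; do
        mkdir -p "$1/$root/bin" "$1/$root/sbin"
    done
    for f in $WATCHED; do
        printf 'constructed stand-in for %s\n' "$f" > "$1/good/$f"
        cp "$1/good/$f" "$1/suspect/$f"
    done
    printf 'tampered\n' >> "$1/suspect/bin/ps"   # simulated replaced binary
}

# Demo run: take the baseline from the good root, then check the suspect root.
demo_dir=$(mktemp -d)
make_constructed_tree "$demo_dir"
make_baseline "$demo_dir/good" "$demo_dir/baseline.md5"
if verify_baseline "$demo_dir/suspect" "$demo_dir/baseline.md5"; then
    echo "all watched binaries match the baseline"
else
    echo "integrity check FAILED (see lines above)"
fi
rm -rf "$demo_dir"
```

On a real host the baseline file should be written once from the clean media and then kept off the machine (or on read-only media), so that a later compromise cannot quietly rewrite the expected digests along with the binaries.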