Checking if Linux is hacked
A tutorial I use for reference. Copied from somewhere, but I don't remember where; maybe Ev1 when they were Rackshack.
The PS command
A root kit is a software package that a cracker installs after gaining root-level access to your machine, in order to keep that access and hide it from you. Once the cracker has root on your machine, it is all over: back up your data and have RS restore a fresh copy of your operating system. It is not always easy to discover that somebody has cracked your system, because a root kit is built to hide itself.
Can you trust your ps command?
The first trick in finding a root kit is to run the command ps. Chances are that everything will look normal to you. Here is a portion of my ps output; yours will probably be a lot longer, depending on what is running on the machine:
[root@srv05 /bin]# ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:04 init [3]
2 ? SW 0:00 [keventd]
3 ? SW 0:01 [kswapd]
4 ? SW 0:00 [kreclaimd]
5 ? SW 0:00 [bdflush]
6 ? SW 0:05 [kupdated]
7 ? SW< 0:00 [mdrecoveryd]
82 ? SW 0:00 [khubd]
596 ? S 0:00 /usr/sbin/automount --timeout 60 /misc file /etc/auto.misc
612 ? S 0:22 syslogd -r -m 0 -a /home/virtual/FILESYSTEMTEMPLATE/log-
The real question, however, is "Is everything actually normal?" A common trick that a cracker will use is to replace the ps command. The replaced version will hide the cracker's own processes from the listing (the same root kits usually replace ls, netstat, login and other commands too).
One test is to check the size of your ps binary. It is usually located in /bin/. On our Linux machines it is about 64 kilobytes. If your ps program is some ridiculous size like 12 kilobytes, or much larger than 60-64 kilobytes, you have a reason to be worried. Keep in mind that size is only a rough signal, since it varies between distributions and builds; a stronger check is to verify the binary against your package manager (rpm -V procps on RPM-based systems) or to compare its md5sum with a known-good copy from the install media.
For those of you who don't know how to check the size of your ps program, just cd /bin and type ls -l. Look for ps and check the size of this file.
Another trick is linking root's command history file to /dev/null. The command history file is used to track and log the commands that a user issues when logged into a Linux machine. Crackers will redirect your history file to /dev/null so that you cannot see what commands they were typing.
You can view your history by typing history at your shell prompt.
If the history command does not display any previously used commands, take a look at your ~/.bash_history file. If the file is empty, run ls -l ~/.bash_history.
When you perform the previous command you should see something similar to the following:
-rw------- 1 root root 10466 May 21 16:22 /root/.bash_history
If you see something like this:
lrwxrwxrwx 1 root root 9 May 21 19:40 /home/jd/.bash_history -> /dev/null
..then it means that the .bash_history file has been redirected to /dev/null.
This is a dead giveaway. Take your machine off the Internet now, back up your data (if you can), and have RS do a full restore for you.
Look for unknown user accounts
Very important, check for unknown user accounts. Issue the following command:
grep :x:0: /etc/passwd
The only line, I repeat, the only line that the grep command should return on a standard Linux installation is something similar to the following:
root:x:0:0:root:/root:/bin/bash
If your system returns more than one line with the previous grep command, you may have a problem. There should only be one user with the UID of 0; if that grep command returns more than one line, you have more than one account with root privileges. Note that this grep only matches entries whose password field is x. To be sure you catch every UID 0 account regardless of the password field, check the third field directly: awk -F: '$3 == 0' /etc/passwd.
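The three checks on this page (the ps binary, the history file, and UID 0 accounts) as a small shell script. This is an added example, not part of the original tutorial; the function names are my own, and the demo at the end runs against constructed files in a temporary directory, not against your real /etc/passwd or home directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the page's checks as POSIX sh
# functions that take file paths, so they can be run against the live system
# or against constructed test files. Function names are hypothetical.

# Count accounts whose numeric UID (third field) is 0. This is stricter than
# grep ':x:0:', which misses entries whose password field is not "x".
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# List every account name with UID 0. On a healthy system: just "root".
list_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Report a history file that has been turned into a symlink (e.g. to /dev/null).
# Prints the link target and returns 0 if it is a symlink; returns 1 otherwise.
history_is_symlink() {
    if [ -L "$1" ]; then
        readlink "$1"
        return 0
    fi
    return 1
}

# Size sanity check for a binary such as /bin/ps. Size is only a rough signal
# (it varies by distribution and build), so pass the range you know is right
# for your own build. Returns 0 when the size is inside [min,max], 1 when it is
# outside (suspicious), 2 when the file is missing or is itself a symlink.
size_in_range() {
    sr_file=$1; sr_min=$2; sr_max=$3
    [ -f "$sr_file" ] && [ ! -L "$sr_file" ] || return 2
    sr_size=$(wc -c < "$sr_file" | tr -d ' ')
    [ "$sr_size" -ge "$sr_min" ] && [ "$sr_size" -le "$sr_max" ]
}

# Demo on constructed files (not a real system): a passwd with an extra UID 0
# account and a history file linked to /dev/null, as a root kit would leave them.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'jd:x:500:500::/home/jd:/bin/bash' \
                  'toor:x:0:0::/root:/bin/bash' > "$d/passwd"
    ln -s /dev/null "$d/.bash_history"
    echo "UID 0 accounts ($(count_uid0 "$d/passwd")): $(list_uid0 "$d/passwd" | tr '\n' ' ')"
    if t=$(history_is_symlink "$d/.bash_history"); then
        echo "history file is a symlink -> $t (dead giveaway)"
    fi
    if size_in_range /bin/ps 30000 200000; then
        echo "/bin/ps size is within the expected range"
    else
        echo "/bin/ps size check failed or file not found (rc=$?)"
    fi
    rm -rf "$d"
}

demo
```

To audit the real machine, call the functions with the real paths (count_uid0 /etc/passwd, history_is_symlink /root/.bash_history, size_in_range /bin/ps with the limits for your build). Remember that on a rooted box awk, readlink and wc may themselves be replaced, so run the script from a known-clean copy of the tools where you can.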