[NBLUG/talk] Security guides..

troy fryman at sonic.net
Tue Oct 14 15:07:00 PDT 2003


On Sat, Oct 11, 2003 at 03:40:07AM -0700, Steve Johnson wrote:
> I was just wondering (yah I can't sleep again :P)  Is there a good guide 
> out there that walks you through checking your system to see if it has 
> been hacked?  I know most boxes are rooted by script kiddies, and as a 
> matter of fact the last 3 or more machines that I detected an intruder, 
> the kiddies were too stupid to clean their tracks.  (left directories 
> like ... or ". something")

/me is behind on e-mail again...

Check out <http://www.chkrootkit.org/>
It's a shell script that detects common rootkits, along with a few utils
for detecting log modification etc.  You can page through the shell script
to get an idea of the kinds of things to look for when examining a
suspect system.

If you suspect a box has been compromised don't trust common tools such
as 'ps' and 'top' since they are commonly replaced with tools which have
been modified to hide any processes or users that the intruder has
created.  A cdrom with statically linked binaries is a nice tool to
have.  'chkproc' which comes with chkrootkit is a nice tool as well --
it compares the output from ps with the processes listed in /proc.


-troy
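As an added example (not from the post and not chkrootkit's own code), a small POSIX shell version of the check chkproc performs: list PIDs straight from /proc and compare them with what ps reports, so a ps that has been trojaned to hide processes shows up as a gap. The function names, the PS_BIN variable and the --live flag are this example's own.

```shell
#!/bin/sh
# Compare PIDs visible in /proc with PIDs reported by ps. A PID present in
# /proc but missing from ps output is what a replaced ps (or a rootkit that
# filters ps but not /proc) produces. PS_BIN lets you point at a trusted ps,
# e.g. a statically linked copy on read-only media.

# Print the PIDs in $1 that are absent from $2 (both whitespace-separated
# lists). Pure comparison, so it can be exercised on constructed data.
pids_missing_from() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) ;;        # reported by ps, fine
            *) echo "$pid" ;;    # in /proc but not in ps: report it
        esac
    done
}

# PIDs taken directly from the /proc directory listing (numeric entries only).
proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# PIDs as ps reports them; override PS_BIN to use a trusted binary.
ps_pids() {
    "${PS_BIN:-ps}" -e -o pid= | tr -d ' '
}

# Live check. /proc is read first, then ps, so a process that exits in
# between is in the /proc list only; the cmdline test drops those, leaving
# PIDs that still exist yet are not reported. Re-run to confirm any hit.
check_hidden_processes() {
    proc_list=$(proc_pids | tr '\n' ' ')
    ps_list=$(ps_pids | tr '\n' ' ')
    for pid in $(pids_missing_from "$proc_list" "$ps_list"); do
        [ "$pid" = "$$" ] && continue                 # this script itself
        [ -r "/proc/$pid/cmdline" ] || continue       # already gone: a race
        echo "hidden from ps: pid $pid ($(tr '\0' ' ' < "/proc/$pid/cmdline"))"
    done
}

if [ "${1:-}" = "--live" ]; then
    check_hidden_processes
fi
```

Run it as `sh hidden-procs.sh --live` on the suspect box; an empty result means ps and /proc agree, which is necessary but not sufficient, since a kernel-level rootkit can filter /proc as well.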