How do I tell I was hacked?

From: richard childers / kg6hac (fscked_at_pacbell.net)
Date: 06/12/04

  • Next message: Lupe Christoph: "Re: Hacked or not appendice"
    Date: Sat, 12 Jun 2004 07:04:54 -0700
    To: freebsd-security@freebsd.org
    
    

    >
    >
    >Date: Sat, 12 Jun 2004 13:15:33 +0200
    >From: "Peter Rosa" <prosa@pro.sk>
    >Subject: Hacked or not ?
    >To: "FreeBSD Security" <freebsd-security@freebsd.org>
    >Message-ID: <016301c4506e$947644e0$3501a8c0@pro.sk>
    >
    >Hi all,
    >
    >please advise me - I was on holidays for one week. After return I found in
    >security mails from router (chkrootkit) following message:
    >Checking `lkm'... You have 1 process hidden for readdir command
    >You have 1 process hidden for ps command
    >Warning: Possible LKM Trojan installed
    >
    >It appeared only once. In the reports from the previous and next days, the
    >message is not present.
    >
    >How could I be sure, the machine is not hacked ?
    >
    >

    [1] Make backups. tar(1), dump(8), doesn't matter.
    [2] Reinstall identical operating system on new equipment.
    [3] Restore backups into large partition sized for this operation
    (call it '/backups').
    [4] Compare the contents of each directory in /backups recursively
    against a known good copy. For example, to compare /usr against the
    backed-up image, do this:

        # diff -r /usr /backups/usr

    [5] Review the list for files which differ or which do not exist on
    the known good copy.
    [6] Exclude files for which there are good reasons for difference (i.e.,
    logs and state files).
    [7] Analyze the resulting files; pay particular attention to
    executables, but also libraries.

    You may also find it useful to reload the old operating system onto a
    box on an insulated network and monitor the operating system, its
    processes and its network traffic, using known good tools.

    Regards,

    -- richard

    -- 
    Richard Childers / Senior Engineer
    Daemonized Networking Services
    945 Taraval Street, #105
    San Francisco, CA 94116 USA
    [011.]1.415.759.5571
    http://www.daemonized.com
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.2.4 (FreeBSD)
    mQGiBECGpfsRBACoPJJfIIrWAqjlW92TtYCtY//e7OW8alWylr/1ygtSQzjCCdvC
    Ysa0fCcx01UenlWV+5YY/zC7KPsX2rQUKAs20fqs9et74dmgMGOj0vMjTzWEs29G
    FyAsIRSpFioa8zzrjXEUVnU6OFaD9a9eaC+LSTCiKgXjbQySDKM5T1c+vwCg8W3Y
    RZ83LRIUULGMPlY6zS4fQwUEAIIiTHDdWpbE+HeREJwH+4eDpGVf76XtNlOMXrt9
    tJ3ExL+9ezLulg1nCrOYodOB7TEZqzV40R7emDZSX0hI9QEBCv6nW5aDVpw/bf+q
    UEHwxrUvE2LBi35hoqR2QwqNlagOauSorWj8Qm/31luxJVeLVy1A1czp6B/mvG1T
    co03A/9a5kzEAebJ5TzWXQC2/4gu/osXQnrw9B9FFpYOtLc0MNQuAFt8VLn5yO5Q
    8T58w+FQvFI5FqzI5URmjQeEyWWuyIechknk4RnwIO1UPVjgRTuNgf9/TvNNfqpa
    aVlbNp+AG21D6VqsFN2zJFFJeUqiYdXw6i+ESL3SZRymIhwYWrQ8UmljaGFyZCBB
    IENoaWxkZXJzICh3d3cuZGFlbW9uaXplZC5jb20pIDxmc2NrZWRAcGFjYmVsbC5u
    ZXQ+iF4EExECAB4FAkCGpfsCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQjGqW
    TlNTP66KzQCgjf0SQbiK1rgu7hRsmLPSSaGF7X8AoL7Qw/E9kTZr0fntP0XXEnk/
    q6nRuQINBECGpvkQCADFzFq+kYbk+KTIhcVBTjTWDbBnjGgmuGR3LGp9hOd6W9SJ
    i4GD5184ZnMbEgvDZcDEGDNgMcU+f1girwYI2v/o7QA7VQ5bpUbnfOBytzO+bvd7
    uCOyJltg8AG5MFLxfhAMHofpNxGlFTEXdVp4M9xyBB+hdLHbJNJqkMGPf+iCUf1W
    Q86KncU2AK4Sf9I+WYBZwkjaIhi9dQzeEX1c0Um6LxXSBtkjZprIk1M13gVaIJ6E
    dDN6hrSMbXZL+7yURw38vHXCtRJAKEOyW178rI8MzJzvVNhobvC62uEWD9Idz8sH
    5A06fqb2fKJYLQ1keGUpb/qpny7oTmAe0Hx9jOM7AAMGCACdTe1M4U++/7/OVGip
    1gnWEtMhHeQQbS7KPh1w8/1kvs5Mml6uGYQI44lKTDP7OHJQ9hIT/+5tfKPHIPhU
    M/7Mqa8y81c/AK+WUOyY9+uZ0zUxFGMqeU9z5iqJFWSi9QR/f5q/khfmqi5RFVyQ
    nnVhxBMB8pY1vZHV1CoL7NLK4c/N8mpwCiZ57LTsP8pLfDMWF/OopmM2ulzlfWTr
    anAdxQohenq/zTgSySX/VGZYSYvyAoXTRuU4USAVGWcUQPnVooA1N7lZP3pawjNP
    QMSukx9jI1673BPsPXxyQZ1PmmPt9eHKI0G0hNJG+FCmSRLNT/R7hqTzTUmpgMWM
    yyWPiEkEGBECAAkFAkCGpvkCGwwACgkQjGqWTlNTP642KACeITHq0b42P3oMX7Nj
    F5U3EaqCgYoAn3HxUB7ELB6vMUugW4aSmZpBJOR6
    =ZaJO
    -----END PGP PUBLIC KEY BLOCK-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
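The script below is an added example, not code from Richard's reply or from FreeBSD, automating steps [4] through [7] of the procedure he describes: walk the restored backup tree, skip files that are expected to differ (logs and state), compare the rest byte-for-byte against the known-good tree, and report files that differ, exist only in the backup, or have vanished, tagging executables and ELF libraries so they get looked at first. Everything beyond the post's /usr and /backups/usr paths (the function names, the exclusion list, the constructed demo trees) is this example's own assumption. It should be run from the freshly installed system with that system's own diff, cmp and find, never with tools from the suspect box.

```shell
#!/bin/sh
# Added example (not from the original post): automate steps [4]-[7] above.
# Run it from the known-good reinstall, using that system's own tools.
# /usr and /backups/usr are the post's paths; the function names, the
# exclusion list and the demo trees are this example's assumptions.

# is_binary FILE: true if FILE is executable or begins with the ELF magic
# (0x7f 'E' 'L' 'F'), so a replaced binary or library is flagged (step [7]).
is_binary() {
    [ -x "$1" ] && return 0
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | grep -q '7f 45 4c 46'
}

# expected_diff REL: true for files that legitimately differ (step [6]).
# Extend the pattern list with your own logs and state files.
expected_diff() {
    case $1 in
        var/log/*|var/run/*|var/db/*|*.log|*.pid) return 0 ;;
    esac
    return 1
}

# compare_trees GOOD BACKUP: prints one line per suspicious file (step [5]):
#   DIFF    path   content differs from the known-good copy
#   EXTRA   path   present only in the backup (a dropped module, a new binary)
#   MISSING path   present only in the known-good tree
# Binaries and libraries carry a [BINARY] tag. Contents are compared with
# cmp rather than by timestamp, because an intruder can reset mtime.
compare_trees() {
    good=$1 backup=$2
    (cd "$backup" && find . -type f) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        expected_diff "$rel" && continue
        tag=""
        is_binary "$backup/$rel" && tag=" [BINARY]"
        if [ ! -e "$good/$rel" ]; then
            printf 'EXTRA %s%s\n' "$rel" "$tag"
        elif ! cmp -s "$good/$rel" "$backup/$rel"; then
            printf 'DIFF %s%s\n' "$rel" "$tag"
        fi
    done
    (cd "$good" && find . -type f) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        expected_diff "$rel" && continue
        [ -e "$backup/$rel" ] || printf 'MISSING %s\n' "$rel"
    done
}

# run_demo: build two small constructed trees (a stand-in for /usr and
# /backups/usr) and compare them. The trojaned ls, the added kernel module
# and the deleted helper are invented for the demo.
run_demo() {
    tmp=$(mktemp -d) || return 1
    good=$tmp/usr backup=$tmp/backups/usr
    mkdir -p "$good/bin" "$good/lib" "$good/etc" "$good/var/log" \
             "$backup/bin" "$backup/lib/modules" "$backup/etc" "$backup/var/log"
    # known-good tree
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$good/bin/ls"; chmod 755 "$good/bin/ls"
    printf '\177ELF libc' > "$good/lib/libc.so.7"
    echo 'hostname="router"' > "$good/etc/rc.conf"
    echo 'Jun 12 boot' > "$good/var/log/messages"
    echo 'helper' > "$good/bin/helper"
    # restored backup: ls replaced, libc intact, log differs (expected),
    # a module appeared, helper is gone
    printf '#!/bin/sh\nexec /bin/ls "$@" | grep -v hidden\n' > "$backup/bin/ls"
    chmod 755 "$backup/bin/ls"
    printf '\177ELF libc' > "$backup/lib/libc.so.7"
    echo 'hostname="router"' > "$backup/etc/rc.conf"
    echo 'Jun 13 boot' > "$backup/var/log/messages"
    printf '\177ELF' > "$backup/lib/modules/hide.ko"
    compare_trees "$good" "$backup"
    rm -rf "$tmp"
}

run_demo
```

For a real system, replace the demo with `compare_trees /usr /backups/usr` and feed the DIFF and EXTRA entries tagged [BINARY] to whatever analysis you trust (strings, objdump, a second clean copy of the package). The unexpected-diff list stays small only if the reinstall really is the identical version and patch level, which is why step [2] matters.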
    

