Re: Help, my machine has been hacked
From: Tim Haynes (usenet@stirfried.vegetable.org.uk) Date: 04/07/02
From: Tim Haynes <usenet@stirfried.vegetable.org.uk> Date: Sun, 07 Apr 2002 14:21:24 +0100
"B. Joshua Rosen" <bjrosen@polybus.com> writes:
>> So, any known(by chkrootkit) rootkit wasn't installed. It's a time to
>> check for new accounts (take a look at /etc/passwd), changes in
>> /etc/inetd.conf(or xinetd if you're using it), take a look at your
>> /etc/rc.d/ starting scripts, since they could run something at start-up,
>> also take a look at processes running in your system(ps -auxww), ports
>> opened (netstat -tupan), environment changes(`which env`) etc.
>>
>
> Did the netstat, nothing open
> Did the ps, nothing suspicious
That's what you'd expect from *cracked* versions of the above, as well as
normal, bear in mind.
This is the situation where I think nmap-ing yourself makes more sense than
running netstat - when the box's security is uncertain.
> I've also checked my secure shell logs and the message logs and there is
> no record of anyone logging in from the outside with the exception of
> myself. I've become convinced that I was falsely accused and that my
> systems have not been compromised. To be on the safe side I've ordered a
> Linksys router which will give me another level of protection, it will
> also give me wireless access as a side benefit.
Toys are good :) ... but what I'd worry about most is, if you're going to
open port 22 to the outside world, be it directly on your firewall box or
through a hardware firewall with DNAT - it matters not which, then you need
to protect the sshd listening there. If you provide port 80 to the outside
world, the httpd listening there must be protected. Yadda.
To this end, I'd suggest you install snort on the linux box so you can pick
up anomalies - eg invalid-flag port-scans and other known "fingerprints" of
standard attacks, and retain an *iptables* firewall on the linux box itself
so you can (a) double-check the effectiveness of the hardware box and (b)
filter invalid packets, in particular tcp scans with invalid flags, where
the hardware box might not do this for you. (If it does, well, it's less
urgent and another toy for you to play with.)
~Tim
--
Wind through the barley     |piglet@stirfried.vegetable.org.uk
Your early dream            |http://spodzone.org.uk/
A rising choir of birdsong  |
Your fields of summer green |
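The invalid-flag filtering Tim recommends, as an added example that is not part of the thread: Python that classifies TCP flag combinations with the same mask/compare semantics as iptables `--tcp-flags`, runs the check over a constructed packet log, and emits the matching DROP rules. The combination names, the `INVALID_COMBOS` table and the sample addresses are my own choices, not anything from the thread.

```python
# Added example (not from the thread): classify TCP flag combinations as an
# invalid-flag filter would, and emit the matching iptables --tcp-flags rules.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP header bits
ALL = FIN | SYN | RST | PSH | ACK | URG
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
# (mask, comp) pairs with iptables semantics: a packet matches when
# flags & mask == comp. Order matters: the first match is reported.
INVALID_COMBOS = {
    "null-scan":  (ALL, 0),                 # no flags at all
    "xmas-scan":  (ALL, FIN | PSH | URG),   # exactly FIN,PSH,URG
    "syn-fin":    (SYN | FIN, SYN | FIN),   # never legal together
    "syn-rst":    (SYN | RST, SYN | RST),
    "fin-no-ack": (FIN | ACK, FIN),         # FIN scan: FIN without ACK
    "psh-no-ack": (PSH | ACK, PSH),
    "urg-no-ack": (URG | ACK, URG),
}

def parse_flags(text):
    """Parse a 'SYN,ACK'-style list (as printed by tcpdump/snort) into a bitmask."""
    if text.strip() in ("", "NONE"):
        return 0
    by_name = {name: bit for bit, name in FLAG_NAMES.items()}
    return sum(by_name[n.strip().upper()] for n in text.split(","))

def flags_to_names(bits):
    """Render a bitmask in iptables syntax: NONE, ALL, or a comma-separated list."""
    if bits in (0, ALL):
        return "NONE" if bits == 0 else "ALL"
    return ",".join(name for bit, name in FLAG_NAMES.items() if bits & bit)

def classify(flags):
    """Name of the first invalid combination the flags match, or None if plausible."""
    for name, (mask, comp) in INVALID_COMBOS.items():
        if flags & mask == comp:
            return name
    return None

def iptables_rules(chain="INPUT"):
    """One DROP rule per invalid combination, ready to paste into a firewall script."""
    return [f"iptables -A {chain} -p tcp --tcp-flags {flags_to_names(m)} {flags_to_names(c)} -j DROP"
            for m, c in INVALID_COMBOS.values()]

def scan_report(records):
    """records: (src, flag_list) pairs from a packet log; returns (src, verdict) per packet."""
    return [(src, classify(parse_flags(fl))) for src, fl in records]
# Constructed sample log, modelled on what a packet logger would show.
SAMPLE = [("10.0.0.5", "SYN"), ("10.0.0.5", "SYN,ACK"), ("192.0.2.9", "NONE"),
          ("192.0.2.9", "FIN,PSH,URG"), ("192.0.2.9", "FIN"), ("10.0.0.7", "PSH,ACK")]
if __name__ == "__main__":
    print(*iptables_rules(), sep="\n")
    print(scan_report(SAMPLE))
```

Packets carrying ACK alongside FIN, PSH or URG are left alone, so ordinary established-connection traffic is not dropped; only the flag sets with no legitimate meaning are.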