Re: Been hacked
From: Jim Patterson (jim_patterson_at_comcast.net)
Date: Fri, 14 Nov 2003 16:27:46 GMT
> On Fri, 14 Nov 2003 02:26:47 -0500, Jim Patterson wrote:
>>>On Thu, 13 Nov 2003 23:38:19 -0500, Jim Patterson wrote:
>>>>It appears one of my firewalls was hacked. I don't know how yet. But
>>>>that is what I came to ask. Is or how would I go about monitoring what
>>>>this guy is doing? I'd really like to figure out how far this guy has
>>>>gotten beyond my firewall. Or whether he got through the firewall at
>>>>all and just got to it from the inside? Any suggestions would be
>>>You haven't given any information as a basis for any but the most
>>>How do you know that you have been hacked?
>>>What os are you running; what services are exposed to the public; what
>>>services are open on a LAN; have you applied all security updates?
>>>What are the exact versions of all the services that you are running?
>>>For all anyone could tell from your message, you are running Windows 98
>>>SE unpatched, and you got the blaster worm. How would anyone know
>>>ps. If you think your system has been hacked, you should disconnect it
>>>from the public network, NOW!! Thanks.
>>The system is running linux with an iptables firewall. There is a
>>monitoring program which is missing and there is another monitoring
>>program which is not working correctly. The firewall is intact. Going
> What monitoring program were you using that is now missing? What
> monitoring program were you using that is not working correctly? I don't
> necessarily know the answer to your needs, but you have so far not made
> your situation clear enough for any "answer", as far as I can tell.
>>over what's in place and what's missing I believe that this was
>>hacked from someone inside the firewall. I have monitored the system for
>>a couple of hours with ethereal and do not see extraneous attempts to
>>From what I have seen thus far, I surmise that this was someone's way of
>>saying, see I can hack into your linux box. The firewall was set to
>>mainly log external communications and currently
>>is not monitoring internal communications.
>>My current plan is to reinstall the system and place everything the same
>>as it was before. I also need to put in place a means of monitoring
>>this system as stealthily as possible, I also need to consider that this
>>person may be working in the computer group and does know something
>>about covering/minimizing their tracks and may be able to access this
>>computer from multiple systems.
> If there is someone knowledgeable with inside access to your system, s/he
> may (obviously) know more about your system than you have said here so
>>I do not know of a tool which will tell me immediately if someone is
>>manipulating files on a system?
> If your system is hacked, you cannot trust any executables on that system
> to give you trustworthy results. You should only be trusting utilities
> and executables that are running from (for example) CD-ROM or other
> read-only media.
> You haven't yet said anything to indicate that you have indeed been
> hacked, except that you have two monitoring programs (that you did not
> identify) that are not working. There could be other reasons they are not
> working, but you haven't been specific about this.
> I repeat:
> If you think your system has been hacked, you should disconnect it from
> the public network, NOW!! Thanks.
Is there a program out there that will monitor a system and indicate
immediately if someone is modifying files? Low cost?
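
One way to detect modified files, as an added example that is not part of the original thread: record a SHA-256 baseline of a directory tree and compare against it on each later run (a periodic check, not a real-time alert). The function names and the constructed sample tree are assumptions; in line with the quoted advice, the baseline and the checker itself belong on read-only media rather than on the monitored host.

```python
import hashlib, json, os, stat, tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> [sha256, permission bits, uid, gid] for regular files."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)              # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                snap[os.path.relpath(full, root)] = [
                    hash_file(full), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid]
    return snap

def compare(baseline, current):
    """Report files added, removed, or changed (content, mode or owner)."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b), "removed": sorted(b - c),
            "changed": sorted(p for p in b & c if baseline[p] != current[p])}

def run_demo():
    """Constructed tree (hypothetical file names): baseline, tamper, verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("monitor_a", b"v1"), ("monitor_b", b"v1"),
                           ("rules", b"-P INPUT DROP\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # In real use, write this JSON to read-only media, not the monitored host.
        baseline = json.loads(json.dumps(snapshot(root)))
        os.remove(os.path.join(root, "monitor_a"))       # a program goes missing
        with open(os.path.join(root, "monitor_b"), "wb") as f:
            f.write(b"v2")                               # a program is altered
        os.chmod(os.path.join(root, "rules"), 0o777)     # permissions loosened
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"new")                              # unexpected new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```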