[UFO Chicago] Detecting a H4X0R

d.w. harks dave at psys.org
Fri Sep 12 10:08:30 CDT 2003


Could very well be -- look for rootkits (usually directories stored in
sneaky places, like in /dev/ named after device files, or .xx-style
directories in places) and for binaries on your system that don't match
what RPM says they should be, size-wise.

Also, if there's anything running that normally isn't, look at killing it
off. It depends a lot on how good the hacker is -- some of them will kill
the last log, others won't.

Use netstat to look for active connections that shouldn't be there, and use
ethereal to watch your network for traffic attempting to go to DALNet when
you're not.

Good luck -- can be a real pain to track these things down.

dave

With carefully-arranged electrons, Larry Garfield wrote:
> So the other day I went to log into Dalnet, and the network 
> automatically banned me.  According to the server, my system was 
> detected broadcasting its information on the network, which Dalnet 
> interprets as my system having been hacked.
> 
> I started poking around my system and didn't see anything immediately 
> obvious, but then, I don't really know what I should be looking for.  So 
> I ask y'all for advice, since this is the first time that I've had a 
> possible hack.  What should I be looking for to determine if the system 
> has been compromised?  What's the likelihood that it has been cracked 
> vs. Dalnet being overly paranoid?
> 
> I've been planning to upgrade and/or reinstall this system soon anyway, 
> so the timing is good, but I figured I may as well make a learning 
> experience out of it.  The system is Mandrake 9.0 with some patches (I 
> confess I've not kept up with as many as I should have), behind a NAT 
> router box that only forwards a few select ports (HTTP, FTP, SSH, etc.).
> 
> Any tips for what I should be looking for?
> 
> -- 
> Larry Garfield			AIM: LOLG42
> larry at garfieldtech.com		ICQ: 6817012
> 
> "If nature has made any one thing less susceptible than all others of 
> exclusive property, it is the action of the thinking power called an 
> idea, which an individual may exclusively possess as long as he keeps it 
> to himself; but the moment it is divulged, it forces itself into the 
> possession of every one, and the receiver cannot dispossess himself of 
> it."  -- Thomas Jefferson
> 
> 
> _______________________________________________
> UFO Chicago -- Users of Free Operating Systems
> Free Software Rules -- Proprietary Drools!
> http://ufo.chicago.il.us/cgi-bin/mailman/listinfo/ufo

-- 
David W. Harks <dave at psys.org>  http://dwblog.psys.org
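The three checks Dave describes (binaries that no longer match the RPM database, directories hidden under /dev or behind a leading dot, and connections to an IRC network you did not open) scripted up as an added example. This is not code from the thread or from Mandrake; the `rpm -Va` and `netstat -tn` line layouts are written from memory of those tools, the sample lines are constructed rather than captured from a real box, and the 6660-7000 "IRC range" is an assumption about where a bot would phone home.

```shell
#!/bin/sh
# Added example, not part of the original reply. Assumptions: the
# `rpm -Va` and `netstat -tn` line formats below, and the IRC port range;
# all sample input is constructed.

# --- 1. Binaries that no longer match what the RPM database recorded ------
# `rpm -Va` prints one line per file that differs: a flags column (S=size,
# M=mode, 5=MD5 digest, T=mtime, ...), an optional 'c' marking a config
# file, then the path. Config files legitimately change; /bin/ps does not.
# On a live box:  rpm -Va 2>/dev/null | flag_modified_binaries
flag_modified_binaries() {
    awk '$1 ~ /[SM5]/ && $2 != "c" && $1 != "missing" { print $NF }'
}

# --- 2. Sneaky directories: subdirectories of /dev and dot-directories ----
# Takes a root path so it can be pointed at a mounted image or a test tree.
# A stock /dev has only a couple of real subdirectories (pts, shm); anything
# else there, and any dot-directory outside /home, deserves a look.
find_hidden_dirs() {
    root=$1
    {
        find "$root/dev" -path "$root/dev/*" -type d \
            ! -name pts ! -name shm 2>/dev/null
        find "$root" -path "$root/home" -prune -o \
            -type d -name '.*' -print 2>/dev/null
    } | sort -u
}

# --- 3. Connections that should not be there -----------------------------
# `netstat -tn` columns: proto recv-q send-q local foreign state. Report
# established TCP connections whose remote port is in the assumed IRC
# range (6660-7000); a bot joining DALnet on its own shows up here.
# On a live box:  netstat -tn | flag_irc_connections
flag_irc_connections() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($5, a, ":"); port = a[n] + 0
        if (port >= 6660 && port <= 7000) print $5
    }'
}

# --- Constructed sample input so the filters can be exercised offline -----
SAMPLE_RPM='S.5....T    /bin/ps
.......T    /usr/bin/vi
S.5....T  c /etc/httpd/conf/httpd.conf
missing     /usr/sbin/sshd
S.5....T    /bin/netstat'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.5:22          192.168.1.2:54013       ESTABLISHED
tcp        0      0 192.168.1.5:1034        203.0.113.9:6667        ESTABLISHED
tcp        0      0 192.168.1.5:1035        198.51.100.7:80         TIME_WAIT'

demo() {
    echo "== binaries differing from the RPM database =="
    printf '%s\n' "$SAMPLE_RPM" | flag_modified_binaries
    echo "== established connections into the IRC port range =="
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_connections
}

# Run the constructed samples through the filters:  sh detect.sh --demo
if [ "${1-}" = "--demo" ]; then demo; fi
```

The RPM check is only as good as the database it compares against: an attacker who replaced /bin/ps and also touched the rpm database, or who installed a kernel module that hides files, will not show up, which is why a known-clean boot CD and a copy of the original packages beat anything run from the suspect system itself.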