[UFO Chicago] Detecting a H4X0R

m.mccune at comcast.net m.mccune at comcast.net
Fri Sep 12 18:53:13 CDT 2003


You also might want to download and run chkrootkit. Get it from the official 
Web site, since the version included in most distros is usually outdated.

www.chkrootkit.org

> Could very well be -- look for rootkits (usually directories stored in
> sneaky places, like in /dev/ named after device files or .xx -style
> directories in places.) and for binaries on your system that don't match
> what RPM says they should be, size-wise.
> 
> Also, if there's anything running that normally isn't, look at killing it
> off. It depends a lot on how good the hacker is -- some of them will kill
> the last log, others won't.
> 
> Use netstat to look for active connections that shouldn't be there, and use
> ethereal to watch your network for traffic attempting to go to DALNet when
> you're not.
> 
> Good luck -- can be a real pain to track these things down.
> 
> dave
> 
> With carefully-arranged electrons, Larry Garfield wrote:
> > So the other day I went to log into Dalnet, and the network 
> > automatically banned me.  According to the server, my system was 
> > detected broadcasting its information on the network, which Dalnet 
> > interprets as my system having been hacked.
> > 
> > I started poking around my system and didn't see anything immediately 
> > obvious, but then, I don't really know what I should be looking for.  So 
> > I ask y'all for advice, since this is the first time that I've had a 
> > possible hack.  What should I be looking for to determine if the system 
> > has been compromised?  What's the likelihood that it has been cracked 
> > vs. Dalnet being overly paranoid?
> > 
> > I've been planning to upgrade and/or reinstall this system soon anyway, 
> > so the timing is good, but I figured I may as well make a learning 
> > experience out of it.  The system is Mandrake 9.0 with some patches (I 
> > confess I've not kept up with as many as I should have), behind a NAT 
> > router box that only forwards a few select ports (HTTP, FTP, SSH, etc.).
> > 
> > Any tips for what I should be looking for?
> > 
> > -- 
> > Larry Garfield			AIM: LOLG42
> > larry at garfieldtech.com		ICQ: 6817012
> > 
> > "If nature has made any one thing less susceptible than all others of 
> > exclusive property, it is the action of the thinking power called an 
> > idea, which an individual may exclusively possess as long as he keeps it 
> > to himself; but the moment it is divulged, it forces itself into the 
> > possession of every one, and the receiver cannot dispossess himself of 
> > it."  -- Thomas Jefferson
> > 
> > 
> > _______________________________________________
> > UFO Chicago -- Users of Free Operating Systems
> > Free Software Rules -- Proprietary Drools!
> > http://ufo.chicago.il.us/cgi-bin/mailman/listinfo/ufo
> 
> -- 
> David W. Harks <dave at psys.org>  http://dwblog.psys.org
> 
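An added triage script, not from any of the posters above, that turns the thread's checks (odd entries hiding in /dev, binaries that no longer match what RPM recorded, connections you did not start) into runnable functions for an RPM-based host like the Mandrake box. The pts/shm allowlist and the `--run` flag are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added triage helper for an RPM-based Linux host (example code, not from the
# thread). The allowlist of normal non-device names under /dev (pts, shm) is an
# assumption; adjust it for your distribution.
# Caveat: a rootkit that has replaced find, rpm or netstat can lie to all three
# checks, so when in doubt run them from known-good binaries (rescue media).

# Print directories, regular files and hidden names under a /dev-style tree.
# Real /dev holds almost nothing but character/block nodes and symlinks, so a
# ".xx" directory or a plain file in there deserves a look.
find_odd_dev_entries() {
    dir=${1:-/dev}
    find "$dir" -mindepth 1 \
        \( -path "$dir/pts" -o -path "$dir/shm" \) -prune -o \
        \( -type d -o -type f -o -name '.*' \) -print 2>/dev/null
}

# Compare installed files against the RPM database: keep only files whose
# size (S) or MD5 digest (5) differ and that live in a bin/ or sbin/ directory.
# Config files and docs change legitimately, so they are filtered out.
check_rpm_binaries() {
    rpm -Va 2>/dev/null | awk '$1 ~ /S|5/ && $NF ~ /\/s?bin\//'
}

# Established TCP connections and listening sockets with the owning process
# (-p needs root to resolve every PID). A connection to an IRC server that you
# did not open yourself is exactly what DALnet's ban was reacting to.
list_connections() {
    netstat -tupan 2>/dev/null |
        awk 'NR > 2 && ($6 == "ESTABLISHED" || $6 == "LISTEN")'
}

# Run all three checks when invoked as: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "== odd entries under /dev ==";     find_odd_dev_entries /dev
    echo "== binaries not matching RPM =="; check_rpm_binaries
    echo "== connections ==";               list_connections
fi
```

Empty output from all three is not proof of a clean box, only of a less careless intruder; chkrootkit and a reinstall, as suggested above, remain the safer answer.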
