[UFO Chicago] Detecting a H4X0R

Jesse Becker jesse_becker at yahoo.com
Fri Sep 12 15:35:00 CDT 2003


--- m.mccune at comcast.net wrote:
> You also might want to download and run chkrootkit. Get
> it from the official 
> Web site, since the version included in most distros is
> usually outdated.
> 
> www.chkrootkit.org

I'll second a vote for this program.  Just make sure that
you compile it on a trusted host.  I forget if the binaries
are all statically linked, but if you suspect a computer is
cracked, the system libraries on that box are suspect as
well...

Since it's a Mandrake distribution, you can use RPM to help
verify the files.  I think the command is "rpm -Va" to
verify everything.  There will be a lot of false positives
for changes that are "okay" (certain config files, etc). 
Naturally, the cracker could have compromised the RPM
database as well, not to mention the rpm binary itself.

Basically, you need to take the box down, boot off trusted
media (that LNX-BBC cd Nate keeps giving out would work
fine. <grin>), and investigate.

> > Could very well be -- look for rootkits (usually directories
> > stored in sneaky places, like in /dev/ named after device
> > files or .xx -style directories in places.) and for binaries
> > on your system that don't match what RPM says they should
> > be, size-wise.

I've personally found "..." and ".. " directories on boxes
people have had me look at (not my own...yet...).  Bear in
mind that programs like "find" are common targets for
compromise, specifically because they can be used to find
the break-in.

> > > automatically banned me.  According to the server, my
> > > system was detected broadcasting its information on the
> > > network,

Broadcasting what kind of information?  To me, this sounds
overly paranoid.  Then again, I don't lurk on Dalnet
either.

You want to do "computer forensics," essentially.  This
looks interesting: 
http://www.linux-forensics.com/downloads.html

There's plenty of stuff out there on the topic.

Good luck, and I hope you don't find anything. :-)


=====
Jesse Becker
GPG-fingerprint:  BD00 7AA4 4483 AFCC 82D0  2720 0083 0931 9A2B 06A2

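An added example (not from Jesse's message, nor from chkrootkit or rpm) of the two checks discussed above: sorting `rpm -Va` output into config-file noise versus changed or missing binaries, and screening directory names for the "..." and ".. " style hiding spots. The `rpm -Va` sample is constructed, and the line format is assumed from rpm's verify output; on a real box you would feed in output captured after booting from trusted media.

```python
import os
import re

# rpm -Va line (format assumed from rpm's verify output): 9-char attribute
# string (S size, M mode, 5 digest, L link, U user, G group, T mtime, "?" =
# untestable) or "missing", optional type flag (c config, d doc, g ghost,
# l license, r readme), then the path.
RPM_LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")

SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib/libz.so.1
S.5....T.    /bin/ls
missing     /usr/bin/find
.M.....T.    /usr/bin/passwd
"""  # constructed sample, not captured from a real system

def triage_rpm_verify(output):
    """Split rpm -Va output into (suspicious, noise) lists of (path, reason)."""
    suspicious, noise = [], []
    for line in output.splitlines():
        m = RPM_LINE.match(line.rstrip())
        if not m:
            continue
        attrs, ftype, path = m.groups()
        if attrs == "missing":  # missing config/ghost is normal, missing binary is not
            (noise if ftype in ("c", "g") else suspicious).append((path, "missing"))
        elif ftype in ("c", "d", "l", "r"):
            noise.append((path, "config/doc file, local edits expected"))
        elif "5" in attrs or "S" in attrs:
            suspicious.append((path, "contents differ from package (digest/size)"))
        elif set(attrs) & set("MUGL?"):
            suspicious.append((path, "mode/owner/group/link changed or untestable"))
        else:
            noise.append((path, "timestamp only"))
    return suspicious, noise

def suspicious_dirs(dir_paths):
    """Flag directory names of the kind used to hide rootkit files."""
    hits = []
    for p in dir_paths:
        name, parent = os.path.basename(p), os.path.dirname(p)
        if re.fullmatch(r"[.\s]+", name) and name not in (".", ".."):
            hits.append((p, "name is only dots/blanks, like '...' or '.. '"))
        elif parent == "/dev" and name.startswith("."):
            hits.append((p, "dot-directory under /dev"))
    return hits
```

To run the directory check over a live tree, pass `os.path.join(t, d) for t, ds, _ in os.walk("/") for d in ds` to `suspicious_dirs`, and pass the text of `rpm -Va` to `triage_rpm_verify`. Remember the caveat from the post: both `find`-style walks and rpm itself can be tampered with, so run this from trusted media.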