On Oct 5, 2007, at 9:19 AM, Raj Kiran Grandhi wrote:

> Hi,
>
> There is an article on slashdot,
> http://it.slashdot.org/article.pl?sid=07/10/05/1234217&from=rss which says that most of the phishing sites are being run from rootkitted linux boxes. I dunno how accurate their analysis is (the results were not released), however I wonder if there is any way to establish whether a given machine is compromised or not.
>
> Are there any tools available that one can run on a regular basis? What measures can we take to ensure that we are somehow alerted if our system gets compromised?

This can be a tricky question because if a system *does* get rootkitted, the illicit activity may be hidden from any software or utilities you're running on the system. That said, people sometimes get sloppy and I have seen compromised machines where there were obvious processes running in 'ps ax' that shouldn't have been there. It's good to get in the habit of running 'ps ax' occasionally -- you'll get a feel for what normal activity looks like, and anything unusual will stick out.

When trying to detect phishing sites and the like, you have an advantage because these things have to be visible from the outside. I like to port scan my boxes occasionally and see if any ports are listening that I don't recognize. (Programs like 'portsentry' can clutter this up; I don't particularly like them for that reason.) This could be automated if you like -- you could run nmap and log the output, then diff each day's log against the previous day's and email the output.

I regularly rsync the contents of my web directory (and several other directories) for backup purposes. I have the list of changed files from this script emailed to me nightly. If something has changed and I didn't change it, I know something's up. At very least you might want to run "du" on your web directory every so often to make sure a few hundred megabytes of porn haven't magically appeared there. (Yes, I've seen it happen. No, it wasn't my system.)

Be suspicious of any sudden, unexplained increase in network activity, especially outgoing. If your connection seems slow all of a sudden, or if your router traffic graphs are suddenly showing lots of activity, run 'iftop' or something like it and find out why.

If you have multiple machines, consider having syslog forward log messages between them. Often the first thing an attacker does after compromising a machine is delete the logs. If you have a copy on another system, you'll have a better chance of figuring out what happened later. A utility like "logcheck" that emails you activity reports can be useful, but these often require a bit of tuning to avoid getting constantly emailed about innocuous activity.

Hope this helps. There's no one thing you can do; mostly it's a matter of being aware of what's going on on your system.


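The "scan, diff against yesterday, mail the difference" idea from the reply, written out as a small POSIX shell script. This is an added example, not code from the original post or from nmap; it assumes nmap is installed on a second machine that scans the host from the outside (so a rootkit hiding a listener from local tools cannot hide it from the network), that $STATE_DIR is writable, and that cron's MAILTO delivers whatever the script prints. Rather than diffing raw nmap output (whose timing banners change every run), it reduces the grepable (-oG) report to one "port/proto service" line per open port before comparing.

```shell
#!/bin/sh
# portwatch.sh - added example, not from the original post.
# Keep a daily record of which ports a host exposes and report anything
# that changed since the previous run. Assumptions: nmap is installed,
# $STATE_DIR is writable, and cron's MAILTO mails any output.
export LC_ALL=C                      # consistent ordering for sort and comm
STATE_DIR="${STATE_DIR:-$HOME/.portwatch}"

# normalize_scan: read an nmap grepable (-oG) report on stdin and emit one
# sorted "port/proto service" line per OPEN port. A -oG host line looks like:
#   Host: 192.0.2.10 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
# Comment and "Status: Up" lines carry no ports and are dropped.
normalize_scan() {
    sed -n 's/^Host: [^ ]* ([^)]*)[[:space:]]*Ports: //p' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//' |
    awk -F/ '$2 == "open" { print $1 "/" $3 " " $5 }' |
    sort
}

# scan_diff PREV CUR: print ports that disappeared ("- ") and ports that
# appeared ("+ ") between two normalized snapshots. Empty output = no change.
scan_diff() {
    comm -23 "$1" "$2" | sed 's/^/- /'
    comm -13 "$1" "$2" | sed 's/^/+ /'
}

# watch_host HOST: scan every TCP port (-p-, not just nmap's default top
# 1000), compare with the stored snapshot, then rotate the snapshot.
watch_host() {
    host=$1
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/$host.cur"
    prev="$STATE_DIR/$host.prev"
    nmap -sT -p- -oG - "$host" | normalize_scan > "$cur"
    if [ -f "$prev" ]; then
        scan_diff "$prev" "$cur"
    fi
    mv "$cur" "$prev"
}

# Run directly from cron as:  portwatch.sh --scan www.example.org
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$1" = "--scan" ] && [ -n "$2" ]; then
    watch_host "$2"
fi
```

Run it from a cron entry on the scanning box with MAILTO set; cron only sends mail when there is output, so a quiet night produces nothing and a new "+ 6667/tcp irc" line arrives in your inbox. Ports that nmap reports as filtered or open|filtered are ignored here on purpose, since they flip with firewall state and would generate noise.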