On Sun, 7 Jan 2001, Scott Skrogstad wrote:

> If I have been hacked?  Someone sent me mail and said that someone used a
> machine on my network to launch an attack on them.  But how do I tell?

There is no simple, easy way to tell. Computer security is all about
knowing your systems well, investigating any suspicious activity, frequent
security audits, and regular comprehensive audits. If you are serious
about security, also having external audits every year or two is a good
idea. I know this doesn't really answer your question, but I really need
to point out that there are no shortcuts in security.

First thing you should do is change all passwords. You should also
suspend the use of any privileged keys that could have been compromised
until you can establish that the system wasn't hacked.

If you have an IDS like TripWire, it probably has a record of anything
unusual. You should check there first. If you don't use an IDS then you
should at least run 'rpm -ya' which will report any files that have
changed since you installed RedHat.

You should scour your logs, your configuration files, your process list,
your network connections, and check your filesystem for anything out of
the ordinary. Network connections to hosts you don't recognize or
processes that you don't recognize are a sure sign of bad things, but good
root kits commonly replace ps and netstat to hide this. Check your
filesystem for unusual directories (like '. ' or '.. ').

This should get you started at least. Be paranoid.

thornton
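Two of the checks in the reply above, as an added example that is not part of the original post: a scan for the '. ' and '.. ' style directory names it mentions, and a package-file verification using rpm's verify mode. The search roots and the --run switch are assumptions; a POSIX sh with find and grep is all it needs.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for the directory names the
# reply warns about, such as '. ' and '.. ', which blend into an "ls -la" listing.
# Any directory whose basename consists only of dots and spaces is reported.
# Assumptions: POSIX sh with find and grep; search roots are supplied by the caller.

find_odd_dirs() {
    # One root per argument, e.g. find_odd_dirs /usr /tmp /var /home
    # -type d restricts to directories; the grep keeps basenames made only of
    # dots and spaces ('.' and '..' themselves are never emitted by find).
    find "$@" -type d 2>/dev/null | grep -E '/[. ]+$'
}

# Verify installed package files against the RPM database when rpm is present.
# Output lines flagging a changed size (S), mode (M), checksum (5) or owner (U)
# on a binary such as ps or netstat deserve a close look, since the reply notes
# that rootkits replace those tools to hide processes and connections.
verify_rpm_files() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va
    else
        echo "rpm not found; skipping package verification" >&2
    fi
}

# The default roots below are an assumption; adjust them for your own layout.
if [ "${1:-}" = "--run" ]; then
    find_odd_dirs /usr /tmp /var /home /dev
    verify_rpm_files
fi
```

find_odd_dirs exits non-zero when nothing matches, so it can be used directly in an if test or a cron job that mails only on a hit.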



_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list