SGWHT Veteran Member
Join Date: 07-02-2003
Before the checklist, my advice is:
- Don't wait to be hacked! Use the various HOW-TOs here to secure your box from day one.
- Don't think of security as something you need to do after the fact; security must be your hourly/daily mindset.
Now, there's a lot of stuff on this subject, but to start off with, this section from the Red Hat Linux Guide is a good place to start.
The first thing an intruder typically does is install a "rootkit". There are many prepackaged rootkits available on the Internet. The rootkit is essentially a script, or set of scripts, that makes quick work of modifying the system so the intruder is in control, and he is well hidden. He does this by installing modified binaries of common system utilities and tampering with log files, or by using special kernel modules that achieve similar results. So common commands like ls may be modified so as to not show where he has his files stored. Clever!
A well designed rootkit can be quite effective. Nothing on the system can really be trusted to provide accurate feedback. Nothing! But sometimes the modifications are not as smooth as intended and give hints that something is not right. Some things that might be warning signs:
This will look for any "immutable" files in root's PATH, which is almost surely a sign of trouble since no standard distributions ship files in this state. If the above command turns up anything at all, then plan on completely restoring the system (see below). A quick sanity check:
This is just to verify the system is not tampered with to the point that lsattr is completely unreliable. The third line is exactly what you should see.
Sometimes the intruder is not so smart and forgets about root's .bash_history, or cleaning up log entries, or even leaves strange leftover files in /tmp. So these should always be checked too. Just don't necessarily expect them to be accurate. Often such left-behind files or log entries will have obvious script-kiddie-sounding names, e.g. "r00t.sh".
Interpreting sniffer output is probably beyond the grasp of the average new user.
As mentioned, a compromised system will undoubtedly have altered system binaries, and the output of system utilities is not to be trusted. Nothing on the system can be relied upon to be telling you the whole truth. Re-installing individual packages may or may not help, since it could be system libraries or kernel modules that are doing the dirty work. The point here is that there is no way to know with absolute certainty exactly what components have been altered.
You can use rpm -Va | less to attempt to verify the integrity of all packages. But again there is no assurance that rpm itself has not been tampered with, or the system components that RPM relies on.
If you have pstree on your system, try this instead of the standard ps. Sometimes the script kiddies forget about this one. No guarantees, though, that this is accurate either.
You can also try querying the /proc filesystem,which contains everything the kernel knows about processes that are running:
This will provide a list of all processes and PID numbers (assuming a malicious kernel module is not hiding this).
Another approach is to visit http://www.chkrootkit.org,download their rootkit checker,and see what it says.
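As an added example (this is not code from the post above or from the Red Hat guide it quotes), here are the three checks the post describes as POSIX shell functions: immutable/append-only files in root's PATH, PIDs visible in /proc but not in ps, and the lines of rpm -Va that actually matter. Each function reads tool output on stdin, so it can be run live or fed output that was captured from the suspect box and copied to a trusted one. Function names are mine, the sample lines are constructed rather than taken from a real incident, and the output formats assumed are those of e2fsprogs lsattr, procps ps and rpm -V. Remember the post's own caveat: on a compromised host awk, ps, rpm and lsattr themselves may be trojaned, so run these from statically linked tools or boot media where possible.

```shell
#!/bin/sh
# Added example (not from the original post): post-compromise triage checks.
# Each check is a function over lines on stdin so it works on live tool
# output or on captured output. Sample data in the usage notes is constructed.
LC_ALL=C
export LC_ALL

# --- Check 1: immutable (i) or append-only (a) files in root's PATH ---------
# Input: lines as printed by `lsattr -d`, e.g. "----i--------e-- /bin/ls".
# Output: "<flag> <path>" for every entry carrying 'i' or 'a'. A stock
# distribution ships nothing in root's PATH with either flag set.
flag_immutable() {
    awk '$1 ~ /i/ { print "i", $2; next }
         $1 ~ /a/ { print "a", $2 }'
}

# Live variant: walk every directory of a PATH string (default: current $PATH).
scan_path_attrs() {
    printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] && lsattr -d "$dir"/* 2>/dev/null || true
    done | flag_immutable
}

# --- Check 2: PIDs present in /proc but missing from ps ---------------------
# A PID the kernel exposes in /proc but ps does not list is either a race
# (the process exited between the two listings) or something hiding from a
# trojaned ps. Re-run the comparison; a PID that stays hidden is the latter.
list_proc_pids() {
    # Enumerate /proc directly instead of trusting ps. Output is sorted
    # lexically because comm(1) requires that ordering.
    for p in /proc/[0-9]*; do
        printf '%s\n' "${p#/proc/}"
    done | sort
}

list_ps_pids() {
    ps -eo pid= | tr -d ' ' | sort
}

# Args: two files holding lexically sorted PID lists (proc first, ps second).
# Prints PIDs found only in the first list.
hidden_pids() {
    comm -23 "$1" "$2"
}

# --- Check 3: rpm -Va lines worth acting on ---------------------------------
# rpm -Va prints a 9-character test string (S size, M mode, 5 digest, D, L,
# U, G, T mtime, P), an optional file-type marker (c = config, d = doc, ...)
# and the path. Config files change legitimately and a lone mtime (T) change
# is noise; a size or digest change, or a missing file, under /bin, /sbin,
# /lib or their /usr counterparts is what a trojaned binary looks like.
suspicious_rpm_changes() {
    awk -v sys='^/(usr/)?(s?bin|lib)' '
        { path = ($2 ~ /^\//) ? $2 : $3 }
        $2 == "c" || path !~ sys { next }
        $1 == "missing"          { print "missing", path; next }
        $1 ~ /[S5]/              { print path }'
}

# --- Live driver ------------------------------------------------------------
run_live() {
    echo "== immutable/append-only files in root's PATH =="
    scan_path_attrs "/sbin:/bin:/usr/sbin:/usr/bin"
    if command -v ps >/dev/null 2>&1; then
        echo "== PIDs in /proc that ps does not show (re-run to rule out races) =="
        a=$(mktemp); b=$(mktemp)
        list_proc_pids > "$a"; list_ps_pids > "$b"
        hidden_pids "$a" "$b"
        rm -f "$a" "$b"
    fi
    if command -v rpm >/dev/null 2>&1; then
        echo "== rpm -Va: system files missing or with size/digest changes =="
        rpm -Va 2>/dev/null | suspicious_rpm_changes
    fi
}

# Usage: sh rootkit_triage.sh --live
# Or source the file and pipe saved output into a check, e.g.
#   suspicious_rpm_changes < rpm-Va-from-suspect-box.txt
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Treat any hit from the first check, or a PID that stays hidden across two runs of the second, the way the post says: plan on a full restore rather than patching individual files, since the check only proves the box is lying to you, not how much.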