Simple and Basic Tips and Tricks: How to tell if your Linux box been cracked

Bruce F Lucca lucca at Buffalo.com
Mon Oct 15 20:51:15 EDT 2001 

HOW TO TELL IF YOUR LINUX BOX HAS BEEN CRACKED
(Source: LinuxWorld.com) Tips and tricks script kiddies use
to hide themselves when they break into your Linux machine.
<http://www.idg.net/go.cgi?id=572694>
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|

How to tell if your Linux box been cracked

Tips and tricks script kiddies use to hide themselves
when they break into your Linux machine.

Summary
The smart security question to ask yourself is,
'Is everything normal?' A common trick
crackers use is to replace the ps command.
How to detect 'root kits.' (850 words)

By Joshua Drake

(LinuxWorld) -- Over the last two weeks, I've discussed how to prevent
crackers from gaining access to your Linux computer 
(see 10 minutes to an iptables-based Linux firewall 
<http://www.linuxworld.com/site-stories/2001/0920.ipchains.html>

and 

how to stop crackers with PortSentry). 
<http://www.linuxworld.com/site-stories/2001/1002.portsentry.html>

This week, we continue the series with ways you can tell if
someone has cracked your machine.

Script kiddie are the worse kinds of crackers, primarily because there are
so many of them and most of them are unskilled. It is one thing to be
cracked when you have put in all the correct patches, have a tested
firewall, and run advanced intrusion detection actively on multiple levels.
It is another when you are cracked because you were lazy and didn't, for
example, install the latest patch to BIND.

It's embarrassing to be cracked because you weren't paying attention.
It's aggravating to realize that some script kiddie downloaded one of
many well known "root kits" or publicly available exploits, and is having a
party with your CPU, storage, data, and bandwidth. How do these villains
get started? With "warez," which often consists of a root kit.

A root kit is a software package that a cracker uses to provide himself
(and it's usually a "he") with root-level access on your machine. Once the
cracker has root access on your machine, it is all over. The only method
of recourse that is truly effective is to back up your data, wipe the disks,
and reinstall the operating system. However, it is not always easy to
discover that someone has taken over your machine.

Can you trust your ps command?

The first trick in finding a root kit would is to run the command ps.
Chances are that everything will look normal to you. Here is an example
ps output:

PID TTY      STAT   TIME COMMAND
1 ?        S      0:05 init
2 ?        SW     0:00 [kflushd]
3 ?        SW     0:00 [kupdate]
4 ?        SW     0:00 [kswapd]
5 ?        SW     0:00 [keventd]
6 ?        SW     0:00 [mdrecoveryd]
2655 ?        S      0:01 syslogd -m 0
2664 ?        S      0:00 klogd
2678 ?        S      0:01 identd -e -o
2685 ?        S      0:02 identd -e -o
2686 ?        S      0:56 identd -e -o
2688 ?        S      0:55 identd -e -o
2690 ?        S      0:01 identd -e -o
2696 ?        S      0:00 /usr/sbin/atd
2710 ?        S      0:00 crond
2724 ?        S      0:00 inetd
[...]

The real question is, however, "Is everything actually normal?" A common
trick that a cracker will use is to replace the ps command. The replaced
version will mask illicit programs running on your machine. To test this,
check the size of your ps application. It is usually located in /bin/ps. On
our Linux machines it is about 60 kilobytes. I recently encountered a root
kit that had replaced the ps program. The compromised ps from the root
kit was only 12 kilobytes in size.

Another obvious trick is the linking of root's command history file to
/dev/null. The command history file is used to track and log commands
that are issued by a user when they log into a Linux machine. Crackers
will redirect your history file to /dev/null so that you can not see what
commands they were typing.

You can access your history file by typing history at your shell prompt. If
you find yourself using the history command, and it does not display any
previously used commands, take a look at your ~/.bash_history file. If the
file is empty, perform a ls -l ~/.bash_history. When you perform the previous
command you should see something similar to the following:

-rw-------    1 jd   jd   13829 Oct 10 17:06 /home/jd/.bash_history

However, you may see something like this:

lrwxrwxrwx    1 jd   jd   9 Oct 10 19:40 /home/jd/.bash_history -> /dev/null

If you see the above, the .bash_history file has been redirected to
/dev/null. This is a dead giveaway. Take your machine off the Internet
now, back up your data (if you can), and begin a reinstallation.

Look for unknown user accounts

While you are playing detective on your Linux machine, it is always smart
to check for unknown user accounts. The next time you log into your
Linux box, type the following command:

grep :x:0: /etc/passwd

The only line, I repeat, the only line that the grep command should return
on a standard Linux installation is something similar to the following:

root:x:0:0:root:/root:/bin/bash

If your system returns more than one line with the previous grep
command, you may have a problem. There should only be one user with
the UID of 0 and if that grep command returns more than one line, you
have more than one.

Finally, the quickest and easiest way to know if you have been cracked is
to check and see if are running IIS.

Seriously, though these are all good basics to know about the nature of
the script kiddie, these tricks will not in and of themselves make up for
good security, and they do not even touch on the depth in which we can
go into the topic of intrusion detection.

My suggestion is that if you suspect a real problem, call a Linux security
professional and get references. Linux security is not a 10-minute job.

Also, study the resources listed below. Network World Fusion, for
example, recently conducted a comparative review of 42 hardware and
software-based intrusion-detection tools, many of which work with Linux.

About the author
Joshua Drake is the co-founder of Command Prompt, Inc.,
<http://www.commandprompt.com/>
a PostgreSQL and Linux custom development company. He is also
the current author of the Linux Networking HOWTO, Linux PPP
HOWTO, and Linux Consultants HOWTO. 

His most demanding project at this time is a new PostgreSQL book 
for O'Reilly, Practical PostgreSQL.
<http://stage.linuxports.com/projects/postgres/book1.htm>
    |-=-=-=-=-=-=-=-=-=-=-<-30->-=-=-=-=-=-=-=-=-=-=-|

More information about the nflug mailing list