Fwd: Simple and Basic Tips and Tricks: How to tell if your Linux box been cracked

Robert Romito robromito at yahoo.com
Wed Oct 17 15:57:46 EDT 2001


I read the related article by Joshua titled "10 minutes to an iptables-based
Linux firewall".  His suggestion for building a simple, secure iptables ruleset
was interesting.  The suggestion is that dropping all inbound SYN packets will
give you a simple, yet secure firewall:

/sbin/iptables -A INPUT -p tcp --syn -j DROP

I'm interested in opinions on how secure this simple ruleset is.  If you don't
offer any services on your Linux server, will this simple ruleset adequately
secure your system from inbound attacks?  It looks secure to me, but I'm not a
security expert.

--- Bruce F Lucca <lucca at Buffalo.com> wrote:
> Date: Mon, 15 Oct 2001 20:51:15 -0400
> To: "Niagara Frontier Linux Users' Group" <nflug at nflug.org>
> From: Bruce F Lucca <lucca at Buffalo.com>
> Subject: Simple and Basic Tips and Tricks: How to tell if your Linux
>   box been cracked
> CC: Devon Null <devnull at butcherfamily.com>
> Reply-to: nflug at nflug.org
> 
> HOW TO TELL IF YOUR LINUX BOX HAS BEEN CRACKED
> (Source: LinuxWorld.com) Tips and tricks script kiddies use
> to hide themselves when they break into your Linux machine.
> <http://www.idg.net/go.cgi?id=572694>
> |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
> 
> How to tell if your Linux box been cracked
> 
> Tips and tricks script kiddies use to hide themselves
> when they break into your Linux machine.
> 
> Summary
> The smart security question to ask yourself is,
> 'Is everything normal?' A common trick
> crackers use is to replace the ps command.
> How to detect 'root kits.' (850 words)
> 
> By Joshua Drake
> 
> (LinuxWorld) -- Over the last two weeks, I've discussed how to prevent
> crackers from gaining access to your Linux computer 
> (see 10 minutes to an iptables-based Linux firewall 
> <http://www.linuxworld.com/site-stories/2001/0920.ipchains.html>
> 
> and 
> 
> how to stop crackers with PortSentry). 
> <http://www.linuxworld.com/site-stories/2001/1002.portsentry.html>
> 
> This week, we continue the series with ways you can tell if
> someone has cracked your machine.
> 
> Script kiddies are the worst kinds of crackers, primarily because there are
> so many of them and most of them are unskilled. It is one thing to be
> cracked when you have put in all the correct patches, have a tested
> firewall, and run advanced intrusion detection actively on multiple levels.
> It is another when you are cracked because you were lazy and didn't, for
> example, install the latest patch to BIND.
> 
> It's embarrassing to be cracked because you weren't paying attention.
> It's aggravating to realize that some script kiddie downloaded one of
> many well known "root kits" or publicly available exploits, and is having a
> party with your CPU, storage, data, and bandwidth. How do these villains
> get started? With "warez," which often consists of a root kit.
> 
> A root kit is a software package that a cracker uses to provide himself
> (and it's usually a "he") with root-level access on your machine. Once the
> cracker has root access on your machine, it is all over. The only method
> of recourse that is truly effective is to back up your data, wipe the disks,
> and reinstall the operating system. However, it is not always easy to
> discover that someone has taken over your machine.
> 
> Can you trust your ps command?
> 
> The first trick in finding a root kit is to run the command ps.
> Chances are that everything will look normal to you. Here is an example
> ps output:
> 
> PID TTY      STAT   TIME COMMAND
> 1 ?        S      0:05 init
> 2 ?        SW     0:00 [kflushd]
> 3 ?        SW     0:00 [kupdate]
> 4 ?        SW     0:00 [kswapd]
> 5 ?        SW     0:00 [keventd]
> 6 ?        SW     0:00 [mdrecoveryd]
> 2655 ?        S      0:01 syslogd -m 0
> 2664 ?        S      0:00 klogd
> 2678 ?        S      0:01 identd -e -o
> 2685 ?        S      0:02 identd -e -o
> 2686 ?        S      0:56 identd -e -o
> 2688 ?        S      0:55 identd -e -o
> 2690 ?        S      0:01 identd -e -o
> 2696 ?        S      0:00 /usr/sbin/atd
> 2710 ?        S      0:00 crond
> 2724 ?        S      0:00 inetd
> [...]
> 
> The real question is, however, "Is everything actually normal?" A common
> trick that a cracker will use is to replace the ps command. The replaced
> version will mask illicit programs running on your machine. To test this,
> check the size of your ps application. It is usually located in /bin/ps. On
> our Linux machines it is about 60 kilobytes. I recently encountered a root
> kit that had replaced the ps program. The compromised ps from the root
> kit was only 12 kilobytes in size.
> 
> Another obvious trick is the linking of root's command history file to
> /dev/null. The command history file is used to track and log commands
> that are issued by a user when they log into a Linux machine. Crackers
> will redirect your history file to /dev/null so that you can not see what
> commands they were typing.
> 
> You can access your history file by typing history at your shell prompt. If
> you find yourself using the history command, and it does not display any
> previously used commands, take a look at your ~/.bash_history file. If the
> file is empty, perform a ls -l ~/.bash_history. When you perform the previous
> command you should see something similar to the following:
> 
> -rw-------    1 jd   jd   13829 Oct 10 17:06 /home/jd/.bash_history
> 
> However, you may see something like this:
> 
> lrwxrwxrwx    1 jd   jd   9 Oct 10 19:40 /home/jd/.bash_history -> /dev/null
> 
> If you see the above, the .bash_history file has been redirected to
> /dev/null. This is a dead giveaway. Take your machine off the Internet
> now, back up your data (if you can), and begin a reinstallation.
> 
> Look for unknown user accounts
> 
> While you are playing detective on your Linux machine, it is always smart
> to check for unknown user accounts. The next time you log into your
> Linux box, type the following command:
> 
> grep :x:0: /etc/passwd
> 
> The only line, I repeat, the only line that the grep command should return
> on a standard Linux installation is something similar to the following:
> 
> root:x:0:0:root:/root:/bin/bash
> 
> If your system returns more than one line with the previous grep
> command, you may have a problem. There should only be one user with
> the UID of 0 and if that grep command returns more than one line, you
> have more than one.
> 
> Finally, the quickest and easiest way to know if you have been cracked is
> to check and see if you are running IIS.
> 
> Seriously, though these are all good basics to know about the nature of
> the script kiddie, these tricks will not in and of themselves make up for
> good security, and they do not even touch on the depth in which we can
> go into the topic of intrusion detection.
> 
> My suggestion is that if you suspect a real problem, call a Linux security
> professional and get references. Linux security is not a 10-minute job.
> 
> Also, study the resources listed below. Network World Fusion, for
> example, recently conducted a comparative review of 42 hardware and
> software-based intrusion-detection tools, many of which work with Linux.
> 
> About the author
> Joshua Drake is the co-founder of Command Prompt, Inc.,
> <http://www.commandprompt.com/>
> a PostgreSQL and Linux custom development company. He is also
> the current author of the Linux Networking HOWTO, Linux PPP
> HOWTO, and Linux Consultants HOWTO. 
> 
> His most demanding project at this time is a new PostgreSQL book 
> for O'Reilly, Practical PostgreSQL.
> <http://stage.linuxports.com/projects/postgres/book1.htm>
>     |-=-=-=-=-=-=-=-=-=-=-<-30->-=-=-=-=-=-=-=-=-=-=-|
> 
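The three checks Drake walks through (extra UID-0 accounts, a history file linked to /dev/null, an undersized ps binary), as an added example that is not code from the article or from the list post. The functions take a path so they can be run against the constructed sample below; the 40000-byte floor for ps is an assumption drawn from his "about 60 kilobytes" figure, and the sample accounts are made up.

```sh
#!/bin/sh
# Added example, not code from the article or the list post: Drake's three
# checks as functions that take a path, so they can be run against the
# constructed sample below instead of the live system.

# Number of passwd entries with UID 0; a standard install has exactly one.
count_uid0() {                      # $1 = passwd file
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# True (exit 0) when the history file is a symlink pointing at /dev/null.
history_to_devnull() {              # $1 = history file
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# True when a binary is smaller than the expected minimum size in bytes.
# Drake's ps was about 60 KB and the root-kit replacement 12 KB, so the
# 40000-byte floor used below is an assumption, not a value from the article.
binary_too_small() {                # $1 = path, $2 = minimum size in bytes
    [ "$(wc -c < "$1" | tr -d ' ')" -lt "$2" ]
}

# Constructed sample: a passwd file with a second UID-0 account, a history
# file linked to /dev/null and a tiny stand-in for /bin/ps.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jd:x:500:500:Joshua:/home/jd:/bin/bash
toor:x:0:0:added by intruder:/:/bin/sh
EOF
    ln -s /dev/null "$tmp/.bash_history"
    printf 'not a real ps' > "$tmp/ps"

    n=$(count_uid0 "$tmp/passwd")
    [ "$n" -gt 1 ] && echo "WARNING: $n accounts with UID 0 (expected 1)"
    history_to_devnull "$tmp/.bash_history" && echo "WARNING: history -> /dev/null"
    binary_too_small "$tmp/ps" 40000 && echo "WARNING: ps smaller than expected"
    rm -rf "$tmp"
}

demo
```

On a real host the same functions would be pointed at /etc/passwd, ~/.bash_history and /bin/ps; the size check only catches a crude replacement, since a trojaned ps can be padded to the original size.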




