[NTLUG:Discuss] crack autopsy

sdenny sdenny at hex.net
Fri Aug 27 02:43:40 CDT 1999


If you use RPMs, there are options (which escape me at the
moment) to verify all the files that rpm installs, and flag the
ones that have changed.

It's rather easy to take a look at the list and know which ones in
/etc you have edited, and which ones (particularly binaries)
should not have changed.  It's not foolproof, but it's a really
decent way to start looking at a compromised box.

As for /etc, I like the emacs feature to display by date.  That way
the last ones edited are at the top and it's easy to spot files/dates
that shouldn't be there.

Others have already suggested looking at the inetd.conf.

Also, you might just do a ps axuw and see what is running that
you might not recognize.

After you've got everything cleaned up to your satisfaction,
make syslog log to another box, and set up tripwire to help you
next time it happens, and it will.

Finally, it's likely the two IPs you see are from already
compromised boxes and you are not being attacked by their owners,
but it's worth checking out with their appropriate network
operators.

Regards,

Stephen Denny                                 mailto:sdenny at hex.net
Hex.Net Superhighway                             http://www.hex.net
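The rpm verification step above, as an added example that is not part of the original post: a small POSIX sh helper that reads the output of `rpm -Va` (verify every installed package) and sorts it into config files you may have edited yourself, non-config files (binaries) whose size or checksum differ, and files that have gone missing. The sample lines in `SAMPLE_RPM_V` are constructed to look like rpm -V output, not captured from any real box; the function names `classify_rpm_verify` and `suspicious_paths` are this example's own.

```shell
#!/bin/sh
# Triage helper for `rpm -Va` output. Added example, not code from the
# original post. SAMPLE_RPM_V is CONSTRUCTED to resemble rpm -V output;
# on a real box you would run
#   rpm -Va 2>/dev/null | classify_rpm_verify
# instead of feeding it the sample.
#
# rpm -V line layout: an attribute column (S size, M mode, 5 md5, D device,
# L link, U user, G group, T mtime; "." = unchanged; "missing" = file gone),
# an optional file-type letter (c = config file), then the path.

SAMPLE_RPM_V='S.5....T  c /etc/inetd.conf
.......T  c /etc/passwd
S.5....T    /bin/ps
S.5....T    /bin/netstat
missing     /sbin/ifconfig
..5....T  c /etc/syslog.conf
.M.....T    /usr/bin/passwd'

# classify_rpm_verify: read rpm -V lines on stdin, print "<CLASS> <path>":
#   MISSING         a file the package installed is gone
#   BINARY-CHANGED  non-config file whose size or checksum differs (look first)
#   CONFIG-CHANGED  config file with different content (compare with your edits)
#   ATTR-ONLY       only mode/owner/group/mtime differs (lower priority)
classify_rpm_verify() {
    while read -r attrs second rest; do
        [ -z "$attrs" ] && continue
        # Second field is a file-type letter only when it is a single c/d/g/l/r.
        case "$second" in
            c|d|g|l|r) ftype="$second"; path="$rest" ;;
            *)         ftype="";        path="$second${rest:+ $rest}" ;;
        esac
        if [ "$attrs" = "missing" ]; then
            echo "MISSING $path"
        else
            case "$attrs" in
                *5*|*S*)
                    if [ "$ftype" = "c" ]; then
                        echo "CONFIG-CHANGED $path"
                    else
                        echo "BINARY-CHANGED $path"
                    fi ;;
                *) echo "ATTR-ONLY $path" ;;
            esac
        fi
    done
}

# suspicious_paths: only the paths an admin should inspect first.
suspicious_paths() {
    classify_rpm_verify | while read -r class path; do
        case "$class" in
            BINARY-CHANGED|MISSING) echo "$path" ;;
        esac
    done
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_RPM_V" | classify_rpm_verify
```

A changed `/bin/ps` or `/bin/netstat` is exactly the kind of hit the post warns about: a trojaned `ps` hides the processes you would otherwise spot with `ps axuw`, so check rpm's verdict on those tools before trusting their output. Remember rpm's own database lives on the same disk, so a clean verify is a good start, not proof; that is why the post goes on to recommend remote syslog and tripwire.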