[NTLUG:Discuss] Have I been Hacked?

Tom Woody woody at nfri.com
Mon Apr 1 17:57:30 CST 2002


Just to be safe, I would make a floppy disk with "clean" versions of ifconfig, netstat, ls, ps, du, then check the file sizes, make sure you don't have any crazy stuff bound to your network card, etc.  Also the clean ps will show any processes that shouldn't be running.  That is the only way to find out if you have been compromised. The clean du will be useful in finding if there are any hidden directories (esp. in /dev, i.e. /dev/tttyXX, or your generic ... directories).

If the machine was compromised by someone, it was either done by a very poor rootkit or a script kiddie who doesn't know up from down.  The machines that I found rooted (ps wouldn't show anything out of the ordinary, because it was trojaned).  Another thing to do, if you have another machine, is to scan it with Nmap; the more popular ports for a rootkit show up as such with nmap.

When I started working where I am now, 3 machines had been rooted; it was a good learning tool to go through and find the points of entry and what was done (one was being used as a warez dropoff).

On Mon, 01 Apr 2002 06:53:05 -0600
Jason Ferguson <jferg3 at swbell.net> wrote:

> So, I'm sitting at my system before heading to work this morning and for
> some reason, the hard drive is running (and all I'm doing is looking at a
> website). So, either konqueror has a nasty memory leak (wouldn't surprise
> me) or something weird is going on.
> 
> A top showed that "find" was running, which seemed odd. A "ps ax" showed
> several things that may or may not have been legit, but two things
> jumped out at me:
> 
> 
> 13485 ?        S      0:00 /USR/SBIN/CRON
> 21211 ?        R      0:00 find / -xdev ( -false ) -prune -o ( -type f
> -perm +06000 -o ( ( -type b -o -type c ) -a -not ( -false ) ) ) -printf
> %8i %5m %3n %-10u %-10g %9s %t %h/%f?n
> 
> The first one: why the capital letters? Never seen them before.
> The second: wtf is this command trying to do?
> 
> I suspect I opened a hole last week by opening the Xwindows ports so I
> could do an xhost +localhost to let root run applications. But a quick
> check of some of the programs that a rootkit would replace, i.e. ps and
> netstat, shows they aren't small (ps is about 58k and netstat is nearly
> 87k).
> 
> Thanks,
> 
> Jason
> 


-- 
Tom Woody
Systems Administrator
NationWide Flood Research, Inc.
phone: 214-631-0400 x209
  fax: 214-631-0800

If you have any trouble sounding condescending,
find a Unix user to show you how it's done.
		--Scott Adams
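The two checks Tom describes above, comparing live binaries against known-clean copies and looking for oddly named hiding directories such as /dev/... or /dev/tttyXX, as an added example script that is not part of the original list post. The directory paths (a mounted floppy of clean binaries at one path, the live /bin and /sbin at another) are assumptions and are passed in as arguments; the odd-name patterns are taken from the reply above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes CLEAN_DIR holds clean
# copies of ifconfig, netstat, ls, ps, du (e.g. a mounted floppy) and
# LIVE_DIR is the directory on the possibly-compromised box to check.

# Print one line per binary whose size or CRC differs from the clean copy,
# or which is missing from the live system. Silent when everything matches.
# Usage: compare_binaries CLEAN_DIR LIVE_DIR
compare_binaries() {
    clean_dir=$1
    live_dir=$2
    for ref in "$clean_dir"/*; do
        [ -f "$ref" ] || continue
        name=$(basename "$ref")
        live="$live_dir/$name"
        if [ ! -f "$live" ]; then
            echo "MISSING $name"
            continue
        fi
        # Size alone is what the original poster checked; a trojaned binary
        # can be padded to the same size, so also compare a checksum.
        ref_size=$(wc -c < "$ref" | tr -d ' ')
        live_size=$(wc -c < "$live" | tr -d ' ')
        ref_sum=$(cksum < "$ref" | cut -d' ' -f1)
        live_sum=$(cksum < "$live" | cut -d' ' -f1)
        if [ "$ref_size" != "$live_size" ] || [ "$ref_sum" != "$live_sum" ]; then
            echo "MODIFIED $name clean=${ref_size}B/crc=${ref_sum} live=${live_size}B/crc=${live_sum}"
        fi
    done
}

# List directories with names that are all dots, start with a space or
# ". ", or mimic a device name like tttyXX: the hiding spots mentioned in
# the reply above. Run it with the clean find/ls on the floppy, not the
# system's own, since those may be trojaned too.
# Usage: find_odd_dirs DIR
find_odd_dirs() {
    find "$1" -type d \( -name '...*' -o -name '. *' -o -name ' *' -o -name 'ttty*' \) 2>/dev/null
}

# Example invocation (paths are assumptions):
#   compare_binaries /mnt/floppy/bin /bin
#   find_odd_dirs /dev
```

Run both functions with the binaries on the floppy in the PATH first (for example `PATH=/mnt/floppy/bin:$PATH`) so that the `find`, `wc` and `cksum` doing the checking are themselves trusted.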

