break-in, help needed


/var/log/secure shows some successful break-in attempts from various
places. I've changed passwords and enabled TCP Wrapper.

Is there a way to know if something was altered? My only idea was to
list bin directories, check the dates and see if they match the dates in
/var/log/secure. Do yum or rpm provide a way to compare installed files
to the packages in fedora repos?

Any other ideas?

Ezequiel Birman

Re: break-in, help needed



Yes, zero the hard drives and start over, you have no idea
what's been compromised.


Re: break-in, help needed

On Mon, 02 Aug 2010 00:37:38 -0300, Ezequiel Birman wrote:

How about email passwords. :(


Yes, clean install on another system, install cracked hard drive in new system,
compare all files on new system with files found on cracked disk.


Do you think that will find any additional malware installed on the
system, say something like a root kit?

Any good malware would reset dates back to original values.


First, unplug your system from the internet. Your machine is a menace to
society and to you until it's cleaned up.

Here is why you need a FORMAT and clean install when your box IS cracked.
4th paragraph.

Think about that paragraph.
You cannot use ANY of your pc's utilities to see if your box is cracked
and find what additional files are installed.

You may want to consider installing something like or tripwire.

Re: break-in, help needed


Only if you also notice any _added_ files on your "cracked disk".
In typical modern linux distributions there are lots of directories into
which you can add files which will get executed in various ways, so as to
avoid modifying any distribution files so as to escape the standard MD5
tampering detection.

Some examples:
    /etc/cron.d, cron.daily, etc

Obviously, it's less effort to do a wipe and reinstall.

But you probably preserve your home directory.  So you have to look for trojan
horses there too!  In any file you ever execute, which is everything with any
kind of code in it, including all programs but also .bashrc and so on.
And if your text file saying "how to recover from a root compromise" says
"don't worry about it", that is also untrustworthy.

Re: break-in, help needed

On 2 Aug 2010 12:41:28 GMT, Alan J Rosenthal wrote:

That is why you compare files from cracked disk to new install.

File not found on new install would have to be investigated.
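
A worked version of the compare-against-a-clean-install approach from the two posts above, added here as an example and not part of the thread. It assumes the fresh install and the cracked disk are mounted at two directories (called clean and cracked below) and that it is run from the clean system with the clean system's tools; the sample trees it is exercised on are constructed. It compares content hashes rather than timestamps, so the objection that malware resets dates does not apply, and files dropped into directories such as /etc/cron.d show up in the "added" list because they exist on the cracked disk only.

```shell
#!/bin/sh
# Added example, not from the thread. Compare a mounted cracked disk
# against a fresh install of the same packages: report files that exist
# only on the cracked disk (additions such as /etc/cron.d drop-ins or a
# setuid binary in /tmp) and files whose content differs. CLEAN and
# CRACKED are wherever the two roots are mounted, e.g. / and /mnt/cracked.
# Run this from the clean system; never trust tools on the cracked disk.
# Paths containing newlines are not handled (one path per line).

# Sorted list of regular files under a root, relative to that root, so
# that the two lists are directly comparable.
file_list() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort )
}

# Files present on the cracked disk but absent from the clean install.
added_files() {
    clean=$1; cracked=$2
    tmp_c=$(mktemp); tmp_k=$(mktemp)
    file_list "$clean"   > "$tmp_c"
    file_list "$cracked" > "$tmp_k"
    # comm -13: suppress lines unique to the first list and lines common
    # to both, leaving only lines unique to the cracked disk.
    LC_ALL=C comm -13 "$tmp_c" "$tmp_k"
    rm -f "$tmp_c" "$tmp_k"
}

# Files present on both roots whose SHA-256 differs. Expect legitimate
# hits for locally edited config files (/etc/passwd, sshd_config, ...);
# a differing binary under /usr/bin or /sbin is the real finding.
changed_files() {
    clean=$1; cracked=$2
    file_list "$clean" | while IFS= read -r f; do
        [ -f "$cracked/$f" ] || continue
        h1=$(sha256sum < "$clean/$f"   | cut -d' ' -f1)
        h2=$(sha256sum < "$cracked/$f" | cut -d' ' -f1)
        [ "$h1" = "$h2" ] || printf '%s\n' "$f"
    done
}

# Usage: ./compare.sh --run /mnt/clean /mnt/cracked   (names assumed)
case "${1-}" in
    --run)
        echo "== files only on the cracked disk =="
        added_files "$2" "$3"
        echo "== files whose content differs =="
        changed_files "$2" "$3"
        ;;
esac
```

Every path in the first list is unexplained by the distribution and has to be accounted for by hand; the second list is long on any real system because of config edits, so sort it by directory and read the /usr, /bin, /sbin and /lib entries first.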

Re: break-in, help needed


Of course - just fire your host based IDS, be it tripwire, lids,
whatever and get it to compare the current file signatures with the
ones you've got stored offline after you installed the machine.

You didn't use a host based IDS?

You have no signatures database?

Well now you've got something else to add to the list after formatting
your hard-disk and reinstalling from scratch.


Re: break-in, help needed


If your system uses an rpm based installation scheme, then it has a
signatures database. However, it is possible that it was altered.
rpm -Va > /tmp/verify
and look for a 5 in the third place. Now many files will have changed
(config files for example). Also new files could have been installed, e.g.
suid root files (I once had a break-in where they put /tmp/banana as an
suid root file onto the system)
find / -perm /06000 -ls
and check all of those files especially carefully (forcing reinstall of
those packages if necessary, checking first that your rpm binaries are

Note if you reinstall and restore your local stuff from backup (/home
for example) you MUST scan those files as well for suid files. It is
little use to reinstall the OS and leave huge root holes lying in the
restored stuff.
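
A script that carries out the triage described in the post above, added as an example and not the poster's own code. It parses saved rpm -Va output for the digest flag (the 5 in the third position), keeps locally edited config files apart from changed binaries, lists files rpm reports as missing, and finds setuid/setgid files under a given root, which is how you scan a restored /home as well as /. The verify file and directory tree it is exercised on are constructed; the --run usage and the triage.sh name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Triage "rpm -Va > /tmp/verify"
# output and hunt setuid/setgid files. Run rpm and find from a known-good
# rescue medium: the installed copies may themselves have been replaced,
# and the rpm database can be edited by whoever has root.

# rpm -V prints a 9-character attribute field, an optional type letter
# (c = config file, d = documentation, ...) and the path. Character 3 is
# the digest test: '5' means the content no longer matches the package.
digest_mismatches() {
    # $1: saved rpm -Va output. Prints non-config paths whose digest
    # changed; a changed binary or library here is a prime suspect.
    awk 'substr($1, 3, 1) == "5" && !(NF >= 3 && $2 == "c") { print $NF }' "$1"
}

config_mismatches() {
    # Config files get a '5' after ordinary local edits; list them
    # separately so they are diffed against the package copy instead of
    # being counted as evidence on their own.
    awk 'substr($1, 3, 1) == "5" && NF >= 3 && $2 == "c" { print $NF }' "$1"
}

missing_files() {
    # Files the package database expects but which are gone, for example
    # a removed log or an audit tool the intruder deleted.
    awk '$1 == "missing" { print $NF }' "$1"
}

setuid_files() {
    # $1: directory to scan (/ on the live system, or the restored /home).
    # POSIX spelling of the thread's "find / -perm /06000"; -xdev stays on
    # one filesystem, so run it once per mount point.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Usage: ./triage.sh --run /tmp/verify /home   (names assumed)
case "${1-}" in
    --run)
        echo "== digest mismatches, non-config =="; digest_mismatches "$2"
        echo "== changed config files ==";          config_mismatches "$2"
        echo "== missing files ==";                 missing_files "$2"
        echo "== setuid/setgid files under $3 =="; setuid_files "$3"
        ;;
esac
```

For each setuid/setgid path the last function prints, ask rpm -qf which package owns it; a file no package claims, like the /tmp/banana in the post, is the strongest signal, and a package-owned one should additionally appear clean in the first list.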
