Linux detection

August 12, 2003 - 4:42 pm 1 Comment

Geektalk alert!

Kenn asked if there was a way to patch against the hacks we’ve gotten. From the reading I did, nobody’s sure how the remote shell trojan gets onto the box. Some have speculated that it’s an ssh exploit. In our case, the mud binary was probably infected, and it got run. I don’t think there’s a patch against the trojan in particular, but here are my tips (I am not a linux guru by a long shot, keep that in mind!):

– Be careful of any binary you run. Make sure it comes from a trusted and clean source.
– Don’t run anything as root that doesn’t need to be. Log in as a regular user and sudo the things that need it.
– Keep a close eye on your /tmp directory. That’s where I found the installed hacks.
– Also keep a close eye on your logs, all of them.
– Also watch your lastlog. One of the mud people noticed that we had a user named “test” who logged on from AOL. He didn’t belong.
– Check 'netstat -l' to see what ports are listening. Make sure there’s nothing listening that shouldn’t be.
– Download and run lsof. It’s a nifty program that tells you what processes are running, what ports they’re listening on, where the program is located, and what user started it.
– Try running 'find / -name ".*" -ls'. This command searches your computer for files that start with a dot, which don’t show up on a normal ls. It will come up with a ton of files, but just check to make sure there’s nothing that looks funny. I kept finding directories called ‘…’
– Run 'ls -lat' in your directories, especially /bin and /sbin, and make sure nothing has been modified recently.
– Take steps to harden your system, such as separate partitions, noexec mounts, denying logins from outside the US (for example), and not running daemons that you don’t actually use.
– And of course make sure all your packages and your kernel are up to date.
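Here is a small audit script that wraps the dot-file and recently-modified checks from the list above so they can be re-run quickly. It is an added example, not something from the original post; the roots, the day threshold and the helper names are my own choices, and lsof is assumed to be installed for the socket check.

```sh
#!/bin/sh
# Added example: re-runnable versions of the checks from the tips above.
# All paths are passed as arguments so the functions can be pointed at
# / on a real box or at a scratch directory when trying them out.

# List dot-named files and directories under the given roots. The trick
# directory named "..." that the post mentions shows up here too.
find_dotfiles() {
    # $@ = roots to search; "." and ".." are never real entries, skip them
    find "$@" -name '.*' ! -name '.' ! -name '..' 2>/dev/null
}

# List regular files modified within the last $1 days under the other args.
# Good for /bin and /sbin, where nothing should change between updates.
find_recent() {
    days="$1"; shift
    find "$@" -type f -mtime "-$days" 2>/dev/null
}

# Count lines on stdin; handy for summarising or asserting on results.
count_lines() {
    wc -l | tr -d ' '
}

# Listening sockets plus the owning process (netstat -l as in the post,
# with -n to skip name lookups; lsof output only if lsof is present).
listening_sockets() {
    netstat -ln 2>/dev/null
    command -v lsof >/dev/null 2>&1 && lsof -i -P -n 2>/dev/null | grep LISTEN
}

# Print a human-readable report: dot entries under $1, files changed in
# the last $2 days under $3, then what is listening.
audit() {
    echo "== dot-named entries under $1 =="
    find_dotfiles "$1" | while read -r f; do ls -ld "$f"; done
    echo "== files modified in the last $2 days under $3 =="
    find_recent "$2" "$3" | while read -r f; do ls -l "$f"; done
    echo "== listening sockets =="
    listening_sockets
}

# Example invocation (run as root to see everything):
#   audit /tmp 7 /bin
```
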

There are tons of websites out there on linux security holes, as well as hardening your box. Glean information from them, and hit up your linuxgeek friends for tips. Just smile and nod when they tell you there’s no such thing as a linux virus.

One Response to “Linux detection”

  1. Carrie Anne Says:

    (Read in the Butthead voice) heh heh she said “harden” and “box”….