Monday, December 11, 2006

How to detect an Intruder???

I think these steps are suitable for you, as a system administrator, to look for several types of break-ins into your system or network and to find out whether your system has been compromised. I also encourage you to check with your vendors every day for any new updates or patches that relate to your systems. First, look for signs that your system may have been compromised.
  • Check your log files for connections from external or unknown locations and for any other unusual activity.
    • E.g.: check your last logins, the logs created by syslog, process accounting records and other security logs.
    • Use netstat -natup to check for illegitimate connections.
  • Look for setuid or setgid files, especially setuid root files, on your systems. Intruders often set the setuid bit on /bin/bash or /bin/time.
    • E.g.: find / -user root -perm -4000 -print
    • or: find / -group kmem -perm -2000 -print
  • Check your system binaries to make sure that they haven't been altered: login, su, telnet, netstat, ifconfig, ls, find, du, df and the other binaries. You can use a rootkit detector such as the chkrootkit tool.
  • Check your systems for unauthorized use of a network monitoring program or packet sniffer. Intruders may use a sniffer to capture your username and password information.
  • Examine all the files that are run by cron. Intruders often leave a backdoor in a cron job to let themselves back onto the system. Verify every file and program referenced by the cron jobs.
  • Check for unauthorized services. Check the /etc/inetd.conf file for unauthorized changes, and also verify that the legitimate services you commented out in that file have not been re-enabled.
  • Examine the /etc/passwd file on the system and check for any modifications to it. Look for unauthorized creation of new accounts, accounts with no password, or UID changes to existing accounts.
  • Check your system and network configuration files for unauthorized entries. Look for additional entries or inappropriate non-local host names in /etc/hosts, /etc/hosts.allow or /etc/hosts.deny.
  • Look for unusual or hidden files, as these can be used to hide tools and information. Examine any file or directory named "...", ".." or ".xx"; an attacker may use such names to hide files.
  • Check all PCs and servers on your network for signs of intrusion.
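The script below is an added example, not code from the original post: it packages the setuid, hidden-file, passwd, inetd, hosts, cron and binary-integrity checks above into small shell functions that take the root of the tree to inspect as an argument, so you can point them at / on a live host or at a mounted disk image. It assumes a Linux box with GNU find, awk, grep and sha256sum. The make_sample_root function builds a constructed sample tree with planted findings (a setuid /bin/time, a "..." directory, a second UID 0 account, an account with an empty password field, an enabled telnet service, a non-local hosts entry and a cron job under /tmp) purely so the checks can be exercised offline; none of those paths or values come from the post. Since step three warns that ls, find and netstat themselves may have been replaced, run these helpers from a known-good copy of the tools (for example a rescue medium) when you suspect a rootkit, and keep the checksum baseline somewhere the host cannot write to.

```shell
#!/bin/sh
# Added example (not from the original post). Every check prints one finding
# per line and prints nothing when the tree looks clean.

# setuid/setgid files: the post's find commands, restricted to regular files.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Hidden names such as "..." or "..x" that a casual ls skips over.
find_hidden_dotnames() {
    find "$1" -name '..?*' -print 2>/dev/null
}

# Binary integrity: record hashes on a known-good system, verify later.
baseline_hashes() {      # usage: baseline_hashes DIR > baseline.txt
    find "$1" -type f -exec sha256sum {} + | sort -k2
}
verify_hashes() {        # usage: verify_hashes baseline.txt  (prints changed files)
    sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' || true
}

# /etc/passwd: extra UID 0 accounts and accounts with an empty password field.
check_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0-account: " $1 }
        $2 == ""                { print "no-password: "  $1 }
    ' "$1"
}

# inetd.conf: services that are still enabled (not commented out).
list_inetd_services() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

# /etc/hosts: anything beyond the loopback entries deserves a look.
check_hosts() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | awk '$1 != "127.0.0.1" && $1 != "::1" { print }'
}

# cron: jobs whose command lives under /tmp, /dev/shm or a dot-named path,
# the usual parking spots for a backdoor.
check_cron() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '(/tmp/|/dev/shm/|/\.[^/ ]+)' || true
}

# CONSTRUCTED sample tree: every planted finding is invented for this demo.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin" "$root/tmp/..." "$root/var/spool/cron"
    printf 'echo hi\n' > "$root/bin/time"; chmod 4755 "$root/bin/time"   # planted setuid
    printf 'echo hi\n' > "$root/bin/ls";   chmod 0755 "$root/bin/ls"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:planted:/:/bin/sh
guest::1001:1001:planted:/home/guest:/bin/sh
EOF
    cat > "$root/etc/inetd.conf" <<'EOF'
#ftp  stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
EOF
    cat > "$root/etc/hosts" <<'EOF'
127.0.0.1 localhost
203.0.113.7 updates.example.net
EOF
    cat > "$root/var/spool/cron/root" <<'EOF'
0 * * * * /usr/bin/updatedb
*/5 * * * * /tmp/.../sync
EOF
    printf '%s\n' "$root"
}

# Run every check against one root and print a labelled report.
audit_root() {
    r=$1
    echo "== setuid/setgid files ==";        find_suid_sgid "$r"
    echo "== hidden dot names ==";           find_hidden_dotnames "$r"
    echo "== passwd anomalies ==";           check_passwd "$r/etc/passwd"
    echo "== enabled inetd services ==";     list_inetd_services "$r/etc/inetd.conf"
    echo "== non-local hosts entries ==";    check_hosts "$r/etc/hosts"
    echo "== suspicious cron commands ==";   check_cron "$r/var/spool/cron/root"
}

# Demo run against the constructed tree:
# audit_root "$(make_sample_root)"
```

To use it on a real host, replace the sample root with "/" (or the mount point of an image), generate the hash baseline once from a clean install, and re-run verify_hashes and the other checks whenever something looks off; treat every line of output as a lead to investigate rather than proof of compromise, since a legitimate setuid binary or a local cron job can also show up.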
These steps may help you trace and analyze an attacker on your system. You can read more about how to detect hackers or attackers on Google.
Enjoy it!!