
Re: Security - how to notice compromises.



On Thu, 24 Feb 2000, Barrie Bremner wrote:

[snip..]

> Still, I was interested when I was speaking to the postmaster at uni a
> while back: he mentioned that when he was online from one of his machines
> at home a while back, someone tried to gain access to his system.
> 
> How do folk pick up on attempts at entry to machines?

I find using a 5 meg 386dx40 with a noisy hard drive while swapping and a 2400
baud modem is ideal; I knew immediately the moment anyone tried to log in and
use my system.  I'm serious too, I've been in this situation and saw a mate
trying to log in and compile a fork bomb to piss me off.

More usefully though, check that ls /proc/* |wc -l matches ps waux |wc -l
correctly; they should always be N lines different, where N is worked out
before you go online, i.e. after a fresh install.  This can alter with a
kernel rebuild under certain circumstances.  Sorry I can't be more accurate,
I'm on my Sun at the moment at work.  This will only work on libc.so/ps root
kits and/or older, more lame kernel mod root kits.  Obviously ps, w and
other commands will tell you what is going on if somebody has simply gained a
shell on your box.  This is basic user admin stuff though and won't work on
any hacker who has had more than a few minutes.

Damion

-- 
Damion Yates - Senior Internet Operations Engineer - Internet Services
email: Damion.Yates [at] bbc.co.uk - phone: +44 1737 839510
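The /proc-versus-ps check Damion describes above, as an added example that is not part of the original post or the list archive. It generalizes his line-count comparison into a set comparison: instead of knowing in advance that the two counts differ by some constant N, it parses the PIDs out of `ps -e -o pid=` and reports any PID that is present in /proc but absent from ps output. The live check takes two /proc snapshots around the ps run so that short-lived processes (including ps itself) are not reported as hidden. The sample PID list and ps output at the bottom are constructed for the demonstration; the `SAMPLE_*` names and `demo()` are this example's own.

```python
#!/usr/bin/env python3
"""Spot processes visible in /proc that a (possibly trojaned) ps does not list.

Added example, not from the original mailing-list post. Only catches userland
rootkits that patch ps/libc; a kernel rootkit can hide /proc entries as well.
"""
import os
import subprocess


def pids_from_proc(proc_dir="/proc"):
    """PIDs are exactly the purely numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse PIDs out of `ps -e -o pid=` output (one PID per line, no header).

    A header line such as 'PID' is tolerated and skipped, so `ps -e -o pid`
    output works too.
    """
    pids = set()
    for line in text.splitlines():
        line = line.strip()
        if line.isdigit():
            pids.add(int(line))
    return pids


def pids_from_ps():
    """Run the system ps and return the set of PIDs it is willing to show."""
    result = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    )
    return pids_from_ps_output(result.stdout)


def hidden_pids(proc_pids, ps_pids, own_pids=()):
    """PIDs that /proc knows about but ps does not, minus the checker's own.

    Returned sorted so the output is stable and easy to diff between runs.
    """
    return sorted(set(proc_pids) - set(ps_pids) - set(own_pids))


def check_live():
    """Compare two /proc snapshots taken around one ps run.

    A PID is reported only if it existed both before and after ps ran and ps
    still did not list it; processes that started or exited in between (the
    ps child itself, for instance) are therefore ignored.
    """
    before = pids_from_proc()
    ps_pids = pids_from_ps()
    after = pids_from_proc()
    stable = before & after
    return hidden_pids(stable, ps_pids, own_pids=[os.getpid()])


# Constructed sample data for an offline demonstration: /proc shows five
# processes, the (hypothetically trojaned) ps omits PID 4242.
SAMPLE_PROC_PIDS = {1, 2, 3, 4242, 4243}
SAMPLE_PS_OUTPUT = "  PID\n    1\n    2\n    3\n 4243\n"


def demo():
    """Return the PIDs hidden in the constructed sample: [4242]."""
    return hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps_output(SAMPLE_PS_OUTPUT))


if __name__ == "__main__":
    print("sample run, hidden PIDs:", demo())
    if os.path.isdir("/proc"):
        live = check_live()
        print("live run, hidden PIDs:", live if live else "none")
```

Run it as root or as an ordinary user; /proc directory names are world-readable, so the comparison does not need privileges. As the post says, this only defeats rootkits that replace ps or the C library; anything that hooks the kernel's /proc handling will hide the directory too, and the two views will agree.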

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk