| 1 |
Hi Tom and all, |
| 2 |
|
| 3 |
--On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa |
| 4 |
<tomek32@××××××.com> wrote: |
| 5 |
|
| 6 |
> The previous message about his apache machine being hacked brings up a |
| 7 |
> question I have. How does one tell they've been hacked from just looking |
| 8 |
> at the logs? |
| 9 |
|
| 10 |
As a honeynet operator, I see many compromises. The two must common signs |
| 11 |
of compromise that I've found are: |
| 12 |
|
| 13 |
* Outbound SYNs to odd ports or hosts |
| 14 |
* Unexpected modification of sensitive files, especially programs |
| 15 |
|
| 16 |
To detect these signs, I've written simple scripts that scan firewall logs |
| 17 |
for anomalies in near real time. I also use various host-based intrusion |
| 18 |
detection systems, such as Tripwire, Samhain, and AIDE. Monit, which |
| 19 |
monitors a variety of events, can be configured to work as a fairly |
| 20 |
effective host-based IDS that watches sensitive directories for changes. |
| 21 |
|
| 22 |
I don't mean these comments as definitive. They're merely instances of |
| 23 |
measures that are simple to implement, but often effective. |
| 24 |
|
| 25 |
> Which brings me to another question. I've been getting some returned |
| 26 |
> mails, that I know I didn't send, saying undeliverable mail to such and |
| 27 |
> such (mostly from aol, hotmail, etc). This one particular returned email |
| 28 |
> I got on my university account worries me a little more, because it got |
| 29 |
> returned from another university mail server, saying the possibility the |
| 30 |
> message contained a virus. How do I make sure this isn't coming from one |
| 31 |
> of my home computers? |
| 32 |
|
| 33 |
MyDoom is responsible for a mountain of such spoofed messages. But, as you |
| 34 |
suggest, a given message might, or might not, be spoofed. A few SMTP |
| 35 |
servers that reject malware-laden mail and return a reply to the alleged |
| 36 |
sender helpfully provide the original message headers. I scan these for IP |
| 37 |
addresses related to me. Generally, the oldest listed server (furthest down |
| 38 |
the page) is the server of interest, since it's the point of origin. If |
| 39 |
your upstream SMTP server strips incoming headers, this analysis will fail. |
| 40 |
Some wiseguy will eventually write a worm that forges its original server |
| 41 |
as that of the alleged sender. We can hope that won't happen soon <g>. |
| 42 |
|
| 43 |
I hope this helps! |
| 44 |
|
| 45 |
--------------------------------------------------- |
| 46 |
Bill McCarty |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-security@g.o mailing list |
Archives