Hi Tom and all,
--On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa
> The previous message about his apache machine being hacked brings up a
> question I have. How does one tell they've been hacked from just looking
> at the logs?
As a honeynet operator, I see many compromises. The two most common signs
of compromise that I've found are:
* Outbound SYNs to odd ports or hosts
* Unexpected modification of sensitive files, especially programs
To detect these signs, I've written simple scripts that scan firewall logs
for anomalies in near real time. I also use various host-based intrusion
detection systems, such as Tripwire, Samhain, and AIDE. Monit, which
monitors a variety of events, can be configured to work as a fairly
effective host-based IDS that watches sensitive directories for changes.
I don't mean these comments as definitive. They're merely instances of
measures that are simple to implement, but often effective.
> Which brings me to another question. I've been getting some returned
> mails, that I know I didn't send, saying undeliverable mail to such and
> such (mostly from aol, hotmail, etc). This one particular returned email
> I got on my university account worries me a little more, because it got
> returned from another university mail server, saying the possibility the
> message contained a virus. How do I make sure this isn't coming from one
> of my home computers?
MyDoom is responsible for a mountain of such spoofed messages. But, as you
suggest, a given message might, or might not, be spoofed. A few SMTP
servers that reject malware-laden mail and return a reply to the alleged
sender helpfully provide the original message headers. I scan these for IP
addresses related to me. Generally, the oldest listed server (furthest down
the page) is the server of interest, since it's the point of origin. If
your upstream SMTP server strips incoming headers, this analysis will fail.
Some wiseguy will eventually write a worm that forges its original server
as that of the alleged sender. We can hope that won't happen soon <g>.
I hope this helps!
firstname.lastname@example.org mailing list
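As an added example (not code from the post above, nor from Tripwire, Samhain, AIDE or Monit), here is a small Python script that implements the two simple checks the reply describes: scanning netfilter-style firewall log lines for outbound SYNs from local hosts to ports outside an allow-list, and walking the Received headers of a bounced message down to the oldest one to find the point of origin and test it against "my" addresses. The log lines, the bounced headers, the network ranges and the allow-list of expected ports are all constructed for the example; the log field layout is a simplified version of the netfilter LOG target format.

```python
"""Two lightweight compromise checks (constructed example).

1. find_odd_outbound_syns: outbound TCP SYNs from my hosts to unexpected ports.
2. origin_ip / is_mine: the oldest Received header of a bounce names the
   originating server; check whether it is one of mine.
"""
import email
import ipaddress
import re

# Constructed: addresses "related to me" (home LAN plus a hypothetical public IP).
MY_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("203.0.113.77/32"),
]

# Constructed allow-list: ports my machines are expected to connect out to.
EXPECTED_OUTBOUND_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}

# Constructed log lines in a simplified netfilter LOG style (KEY=VALUE fields, TCP flags as bare words).
FIREWALL_LOG = """\
Feb  2 23:47:01 gw kernel: OUT: IN= OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40211 DPT=80 SYN
Feb  2 23:47:03 gw kernel: OUT: IN= OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40211 DPT=80 ACK
Feb  2 23:47:09 gw kernel: OUT: IN= OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.44 PROTO=TCP SPT=51022 DPT=6667 SYN
Feb  2 23:47:10 gw kernel: OUT: IN= OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=51023 DPT=8888 SYN
Feb  2 23:47:12 gw kernel: IN: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.168.1.23 PROTO=TCP SPT=4444 DPT=22 SYN
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split one log line into KEY=VALUE fields plus a set of TCP flag words."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.add(token)
    fields["flags"] = flags
    return fields


def find_odd_outbound_syns(log_text, my_networks=MY_NETWORKS, expected_ports=EXPECTED_OUTBOUND_PORTS):
    """Return (src, dst, dport) for connection-initiating SYNs from my hosts to unexpected ports."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue  # only pure SYNs start new outbound connections
        if "SRC" not in f or "DST" not in f or "DPT" not in f:
            continue
        src = ipaddress.ip_address(f["SRC"])
        if not any(src in net for net in my_networks):
            continue  # inbound or transit traffic, not something my hosts initiated
        dport = int(f["DPT"])
        if dport not in expected_ports:
            hits.append((f["SRC"], f["DST"], dport))
    return hits


# Constructed bounce headers, newest Received header first, oldest last.
BOUNCED_HEADERS = """\
Received: from mx2.example.edu (mx2.example.edu [198.51.100.20])
\tby mail.example.edu (Postfix) with ESMTP id 2F3A1
\tfor <someone@example.edu>; Mon, 2 Feb 2004 23:30:12 +0000
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx2.example.edu (Postfix) with ESMTP id 9B7C2;
\tMon, 2 Feb 2004 23:30:10 +0000
Received: from pc23 (dsl-77.isp.example [203.0.113.77])
\tby relay.example.net (Postfix) with SMTP id 17E04;
\tMon, 2 Feb 2004 23:29:58 +0000
From: someone@example.edu
To: victim@example.org
Subject: test

"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message):
    """IP named in each Received header, top (newest) to bottom (oldest)."""
    msg = email.message_from_string(raw_message)
    chain = []
    for value in msg.get_all("Received") or []:
        m = IP_IN_BRACKETS.search(value)
        chain.append(m.group(1) if m else None)
    return chain


def origin_ip(raw_message):
    """The oldest (last) Received header is the point of origin; None if headers were stripped."""
    chain = received_chain(raw_message)
    return chain[-1] if chain else None


def is_mine(ip, my_networks=MY_NETWORKS):
    """True if the IP falls inside one of my networks."""
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in my_networks)


if __name__ == "__main__":
    for src, dst, dport in find_odd_outbound_syns(FIREWALL_LOG):
        print(f"odd outbound SYN: {src} -> {dst}:{dport}")
    origin = origin_ip(BOUNCED_HEADERS)
    print(f"bounce originated at {origin}; mine: {is_mine(origin)}")
```

The log scan deliberately ignores SYN/ACK and inbound segments, so only connections that a local host initiated are reported; the header walk returns `None` when no Received headers survive, which is exactly the case the reply warns about when an upstream server strips them.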