Hi Tom and all,

--On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa
<tomek32@××××××.com> wrote:

> The previous message about his apache machine being hacked brings up a
> question I have. How does one tell they've been hacked from just looking
> at the logs?

As a honeynet operator, I see many compromises. The two most common signs
of compromise that I've found are:

* Outbound SYNs to odd ports or hosts
* Unexpected modification of sensitive files, especially programs

To detect these signs, I've written simple scripts that scan firewall logs
for anomalies in near real time. I also use various host-based intrusion
detection systems, such as Tripwire, Samhain, and AIDE. Monit, which
monitors a variety of events, can be configured to work as a fairly
effective host-based IDS that watches sensitive directories for changes.

I don't mean these comments as definitive. They're merely instances of
measures that are simple to implement, but often effective.

> Which brings me to another question. I've been getting some returned
> mails, that I know I didn't send, saying undeliverable mail to such and
> such (mostly from aol, hotmail, etc). This one particular returned email
> I got on my university account worries me a little more, because it got
> returned from another university mail server, saying the possibility the
> message contained a virus. How do I make sure this isn't coming from one
> of my home computers?

MyDoom is responsible for a mountain of such spoofed messages. But, as you
suggest, a given message might, or might not, be spoofed. A few SMTP
servers that reject malware-laden mail and return a reply to the alleged
sender helpfully provide the original message headers. I scan these for IP
addresses related to me. Generally, the oldest listed server (furthest down
the page) is the server of interest, since it's the point of origin. If
your upstream SMTP server strips incoming headers, this analysis will fail.
Some wiseguy will eventually write a worm that forges its original server
as that of the alleged sender. We can hope that won't happen soon <g>.

I hope this helps!

---------------------------------------------------
Bill McCarty
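The first sign Bill describes, outbound SYNs to odd ports or hosts, is easy to pick out of iptables LOG-target output. The script below is an added example, not Bill's own script or anything from the original thread: it parses kernel LOG lines, keeps only new outbound TCP connection attempts (SYN set, ACK clear, a non-empty OUT interface) and flags any whose destination port is not in a per-host allowlist, or whose destination host is not one the port is permitted to reach. The log lines and the ALLOWED_OUTBOUND policy are constructed for the example; the policy for a real host is whatever that host is actually supposed to talk to.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample of iptables LOG-target lines (not from the original post).
# Lines 2, 5 and 6 are the kind of outbound SYN the post describes: to an
# odd port (6667, 4444) and to an odd host (DNS to a foreign resolver).
SAMPLE_LOG = """\
Feb  2 23:47:01 honey kernel: FW: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 23:47:02 honey kernel: FW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 23:47:03 honey kernel: FW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 23:47:04 honey kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=80 DPT=40003 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb  2 23:47:05 honey kernel: FW: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40004 DPT=4444 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 23:47:06 honey kernel: FW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40005 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Hypothetical policy for one host: destination ports it may open outbound,
# and (where the value is not None) the only hosts it may open them to.
ALLOWED_OUTBOUND: Dict[int, Optional[Set[str]]] = {
    80: None,              # web, any host
    443: None,
    53: {"10.0.0.1"},      # DNS only to the local resolver
    25: {"10.0.0.2"},      # SMTP only to the local relay
}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value fields of a LOG line


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dpt: int
    out_iface: str
    syn: bool
    ack: bool
    raw: str


def parse_iptables_line(line: str) -> Optional[Packet]:
    """Parse one kernel LOG-target line; return None for unrelated lines."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    tokens = set(line.split())   # TCP flags appear as bare tokens: SYN, ACK, ...
    return Packet(
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        dpt=int(fields["DPT"]) if fields.get("DPT", "").isdigit() else -1,
        out_iface=fields.get("OUT", ""),
        syn="SYN" in tokens,
        ack="ACK" in tokens,
        raw=line,
    )


def odd_outbound_syn(pkt: Packet) -> Optional[str]:
    """Return an alert string if pkt is an outbound connection attempt the
    policy does not expect, else None."""
    # A new outbound connection is a TCP SYN without ACK leaving on an interface;
    # SYN+ACK replies to inbound connections are not interesting here.
    if pkt.proto != "TCP" or not pkt.syn or pkt.ack or not pkt.out_iface:
        return None
    if pkt.dpt not in ALLOWED_OUTBOUND:
        return f"odd port: {pkt.src} -> {pkt.dst}:{pkt.dpt}"
    allowed_hosts = ALLOWED_OUTBOUND[pkt.dpt]
    if allowed_hosts is not None and pkt.dst not in allowed_hosts:
        return f"odd host: {pkt.src} -> {pkt.dst}:{pkt.dpt}"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run the check over a stream of log lines and collect the alerts."""
    alerts = []
    for line in lines:
        pkt = parse_iptables_line(line)
        if pkt is None:
            continue
        alert = odd_outbound_syn(pkt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # Pipe `tail -F /var/log/messages` into this script for near real time use;
    # with no data on stdin it runs over the constructed sample instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for a in scan(source):
        print(a)
```

Only the first packet of a connection carries a bare SYN, so the check fires once per attempt rather than once per packet, and it deliberately ignores replies (ACK set) so that inbound scans against the box do not show up as outbound alerts.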

-- 
gentoo-security@g.o mailing list
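Bill's second technique, reading the returned headers of a bounce and checking the oldest Received: line against your own addresses, is mechanical enough to script. The following is an added example, not code from the thread: it takes the original message headers as a bounce might return them (the headers, hostnames and addresses below are constructed), walks the Received: chain with the standard email module, takes the last entry as the point of origin and asks whether the address the receiving server recorded for that hop falls in a list of networks you own. It also implements the two caveats from the post: a chain of fewer than two hops is reported as inconclusive (the upstream server has probably stripped headers), and only the bracketed address the receiving server observed is trusted, never the name the sending host announced, since that is exactly what a forging worm would lie about.

```python
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed original-message headers, as a bounce that preserves them might
# return (not from the original post; every name and address here is made up).
# Received: headers read newest first, so the last one is the point of origin.
SAMPLE_HEADERS = """\
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
    by mail.other-univ.example (Postfix) with ESMTP id 1A2B3C
    for <victim@other-univ.example>; Mon, 02 Feb 2004 22:10:05 +0000
Received: from relay.example.edu (relay.example.edu [192.0.2.11])
    by mx1.example.edu (8.12.10/8.12.10) with ESMTP id i12MA03s012345;
    Mon, 02 Feb 2004 22:10:03 +0000
Received: from alleged-sender-pc (dsl-198-51-100-77.isp.example [198.51.100.77])
    by relay.example.edu (8.12.10/8.12.10) with SMTP id i12MA01s012340;
    Mon, 02 Feb 2004 22:10:01 +0000
From: alleged-sender@example.edu
To: victim@other-univ.example
Subject: hi
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)((?:\s*\([^)]*\))*)")   # "from HELO (comment...)"
BY_RE = re.compile(r"\bby\s+(\S+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # address in square brackets


@dataclass
class Hop:
    helo: str                   # name the sending host claimed; attacker-controlled
    observed_ip: Optional[str]  # address the receiving server saw; trustworthy for that hop
    by: str                     # server that recorded this hop


def parse_received(value: str) -> Hop:
    """Pull the interesting parts out of one Received: header value."""
    value = " ".join(value.split())        # unfold continuation lines
    m = FROM_RE.search(value)
    helo = m.group(1) if m else ""
    comment = m.group(2) if m else ""
    ip_m = IPV4_RE.search(comment)
    by_m = BY_RE.search(value)
    return Hop(helo=helo,
               observed_ip=ip_m.group(1) if ip_m else None,
               by=by_m.group(1) if by_m else "")


def received_chain(raw_headers: str) -> List[Hop]:
    """All hops in header order: newest first, origin last."""
    msg = email.message_from_string(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def assess_origin(raw_headers: str, my_nets: List[str]) -> dict:
    """Decide whether the oldest hop came from one of my_nets (CIDR strings)."""
    chain = received_chain(raw_headers)
    if len(chain) < 2:
        # One or zero hops: the upstream server has most likely stripped the
        # original headers, and there is nothing to trace back through.
        return {"verdict": "inconclusive", "origin": None}
    origin = chain[-1]                     # furthest down the page = oldest
    nets = [ipaddress.ip_network(n) for n in my_nets]
    mine = origin.observed_ip is not None and any(
        ipaddress.ip_address(origin.observed_ip) in n for n in nets)
    # Deliberately ignore origin.helo: the HELO name is whatever the sending
    # program chose to say, and a worm can put the victim's hostname there.
    return {"verdict": "origin is mine" if mine else "origin is not mine",
            "origin": origin}


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop.helo:20s} [{hop.observed_ip}] -> by {hop.by}")
    print(assess_origin(SAMPLE_HEADERS, ["198.51.100.77/32"])["verdict"])
```

In practice the headers come out of the message/rfc822 part of the bounce, and the list of "my" networks should include every address your home machines have sent mail from, including a dynamic DSL range if that is what you have; the bracketed address in the last hop is the only thing in the chain that a remote server, rather than the sender, wrote down.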