Gentoo Archives: gentoo-security

From: Bill McCarty <bmccarty@××××××.net>
To: Tom Hosiawa <tomek32@××××××.com>, gentoo-security <gentoo-security@l.g.o>
Subject: Re: [gentoo-security] my security faqs?
Date: Tue, 03 Feb 2004 05:30:49
Message-Id: 12633596.1075757109@[]
In Reply to: [gentoo-security] my security faqs? by Tom Hosiawa
Hi Tom and all,

--On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa 
<tomek32@××××××.com> wrote:

> The previous message about his apache machine being hacked brings up a
> question I have. How does one tell they've been hacked from just looking
> at the logs?

As a honeynet operator, I see many compromises. The two most common signs of compromise that I've found are:

* Outbound SYNs to odd ports or hosts
* Unexpected modification of sensitive files, especially programs

To detect these signs, I've written simple scripts that scan firewall logs for anomalies in near real time. I also use various host-based intrusion detection systems, such as Tripwire, Samhain, and AIDE. Monit, which monitors a variety of events, can be configured to work as a fairly effective host-based IDS that watches sensitive directories for changes.

I don't mean these comments as definitive. They're merely instances of measures that are simple to implement, but often effective.

> Which brings me to another question. I've been getting some returned
> mails, that I know I didn't send, saying undeliverable mail to such and
> such (mostly from aol, hotmail, etc). This one particular returned email
> I got on my university account worries me a little more, because it got
> returned from another university mail server, saying the possibility the
> message contained a virus. How do I make sure this isn't coming from one
> of my home computers?

MyDoom is responsible for a mountain of such spoofed messages. But, as you suggest, a given message might, or might not, be spoofed.

A few SMTP servers that reject malware-laden mail and return a reply to the alleged sender helpfully provide the original message headers. I scan these for IP addresses related to me. Generally, the oldest listed server (furthest down the page) is the server of interest, since it's the point of origin. If your upstream SMTP server strips incoming headers, this analysis will fail.

Some wiseguy will eventually write a worm that forges its original server as that of the alleged sender. We can hope that won't happen soon <g>.

I hope this helps!

---------------------------------------------------
Bill McCarty

--
gentoo-security@g.o mailing list
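As an added illustration of the first point in Bill's reply (scanning firewall logs for outbound SYNs to odd ports or hosts), here is a small Python script that is not from the thread or from any of the tools named in it. It parses lines in the style of the netfilter LOG target and flags new outbound TCP connections (pure SYN, no ACK) whose destination port, or destination host for that port, is outside a hypothetical per-host policy. The policy table, the host name and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the style of the netfilter LOG target (prefix
# "FW-OUT" assumed). Host name and addresses are documentation values.
SAMPLE_LOG = """\
Feb  3 05:30:49 honeypot kernel: FW-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 05:30:50 honeypot kernel: FW-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 05:30:51 honeypot kernel: FW-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Feb  3 05:30:52 honeypot kernel: FW-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43212 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 05:30:53 honeypot kernel: FW-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=43213 DPT=31337 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 05:30:54 honeypot kernel: FW-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=43214 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Hypothetical outbound policy for this host: port -> allowed destination
# hosts (None means any host is acceptable on that port).
POLICY: Dict[int, Optional[Set[str]]] = {
    80: None,
    443: None,
    25: {"203.0.113.5"},  # mail may only go to the upstream relay
}


@dataclass
class Anomaly:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Tuple[str, Dict[str, str], Set[str]]:
    """Split one LOG line into (syslog timestamp, KEY=VALUE fields, TCP flags)."""
    timestamp = line[:15]                      # "Feb  3 05:30:49"
    fields = dict(FIELD_RE.findall(line))      # IN=, OUT=eth0, SRC=..., DPT=...
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return timestamp, fields, flags


def find_outbound_syn_anomalies(log_text: str) -> List[Anomaly]:
    """Return new outbound TCP connections that fall outside POLICY."""
    anomalies: List[Anomaly] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f, flags = parse_line(line)
        # Outbound means OUT= is set and IN= is empty; only TCP is considered.
        if f.get("PROTO") != "TCP" or not f.get("OUT") or f.get("IN"):
            continue
        # A pure SYN (no ACK) is a connection this host initiated.
        if "SYN" not in flags or "ACK" in flags:
            continue
        dport = int(f["DPT"])
        dst = f["DST"]
        if dport not in POLICY:
            anomalies.append(Anomaly(ts, f["SRC"], dst, dport,
                                     "unexpected destination port"))
        elif POLICY[dport] is not None and dst not in POLICY[dport]:
            anomalies.append(Anomaly(ts, f["SRC"], dst, dport,
                                     "unexpected destination host for port"))
    return anomalies


if __name__ == "__main__":
    for a in find_outbound_syn_anomalies(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst}:{a.dport}  ({a.reason})")
```

Run against the constructed lines it reports the IRC-style port 6667, port 31337, and an SMTP connection to a host other than the relay, while the ordinary web traffic and the ACK line pass. For near real time use, feed it `tail -f` of the firewall log instead of the embedded sample.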
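For the second point in the reply (reading the original headers that a rejecting SMTP server sends back, and treating the bottom-most Received header as the point of origin), here is an added Python example, not from the thread. It walks the Received chain from oldest to newest, extracts the first IPv4 address in the oldest header as the origin, and checks it against a hypothetical list of networks you are responsible for. The header block and all addresses are constructed (RFC 5737 documentation ranges); the "MY_NETWORKS" list is an assumption you would replace with your own ranges.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hypothetical: address space belonging to me (home machines, my server).
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed original-message headers of the kind a rejecting server
# returns with its bounce. Newest Received header is on top, oldest at the
# bottom, as mail servers prepend them.
SAMPLE_HEADERS = """\
Return-Path: <bmccarty@example.net>
Received: from mx.university.example (mx.university.example [198.51.100.20])
\tby mail.other-university.example with ESMTP id x1; Tue, 03 Feb 2004 04:55:01 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.5])
\tby mx.university.example with ESMTP; Tue, 03 Feb 2004 04:54:58 +0000
Received: from dialup-77.isp.example (unknown [203.0.113.77])
\tby relay.isp.example with SMTP; Tue, 03 Feb 2004 04:54:50 +0000
From: bmccarty@example.net
To: someone@other-university.example
Subject: hi

"""


def received_chain(raw_headers: str) -> List[str]:
    """All Received headers in the order they appear (newest first)."""
    msg = message_from_string(raw_headers)
    return [str(h) for h in (msg.get_all("Received") or [])]


def origin_ip(raw_headers: str) -> Optional[str]:
    """IPv4 address named in the oldest Received header, or None if absent.

    None is what you get when an upstream server has stripped the incoming
    headers; the analysis cannot say anything in that case."""
    for hdr in reversed(received_chain(raw_headers)):
        m = IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None


def is_mine(ip: str) -> bool:
    """True if the address falls inside one of MY_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MY_NETWORKS)


def my_addresses_in_chain(raw_headers: str) -> List[str]:
    """Every address in any Received header that belongs to me."""
    found: List[str] = []
    for hdr in received_chain(raw_headers):
        for ip in IP_RE.findall(hdr):
            if is_mine(ip) and ip not in found:
                found.append(ip)
    return found


if __name__ == "__main__":
    origin = origin_ip(SAMPLE_HEADERS)
    print("origin:", origin, "mine" if origin and is_mine(origin) else "not mine")
    print("my addresses anywhere in chain:", my_addresses_in_chain(SAMPLE_HEADERS))
```

On the constructed headers the origin resolves to the dial-up host at the bottom of the chain, which is outside the assumed networks, so the bounce did not come from one of "my" machines. If the bounce quotes no Received headers at all, `origin_ip` returns `None` rather than guessing.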