Gentoo Archives: gentoo-security

From: Bill McCarty <bmccarty@××××××.net>
To: Tom Hosiawa <tomek32@××××××.com>, gentoo-security <gentoo-security@l.g.o>
Subject: Re: [gentoo-security] my security faqs?
Date: Tue, 03 Feb 2004 05:30:49
Message-Id: 12633596.1075757109@[]
In Reply to: [gentoo-security] my security faqs? by Tom Hosiawa
1 Hi Tom and all,
3 --On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa
4 <tomek32@××××××.com> wrote:
6 > The previous message about his apache machine being hacked brings up a
7 > question I have. How does one tell they've been hacked from just looking
8 > at the logs?
10 As a honeynet operator, I see many compromises. The two must common signs
11 of compromise that I've found are:
13 * Outbound SYNs to odd ports or hosts
14 * Unexpected modification of sensitive files, especially programs
16 To detect these signs, I've written simple scripts that scan firewall logs
17 for anomalies in near real time. I also use various host-based intrusion
18 detection systems, such as Tripwire, Samhain, and AIDE. Monit, which
19 monitors a variety of events, can be configured to work as a fairly
20 effective host-based IDS that watches sensitive directories for changes.
22 I don't mean these comments as definitive. They're merely instances of
23 measures that are simple to implement, but often effective.
25 > Which brings me to another question. I've been getting some returned
26 > mails, that I know I didn't send, saying undeliverable mail to such and
27 > such (mostly from aol, hotmail, etc). This one particular returned email
28 > I got on my university account worries me a little more, because it got
29 > returned from another university mail server, saying the possibility the
30 > message contained a virus. How do I make sure this isn't coming from one
31 > of my home computers?
33 MyDoom is responsible for a mountain of such spoofed messages. But, as you
34 suggest, a given message might, or might not, be spoofed. A few SMTP
35 servers that reject malware-laden mail and return a reply to the alleged
36 sender helpfully provide the original message headers. I scan these for IP
37 addresses related to me. Generally, the oldest listed server (furthest down
38 the page) is the server of interest, since it's the point of origin. If
39 your upstream SMTP server strips incoming headers, this analysis will fail.
40 Some wiseguy will eventually write a worm that forges its original server
41 as that of the alleged sender. We can hope that won't happen soon <g>.
43 I hope this helps!
45 ---------------------------------------------------
46 Bill McCarty
48 --
49 gentoo-security@g.o mailing list