HELP - Somebody hack me

certify 11-03-2001, 08:52 AM
How do I check to see if this person installed or uploaded a trojan on my server? Help me quick.

RutRow 11-03-2001, 09:02 AM
What OS are you running? What makes you think you have been compromised?

certify 11-03-2001, 09:14 AM
RH 7.1. I got e-mails from an administrator saying that I was probing their firewall.

RutRow 11-03-2001, 10:12 AM
First, I would get the log entries from their admin to see what is really happening. Next I would start looking for suspicious log entries or processes. Depending on the sophistication of the compromise, that can be hidden, though. You might also try doing rpm verification on relevant packages. A good place for information is www.cert.org: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

JTY 11-03-2001, 12:28 PM
Log into the server as root and run

    netstat -a | more

which will give a page-by-page list of all open network connections. Then try running 'top' and look for any odd processes.

RutRow 11-03-2001, 12:55 PM
Unfortunately, modified versions of netstat, ps, and others are typically put in place by root kits. That is why it is a good idea to keep hidden copies of network tools somewhere on your system, or offsite.

certify 11-03-2001, 01:04 PM
What sort of odd stuff should I look for?

JTY 11-03-2001, 02:19 PM
Look for any files that don't belong... but, as was previously pointed out, if a rootkit was put in, then it will cover up what's going on.

davidb 11-03-2001, 04:10 PM
One thing to check that happened to me was inet: check for any entries that look misplaced, like sh linked in there.
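davidb's inet check, as an added example that is not from the thread: a small POSIX shell/awk audit of an inetd.conf that flags active entries whose server program or first argument is a shell, and entries that bypass the tcpd wrapper. The sample file is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Constructed /etc/inetd.conf sample (not from any real host); the last
# line is the kind of entry davidb means: a listener that execs a shell.
TMP=${TMPDIR:-/tmp}/inetd-audit.$$
mkdir -p "$TMP"
cat > "$TMP/inetd.conf" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp     nowait  root    internal
nsocket stream  tcp     nowait  root    /bin/sh         sh -i
EOF

# Print "service server_path" for every active entry whose server program
# or first argument is a shell. No stock service needs a socket wired
# straight to sh, so every hit deserves a look.
shell_backed_services() {
    awk '
      $1 ~ /^#/ || NF == 0 { next }          # comments and blank lines
      $6 == "internal"     { next }          # built-in echo/discard/etc.
      {
        n = split($6, p, "/"); prog = p[n]
        arg = ""
        if (NF >= 7) { m = split($7, q, "/"); arg = q[m] }
        if (prog ~ /^(sh|bash|csh|tcsh|ksh)$/ || arg ~ /^(sh|bash|csh|tcsh|ksh)$/)
            print $1, $6
      }' "$1"
}

# Active entries that do not go through the tcpd wrapper; on a box where
# everything legitimate is wrapped, an unwrapped line is usually an addition.
unwrapped_services() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         $6 != "internal" && $6 !~ /tcpd$/ { print $1 }' "$1"
}

# Live usage: shell_backed_services /etc/inetd.conf; unwrapped_services /etc/inetd.conf
```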
William 11-03-2001, 04:41 PM
You can type ldd <path to service>, for example:

    ldd /bin/netstat
        /lib/libsafe.so.1.3 => /lib/libsafe.so.1.3 (0x40013000)
        /lib/libNoVersion.so.1 => /lib/libNoVersion.so.1 (0x40019000)
        libc.so.6 => /lib/libc.so.6 (0x4001e000)
        libdl.so.2 => /lib/libdl.so.2 (0x40111000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Trojan version:

    ldd /bin/netstat
        /lib/libsafe.so.1.3 => /lib/libsafe.so.1.3 (0x40013000)
        /lib/libNoVersion.so.1 => /lib/libNoVersion.so.1 (0x40019000)
        libc.so.5 => /lib/libc.so.5 (0x4001e000)
        libdl.so.2 => /lib/libdl.so.2 (0x40111000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Most root kits have been compiled on older libs, so look closely and see if the services are legit. The most common ones are ls, w, netstat, login, who, so you need to realize that even looking around is not real.

MaB 11-03-2001, 07:24 PM
Try using:

    rpm -Va > log.txt

then come back an hour later; it takes a little while to run, but it will tell you if the files are normal. :)

Tim Greer 11-04-2001, 12:06 AM
If you have users on the server, that might explain the probing. Of course, that's not to say you weren't rooted and used as a jump-pad to another server to root and so on (that's usually the case). Change your passwords. Replace these files with known secure versions (as the ones you now have are likely trojans): w, ps, top, netstat, login, su, ls, dd, df, du, lsof, grep, finger, sh (or bash -- same thing), file. These are located in the directories /bin, /usr/bin and /usr/sbin. Check for any crontab entries for root or another user with higher access in /var/spool/cron/userhere and /etc/crontab. Also check permissions on them; make sure they aren't world writeable. Check permissions around the server on any relevant files. Change your passwords again after you replace the files mentioned above.
Check dmesg and ifconfig to see if your NIC (network card) is running in promiscuous mode (which means there's a network sniffer installed and likely logging all your passwords and the commands you type). Check (once the tools are replaced) for any services running that shouldn't be, with ps, top, netstat, lsof and other tools (once you are certain they are clean tools). Check for anything unusual in your rc/init files -- and check the permissions of them again as well. Check your inet files (sorry, I was thinking of RH 6.x for a moment, but check /etc/inetd.conf -- if it's there -- for anything unusual). Check the dates on any important files/tools to see if they've been changed. Change your passwords again after making those changes -- this is to ensure that you change it immediately, but you still might be logged or a victim of a trojan and your new passwords could be changed -- and use SSH, never telnet, for these steps. Speaking of SSH, that program is likely trojaned as well -- remove or back up the current relevant programs and replace them with fresh installs from source, or even rpm's. If you have backup, trusted copies on secure media, restore from that. If you don't -- do that from now on. Check the logging tools, and entries in /etc/syslog.conf and other relevant files for anything that might be rotating or deleting the logs or not logging at all. See if there's anything in /var/log and save the files if they aren't gone (they are likely tampered with anyway, but still). Finally, check the system/user files, and look for anything in /etc/passwd that has any user but the correct users as having low user or group IDs. I.e., many rootkits install a user with an odd name and that user will have the user or group ID of 0 (zero), i.e., luser:0:0:/whatever here/:/bin/bash. Check and back up all the history/bash_history files.
Do the same with your web server log files -- you never know what people leave, and most are just script kiddies using scripts/tools that they don't know how or why they work, but just use them to crack into servers (and often leave a lot of logs behind or ways to track them, even with the usual stuff altered and deleted). Implement some better logging and alerting, and capture w, ps, last and who every 5 or 10 minutes as well, for the future. Check into firewalls (smart rules), and implement some MD5 file checksums. Finally, check for any new files that have been updated in the last hour (so you can find where things are logged if there's a trojan installed that's grabbing your passwords and commands). Do the same for the last day and then the last so-many days; you could have been rooted long ago, you don't know. These will be some tell-tale signs of a rooting; even if they try and cover their tracks or hide the fact they've been there, it's usually not too difficult to discover those facts. There's more to this and more you can do and check, etc., but that's a start to confirm if anything's been altered or whatnot. All in all, if those are the cases, you will be better off not trying to do too much cleaning and just backing up the data (not the system binaries/tools), reinstalling completely fresh and restoring the harmless data back onto it. There's really too much to discuss here or give advice about, as this would require a few books' worth -- literally. Anyway, good luck, I hope this was of some help.

The Prohacker 11-04-2001, 12:24 AM
Tim of course covered many of the major points of it, but I would also suggest that you make sure you're using the most up-to-date kernel, 2.4.12 as I remember; the latest local root hole could be the problem......

JeffH 11-04-2001, 12:27 AM
Now it's threads like this that make coming here worthwhile. If I had gotten hacked, I would never have thought to look at half the stuff you guys mentioned.
Keep up the good work.

ambirex 11-05-2001, 04:32 PM
Here is a helpful little utility that can check for many rootkits. http://www.chkrootkit.org/

certify 11-06-2001, 04:07 AM
Thanks for all your advice. I'll look into each and every one.
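Three of the checks from the thread, as an added shell example that is not from any poster: Tim Greer's extra uid-0 accounts in /etc/passwd and PROMISC interfaces in ifconfig output, and MaB's rpm -Va log. The sample inputs are constructed and the function names are assumptions; on a live host the functions are run over the real files, using tools already confirmed clean as the thread advises.

```shell
#!/bin/sh
# Constructed samples (not from any real host) standing in for /etc/passwd,
# the output of `ifconfig -a` and the output of `rpm -Va > log.txt`.
TMP=${TMPDIR:-/tmp}/triage.$$
mkdir -p "$TMP"
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
certify:x:500:500::/home/certify:/bin/bash
luser:x:0:0::/whatever:/bin/bash
EOF
cat > "$TMP/ifconfig.txt" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
EOF
cat > "$TMP/rpmva.txt" <<'EOF'
S.5....T   /bin/netstat
.......T c /etc/inetd.conf
S.5....T c /etc/syslog.conf
.......T   /usr/bin/top
missing    /usr/bin/lsof
EOF

# Accounts other than root with uid 0 or gid 0 (the "luser:0:0" sign).
extra_root_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Interfaces whose flags line carries PROMISC (ifconfig prints the interface
# name in column 1 and the flags on the indented line that follows).
promisc_ifaces() {
    awk '/^[A-Za-z0-9]/ { iface = $1 } /PROMISC/ { print iface }' "$1"
}

# rpm -Va lines whose MD5 column (3rd character) is "5" on a non-config file,
# plus files reported missing. Config files ("c") change legitimately; a
# binary under /bin with a new checksum does not.
changed_binaries() {
    awk '$1 == "missing" { print $2; next }
         substr($1, 3, 1) == "5" && $2 != "c" { print $2 }' "$1"
}

# Live usage: extra_root_accounts /etc/passwd
#             ifconfig -a > if.txt; promisc_ifaces if.txt
#             rpm -Va > log.txt;    changed_binaries log.txt
```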