tariehk
12-07-2001, 06:39 PM
Hi,
I am a newbie with a Linux box 7.1 and I wanted to know which log files I should be looking at and what type of activity I will see in the log files to know that my system is not being hacked?
Also what other things beside log files should I be looking at to make sure my system looks normal?
Please be very specific.
Thanks for your help!!!
Tariehk
ffeingol
12-07-2001, 07:56 PM
Try looking at logcheck (http://www.psionic.com/abacus/logcheck/). It scans all the basic system logs and e-mails you with "errors".
Frank
davidb
12-08-2001, 02:12 AM
Hi, it is really very hard to be specific on what would be off if a *acker was in your system. If they are good, or just know a good program, they can cover their tracks via logs pretty easily (hence the use of logcheck, which checks every 15 min). The best thing to do is buy a book; I have a few that focus on Linux security. It is called Hacking Linux, but some people might have better ones. Also, a few things to check are:
Check inetd to see if anything is running that you A. removed or B. never put there, specifically someone adding /bin/sh
Check the passwd file for unknown entries (and make sure you delete users you do not need)
Check for processes running that you did not start or have not seen before.
Logcheck can be a royal pain at first... but, once you get used to what's usual on your system, you can modify the ignore file, so you don't get pestered with nonsense messages.
Otherwise, it's a great tool.
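The checks davidb lists (an account in the passwd file that nobody added, and an inetd service that hands out a shell) can be scripted. The block below is an added example, not code posted in this thread: the passwd and inetd.conf contents are constructed samples, and the function names are the example's own. On a real box, point the functions at /etc/passwd and /etc/inetd.conf and keep the "known accounts" list somewhere you maintain by hand.

```shell
#!/bin/sh
# Added example, not from the thread: script davidb's checks against
# passwd-format and inetd.conf-format files. Sample contents are constructed
# here so the script runs offline; on a real box point the functions at
# /etc/passwd and /etc/inetd.conf instead.

# Constructed /etc/passwd: "backup" has UID 0, which only root should have.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
backup:x:0:0:backup:/tmp:/bin/sh
tariehk:x:500:500:Tariehk:/home/tariehk:/bin/bash'

# Constructed /etc/inetd.conf: the last line binds a shell directly to a
# service port, the "/bin/sh in inetd" pattern davidb mentions.
SAMPLE_INETD='# service socket proto wait user server args
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ingreslock stream tcp nowait root /bin/sh sh'

# Write the constructed samples into a directory ($1). Used by the demo below.
write_samples() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_INETD"  > "$1/inetd.conf"
}

# Print every account with UID 0 other than root ($1 = passwd-format file).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts not in a space-separated list of expected names
# ($1 = passwd-format file, $2 = "root daemon ..." list the admin maintains).
unknown_accounts() {
    awk -F: -v known="$2" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        !($1 in k) { print $1 }' "$1"
}

# Print inetd service names whose server program (field 6) is a shell
# ($1 = inetd.conf-format file). Comment lines and short lines are skipped.
shell_services() {
    awk '!/^#/ && NF >= 6 && $6 ~ /\/(sh|bash|csh|ksh|zsh)$/ { print $1 }' "$1"
}

# Demo run against the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
echo "extra UID 0 accounts:    $(extra_uid0_accounts "$dir/passwd")"
echo "accounts not expected:   $(unknown_accounts "$dir/passwd" 'root daemon tariehk')"
echo "inetd services -> shell: $(shell_services "$dir/inetd.conf")"
rm -rf "$dir"
```

The UID 0 check is the one to run first: a second root-equivalent account is never legitimate on a single-admin box, while the "unknown account" list needs you to keep the expected-names list current as you add packages. Like the process check davidb describes, these only help against someone who did not also replace awk or the files themselves, which is why the later posts suggest comparing against a copy kept off the machine.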
bobcares
12-08-2001, 08:14 AM
The problem that comes is that a good hacker doesn't leave much for anyone to find out. He deletes the logs or modifies them so that they look very normal. Some hack scripts patch up the kernel and add new patched-up binaries for standard files like ls, top, ps, finger etc.... This way it is close to impossible to catch them.
However you can always try to do some of these things.
Run who and see who all are logged in.
Study the files in /var/log and see if any unusual activities took place.
See the history of each user's login (e.g. .bash_history if bash is the default shell)
Look for any changes that may be there in the startup scripts: rc.local, rc and the files in rc.d
Look for any changes in inetd.conf
The list just goes on...... :)
Have a great day :)
regards
amar
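"Look for any changes" in rc.local, rc.d and inetd.conf only works if you have something to compare against. The block below is an added example, not code from this thread: it records a checksum baseline of a startup-file tree and reports what was added, changed or removed on a later scan. The file tree it scans is constructed inline, and the function names are the example's own; on a real box you would baseline /etc/rc.d, /etc/rc.local and /etc/inetd.conf right after installation and keep the baseline file on removable media or another host, since a baseline stored on the same machine can be rewritten along with the scripts.

```shell
#!/bin/sh
# Added example, not from the thread: record a checksum baseline of the
# startup scripts and inetd.conf that amar says to watch, then rescan and
# report anything added, changed or removed. The file tree is constructed
# here; on a real box baseline /etc/rc.d, /etc/rc.local and /etc/inetd.conf
# and keep the baseline file somewhere the machine itself cannot overwrite.
# Assumes sha256sum from coreutils is installed.

# Build a constructed /etc-like tree of startup files under $1.
setup_sample_tree() {
    mkdir -p "$1/rc.d"
    printf '#!/bin/sh\n# constructed rc.local\ntouch /var/lock/subsys/local\n' > "$1/rc.local"
    printf '#!/bin/sh\n# constructed rc.sysinit\n' > "$1/rc.d/rc.sysinit"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$1/inetd.conf"
}

# Simulate the kind of change the thread warns about: an extra line in
# rc.local that starts something from /tmp, and a new script dropped into rc.d.
tamper_sample_tree() {
    printf '/tmp/.hidden/start &\n' >> "$1/rc.local"
    printf '#!/bin/sh\n' > "$1/rc.d/S99new"
}

# Emit "sha256  ./relative/path" for every regular file under $1, sorted by path.
# (Paths are assumed to contain no whitespace, as is normal under /etc.)
startup_fingerprint() {
    ( cd "$1" && find . -type f -print | sort | while read -r f; do sha256sum "$f"; done )
}

# Save a baseline: $1 = directory to fingerprint, $2 = baseline file to write.
make_baseline() {
    startup_fingerprint "$1" > "$2"
}

# Compare a fresh scan of directory $2 against baseline file $1 and print one
# line per difference: "added: path", "changed: path" or "removed: path", sorted.
changed_startup_files() {
    startup_fingerprint "$2" | awk '
        NR == FNR { base[$2] = $1; next }   # first input: the saved baseline
        {                                   # second input (stdin): the fresh scan
            seen[$2] = 1
            if (!($2 in base))       print "added: " $2
            else if (base[$2] != $1) print "changed: " $2
        }
        END { for (p in base) if (!(p in seen)) print "removed: " p }
    ' "$1" - | sort
}

# Demo: baseline, tamper, rescan.
work=$(mktemp -d)
setup_sample_tree "$work/etc"
make_baseline "$work/etc" "$work/baseline.sha256"
tamper_sample_tree "$work/etc"
echo "differences since baseline:"
changed_startup_files "$work/baseline.sha256" "$work/etc"
rm -rf "$work"
```

Run `make_baseline` once on a clean system and `changed_startup_files` from cron alongside logcheck; an empty report is the normal case. As amar notes, a replaced ls or ps will lie to you, and the same goes for sha256sum and awk, so the comparison is only trustworthy when run from known-good binaries (a rescue CD is the simplest option).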