I wonder

[Glennzo]

Hello all. I wonder if anyone could tell me how I would know if I've been hacked or compromised. I have no reason to believe that this has happened, but I know very little about computer security, therefore I wouldn't know if anything is going on 'behind the scenes'. Are there tools available that will tell me if there is a problem? What steps should I take to prevent such an occurance? I am running Mandrake 10 on a small home network. My linux box connects to the internet through a Netgear RP114 router. I don't think that there is any software firewall running. The ip address from Comcast is dynamic, but I can't say how often it actually changes. Also, what log files do I need to be reading? Are they easy to interpet?

 

Thanks in advance.

 

Glenn

[johanl]

Well, I've got some advice for you. First of all, it would be best if you install (if it hasn't already been installed yet) (Webmin.

You can then configure your server using a webbrowser. Go to https://server's ip address:10000 and the Webmin page should come up asking you to login as root. With webmin you can easily check all the logs files (you can find them on the System tab), and log files could tell you more about a possible hack attempt.

 

Also, most routers have a built in firewall, my Zyxel has one and it actually works pretty good.

[papaschtroumpf]

I run a script called logwatch daily from a cron job (www.logwatch.org ) it parses logs on my system and tells me of any suspiscious acitivity through email. you can set it to be pretty verbose or terse depending on what you want. This script alerted me to scripts trying to log into my SSH port starting in late July for example.

I will also show failed log in attempts and tha kind of things.

 

You can run a firewall on your linux machine, but you should be in good shape just because ofthe fact that your router does NAT which makes network attacks more difficult. The Netgear RP114 doesn't have a built in firewall though. Overall I'd say you're pretty safe, especially if you have not enabled a bunch of ports for forwarding in your firewall (if you don't know what I'm talking about, you're probably safe).

 

 

If you suspect you were hacked, you can always urpmi chkrootkit (see www.chkrootkit.org for more info) and run it, it'll tell you if it looks like a rootkit was installed.

I alwyas remove it when I'm done and re-install it before a check (from a local copy) so that I'm sure it's not been compromised itself.

Edited September 1, 2004 by papaschtroumpf

[bvc]

as papaschtroumpf suggest, install chkrootkit. You can

tail -f /var/log/messages

look at the logs, they'll tell ya. Shorewall has been going crazy on me and someone sure is trying but , root can kill root ;)