The most common system compromises come from "script kiddies" who scan the
Internet looking for machines with specific vulnerabilities. Once these
machines are identified, the script kiddie exploits the machine, gaining root
access to the system. The primary purpose of gaining root access with these
exploits is to use the compromised systems in a distributed denial of service
attack against specific targets. Therefore, while your system may or may not
be of great importance to the outside world, it can be used as a participant
in a distributed DoS attack, which conceals the attacker's identity and leaves
you with the liability.
The "script kiddie" can be both a person and a process. The script kiddie
process is one of finding systems with vulnerabilities and exploiting them.
A script kiddie differs from most hacking processes in that a normal hack is
targeted at a specific system, e.g. the Department of Defense.
One way to tell whether your system was probed at random for a specific
exploit is to check your security logs and see which ports were probed. If
you were only hit on a single port, you were probably scanned at random. If,
however, you see that multiple ports were probed multiple times, you may have
been targeted.
A script kiddie will commonly scan a block of IP addresses looking for a
specific exploit. This is rather stealthy, since the exploit is usually on a
single port, and a single failed connection attempt on a single port will not
look overly suspicious to system administrators. Once the hacker has found a
system with the exploit, he will compromise the system and use it for more
detailed port scanning of IP address blocks, creating a database that he will
use at a later date.
Once a new exploit has been found, the script kiddie will scan the database
for vulnerable machines and then exploit them, often patching the hole to
keep the system secured from other hackers. At this point, the hacker will
probably have enough compromised systems to begin a distributed attack against
a specific system.
Log Files
All services run through TCP wrappers (tcpd, started by the inetd daemon) log
both successful and unsuccessful network connections in the /var/log/secure
log file.
TCP Wrapper Log Files:
/etc/syslog.conf (configuration that selects the file syslog writes each message to)
/var/log/secure
/var/log/messages
Other Log Files:
/var/log/maillog
/var/log/httpd/access_log
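The single-port versus multiple-port check described above can be run directly over the TCP wrapper lines in /var/log/secure. The following script is an added example, not from the original page: it groups the tcpd entries by remote host and counts how many distinct services each host touched. The log format it assumes is the classic tcpd syslog line ("<date> <host> <daemon>[<pid>]: [refused] connect from <src>"), and the sample lines are constructed, not real log data.

```shell
#!/bin/sh
# Added example, not from the original page: score each remote host seen in
# TCP-wrapper log lines by how many distinct services it touched. One service
# suggests a random scan for a single exploit; several suggest the host was
# looked at more deliberately. Format assumed (classic tcpd via syslog):
#   "<date> <host> <daemon>[<pid>]: [refused] connect from <src>"

# classify_sources LOGFILE
#   prints one line per source: "<src> <services> <attempts> <verdict>"
classify_sources() {
    awk '
    / connect from / {
        svc = $5; sub(/\[.*$/, "", svc)       # "in.ftpd[2210]:" -> "in.ftpd"
        src = $NF                             # last field is the remote host
        if (!((src, svc) in seen)) { seen[src, svc] = 1; nsvc[src]++ }
        attempts[src]++
    }
    END {
        for (s in attempts) {
            verdict = (nsvc[s] > 1) ? "possibly-targeted" : "likely-random-scan"
            printf "%s %d %d %s\n", s, nsvc[s], attempts[s], verdict
        }
    }' "$1" | sort
}

# verdict_for SRC LOGFILE: just the verdict for one source host
verdict_for() {
    classify_sources "$2" | awk -v s="$1" '$1 == s { print $4 }'
}

# --- constructed sample lines (not real log data) so the example runs offline ---
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 01:12:07 gw in.ftpd[2210]: refused connect from 192.0.2.10
Mar  3 01:12:08 gw in.telnetd[2211]: refused connect from 192.0.2.10
Mar  3 01:12:09 gw in.fingerd[2212]: refused connect from 192.0.2.10
Mar  3 01:14:30 gw in.telnetd[2218]: refused connect from 192.0.2.10
Mar  3 02:40:11 gw in.ftpd[2301]: refused connect from 198.51.100.7
Mar  3 03:05:42 gw in.ftpd[2355]: connect from 203.0.113.9
EOF

classify_sources "$SAMPLE_LOG"
# 192.0.2.10 3 4 possibly-targeted
# 198.51.100.7 1 1 likely-random-scan
# 203.0.113.9 1 1 likely-random-scan
```

On a live system replace "$SAMPLE_LOG" with /var/log/secure (or wherever /etc/syslog.conf sends the authpriv facility). The verdict is only a hint: a host that hit three services once each deserves a closer look, a host that hit one service once is consistent with the random sweep described earlier.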
You can identify which files have been modified with an application known as
'tripwire'. You may want to run a statically linked version of tripwire from a
read-only floppy, so that a compromised system cannot tamper with the checker
or its database of known-good checksums.
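The core of what tripwire does, reduced to two shell functions, as an added example that is not tripwire's code or from the original page: "baseline" records a SHA-256 digest for every regular file under a directory, and "check" reports files that were added, removed or changed since the baseline was taken. It assumes GNU coreutils (sha256sum), and the demonstration tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not tripwire itself and not from the original page: the idea
# behind a file-integrity checker. "baseline" records a SHA-256 digest per
# regular file; "check" reports ADDED/REMOVED/CHANGED files against a saved
# baseline. Assumes GNU coreutils (sha256sum). As the text advises for
# tripwire, keep the baseline file and the tools that read it on read-only
# media so an intruder with root cannot adjust them to match his changes.

# baseline DIR: one "<sha256>  <path>" line per regular file, sorted by path
baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# check DIR BASELINE_FILE: print ADDED/REMOVED/CHANGED lines, exit 1 if any
check() {
    baseline "$1" | awk -v base="$2" '
    BEGIN {
        bad = 0
        # sha256sum lines are fixed width: 64 hex chars, two spaces, path
        while ((getline line < base) > 0)
            old[substr(line, 67)] = substr(line, 1, 64)
        close(base)
    }
    {
        path = substr($0, 67); sum = substr($0, 1, 64)
        if (!(path in old))        { print "ADDED " path;   bad = 1 }
        else if (old[path] != sum) { print "CHANGED " path; bad = 1 }
        seen[path] = 1
    }
    END {
        for (p in old) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
        exit bad
    }'
}

# --- constructed demonstration tree so the example runs offline ---
demo=$(mktemp -d)
printf 'bin: original\n' > "$demo/ls"
printf 'bin: original\n' > "$demo/ps"
baseline "$demo" > "$demo.baseline"        # taken while the tree is trusted

printf 'bin: trojaned\n' > "$demo/ls"      # a replaced binary
rm "$demo/ps"                              # a deleted file
printf 'new\n' > "$demo/netstat"           # an added file
check "$demo" "$demo.baseline" || echo "integrity violations found"
```

Real tripwire also records ownership, permissions, inode numbers and timestamps, and signs its database; a digest-only baseline such as this one still catches the trojaned ls, ps and netstat binaries that a rootkit drops, provided the baseline was taken before the compromise and is stored where root on the compromised machine cannot rewrite it.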
Intruder Tactics
Once a hacker has root access to a system, he will usually download a "rootkit"
from an FTP server and use the kit to install trojans and backdoors on your
system, allowing him access at any time. The hacker will then delete the
exploited root account, clear any log files not cleared by the rootkit, log
out, and return at a later time. Most system administrators who do not
implement a solid security system will never know their system has been
compromised.
Intruders gain access through buffer overrun exploits that create a user with
UID 0. Then they log in, check who is on the system ("% w"), and replace
certain binaries with trojans that hide their presence. Some automated tools
for this presence hiding (known as 'rootkits') do all of this for the user.
One common rootkit is known as 'lrk4'.
Often an intruder will make a hidden directory inside a directory most
administrators rarely access. The hidden directory will often be a directory
whose name begins with a period and ends in a space:
cd /dev
mkdir ". "
cd ". "
The ". " directory is hidden: ls will not show it, and in ls -la it looks like
the current-directory entry ".", since the trailing space is invisible. If you
trust the integrity of your find command, you can find it (this pattern lists
every name containing a dot, so look for the entry that ends in a space):
% find / -depth -name "*.*"
An intruder may copy the file /dev/null over /var/run/utmp and /var/log/utmp
and delete /var/log/wtmp; you know something is wrong when these logs contain
no data:
% last -10
last: /var/log/wtmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging last info.
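The three indicators described in this section (an extra UID 0 account, a directory name ending in whitespace, and emptied utmp/wtmp files) can each be checked with a few lines of shell. The script below is an added example, not from the original page: every check is a function that takes a path, so it runs here against constructed sample data and can be pointed at /etc/passwd, /dev, /var/run and /var/log on a live machine. The sample passwd entries and directory tree are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: three small checks for the
# post-compromise indicators described above. Run them with a find and awk
# you trust (e.g. statically linked copies from read-only media), since a
# rootkit may have replaced the local binaries to hide exactly these things.

# extra_uid0 PASSWD_FILE: account names other than root whose UID is 0
extra_uid0() {
    # passwd fields: name:passwd:uid:gid:gecos:home:shell
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# hidden_dirs ROOT: directories whose names end in a space or a tab, which
# plain "ls" output does not reveal (". " looks just like ".")
hidden_dirs() {
    tab=$(printf '\t')
    find "$1" -depth -type d \( -name "* " -o -name "*$tab" \) -print
}

# empty_login_logs DIR: utmp/wtmp files in DIR that are missing or zero-length,
# the state "last" and "w" are left in after /dev/null is copied over them
empty_login_logs() {
    for f in "$1/utmp" "$1/wtmp"; do
        if   [ ! -e "$f" ]; then echo "MISSING $f"
        elif [ ! -s "$f" ]; then echo "EMPTY $f"
        fi
    done
}

# --- constructed sample data (not from a real system) so the example runs offline ---
sample=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\n'        > "$sample/passwd"
printf 'bin:x:1:1:bin:/bin:/sbin/nologin\n'    >> "$sample/passwd"
printf 'toor:x:0:0::/:/bin/sh\n'               >> "$sample/passwd"   # second UID 0
mkdir -p "$sample/dev/fd" "$sample/dev/. "                            # hidden dir
mkdir -p "$sample/log" && : > "$sample/log/utmp"                      # zero bytes, no wtmp

extra_uid0 "$sample/passwd"       # toor
hidden_dirs "$sample/dev"         # <sample>/dev/. 
empty_login_logs "$sample/log"    # EMPTY <sample>/log/utmp, MISSING <sample>/log/wtmp
```

On a real system the first check is "extra_uid0 /etc/passwd", the second "hidden_dirs /" (expect noise from /proc, so exclude it or run on /dev, /usr and /var separately), and the third "empty_login_logs /var/run" plus "empty_login_logs /var/log". A freshly booted machine legitimately has a small utmp, so compare sizes against what the host normally shows rather than treating any short file as proof of tampering.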