How do I tell I was hacked?

richard childers / kg6hac fscked at pacbell.net
Sat Jun 12 14:08:10 GMT 2004


>Date: Sat, 12 Jun 2004 13:15:33 +0200
>From: "Peter Rosa" <prosa at pro.sk>
>Subject: Hacked or not ?
>To: "FreeBSD Security" <freebsd-security at freebsd.org>
>Message-ID: <016301c4506e$947644e0$3501a8c0 at pro.sk>
>
>Hi all,
>
>please advise me - I was on holidays for one week. After return I found in
>security mails from router (chkrootkit) following message:
>Checking `lkm'... You have     1 process hidden for readdir command
>You have     1 process hidden for ps command
>Warning: Possible LKM Trojan installed
>
>It appeared only once. From previous and next days reports, the message is
>not present.
>
>How could I be sure, the machine is not hacked ?

[1]   Make backups. tar(1), dump(8), doesn't matter.
[2]   Reinstall identical operating system on new equipment.
[3]   Restore backups into large partition sized for this operation (call it '/backups').
[4]   Compare the contents of each directory in /backups recursively against a known good copy. For example, to compare /usr against the backed-up image, do this:

    # diff -r /usr /backups/usr

[5]   Review the list for files which differ or which do not exist on the known good copy.
[6]   Exclude files for which there are good reasons for difference (i.e., logs and state files).
[7]   Analyze the resulting files; pay particular attention to executables, but also libraries.

You may also find it useful to reload the old operating system onto a 
box on an insulated network and monitor the operating system, its 
processes and its network traffic, using known good tools.


Regards,

-- richard

-- 

Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com
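The compare-and-triage steps [4] to [7] above, as an added Python example that is not from the post or from FreeBSD: it hashes every regular file under a restored backup tree against the same path in a fresh install, skips a constructed list of log and state prefixes, and reports the differences with executables and libraries first. The two trees built in demo() are constructed sample data, not a real system.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Constructed exclusions: logs and state files that legitimately differ (step 6).
DEFAULT_EXCLUDES = ("var/log/", "var/run/", "var/db/")
def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()
def _kind(path):
    """Label a file so executables and libraries are reviewed first (step 7)."""
    if ".so" in path.name:
        return "library"
    return "executable" if path.stat().st_mode & 0o111 else "other"
def triage(good_root, suspect_root, excludes=DEFAULT_EXCLUDES):
    """Regular files in the suspect tree that are absent from, or differ from,
    the known-good tree, as (relative path, finding, kind). Symlinks are
    skipped here; compare them separately with diff -r."""
    good_root, suspect_root = Path(good_root), Path(suspect_root)
    findings = []
    for dirpath, _, names in os.walk(suspect_root):
        for p in (Path(dirpath, n) for n in names):
            rel = p.relative_to(suspect_root).as_posix()
            if p.is_symlink() or rel.startswith(excludes):
                continue
            twin = good_root / rel
            if not twin.is_file():
                findings.append((rel, "not-in-known-good", _kind(p)))
            elif _sha256(twin) != _sha256(p):
                findings.append((rel, "differs", _kind(p)))
    order = {"executable": 0, "library": 1, "other": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))
def demo():
    """Constructed sample trees: a clean install beside a restored backup."""
    base = Path(tempfile.mkdtemp())
    files = [  # (tree, relative path, content, mode)
        ("good", "bin/ls", b"ls", 0o755), ("bad", "bin/ls", b"ls-patched", 0o755),
        ("bad", "lib/libhide.so", b"hook", 0o444),
        ("good", "etc/rc.conf", b"a", 0o644), ("bad", "etc/rc.conf", b"b", 0o644),
        ("good", "var/log/messages", b"", 0o644), ("bad", "var/log/messages", b"x", 0o644),
    ]
    for tree, rel, content, mode in files:
        f = base / tree / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)
        f.chmod(mode)
    return triage(base / "good", base / "bad")
```

On a real box, call triage("/usr", "/backups/usr") from the freshly installed system and review each reported executable and library by hand; the log file under var/log is excluded by the constructed prefix list, so it does not appear.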
