An Interesting read for Linux server admins:

praka123 · Aug 27, 2007

It is very rare that your Linux PC which you use as a Desktop will get compromised especially if you do not run any services like a web server, mail server and so on. More over many modern Linux distributions like for example Ubuntu, targeted at the end user ship with all the ports closed by default. And others like PCLinuxOS bundles with it a robust firewall. So it makes the job of an intruder all the more harder to crack into your machine.

But suppose after all the precautions you take, some resourceful cracker succeeds in finding a loophole and hacks into your machine, how do you detect that your machine has been compromised in the first place?

Lars has written a step-by-step process by which he ascertains that a Linux server run by his friend has been compromised by an intruder. His findings throw light on what you can expect and the steps to take when you are suspicious of getting your machine rooted.

The server was running a fairly updated Ubuntu 6.06 LTS. He goes on to conclude that the compromise could have been caused by :

An exploit unknown to the public.
A user accessing this server from an already compromised host. The attacker could then sniff the the password.

Read this very interesting article which throws some light on the actions of a hacker.

source:
*linuxhelp.blogspot.com/2007/08/how-to-find-out-if-your-linux-machine.html

article :read here:
*blog.gnist.org/article.php?story=HollidayCracking

kalpik · Aug 27, 2007

A VERY interesting read! Thanks for the link! Ill keep an eye on my servers

praka123 · Aug 27, 2007

btwn dont have servers-but i got rkhunter installed which hopefully detects spreading ones.

Yamaraj · Aug 27, 2007

There is a reason why Fedora/Red Hat/CentOS ship with SELinux and SUSE with AppArmor. It's high time Ubuntu started doing the same.

infra_red_dude · Aug 27, 2007

i agree yamraj, i think ubuntu and related distros should include se linux or come up wid something of their own. its high time now....

thanks for the article, prakash

it sure is thot provoking. ubuntu users should be wary of this....

praka123 · Aug 27, 2007

Maybe Debian too shud be counted.but there is always the SE linux option in Debian & ubuntu(via apt).yeah it needs to be integrated.
though i am confused with PAM(pluggable authentication module)

mehulved · Aug 28, 2007

praka123 said:
btwn dont have servers-but i got rkhunter installed which hopefully detects spreading ones.

I doubt it will be too useful. A good hacker/cracker will try to modify all such tools to hide their tracks. So, a better idea is to check for rootkits from a live cd. But, how useful that is, I am not so sure. From what I've read it's not that promising.

Gigacore · Aug 28, 2007

nice post. thanks buddy

kalpik · Aug 28, 2007

infra_red_dude said:
i agree yamraj, i think ubuntu and related distros should include se linux or come up wid something of their own. its high time now....

thanks for the article, prakash it sure is thot provoking. ubuntu users should be wary of this....

Yeah.. The next version of Ubuntu (Gutsy Gibbon) would include AppArmour by default

An Interesting read for Linux server admins:

praka123

left this forum longback

kalpik

In Pursuit of "Happyness"

praka123

left this forum longback

Yamaraj

The Lord of Death

infra_red_dude

Wire muncher!

praka123

left this forum longback

mehulved

18 Till I Die............

Gigacore

Dreamweaver

kalpik

In Pursuit of "Happyness"