Security Incidents mailing list archives

Re: SSH Attempts: Link to RedHat?


From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 18 Dec 2001 14:31:17 -0800 (PST)

> Besides checking the standard /var/log/messages log, are there any
> suggestions as to where I should check for possible breaches
> in this individual's system?

> I'd check the integrity of the installed rpms:
> 
>       [jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done

I wouldn't trust the RPM database on the system to tell you the truth,
as it could be modified easily just like the original programs.
Better to check against the original CD-ROM and/or a trusted archive.
I have the basics of how to do this in:

        http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

> I'd also look for recent additions in /dev (which seems to be the
> directory of choice for rootkits):
> 
>       [jon@devotchka /dev]$ ls -tla|more

Being the "directory of choice" means it's best to choose another
directory, so someone suggesting "/dev is the place to look" will be
fooled.  I've seen UUCP spool directories, catman directories,
termcap directories, /var/log directories... The best place to hide
something is where you don't expect someone to look for it.  See
also:

        http://project.honeynet.org/challenge/results/

> ...outdated software run by an inexperienced admin. Not a particularly hard
> target from a script-kiddie POV. Then again, maybe you'll find the
> fabled openssh2 remote exploit...

If you do, send it my way. ;)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
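The two checks Dave recommends above (verify the installed files against a trusted copy rather than the host's own RPM database, and hunt for recently added files across the whole tree rather than just /dev) as an added example. This is not Dave Dittrich's code, nor anything from the rootkits FAQ or the honeynet challenge; it assumes a read-only copy of the original system (CD-ROM mount or trusted archive) is available to build the reference manifest from, and that file paths contain no whitespace. The trusted tree, the suspect copy and the tampering in `demo` are all constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or the tools it names).
# Assumptions: a trusted copy of the original files exists to build the
# manifest from, and paths contain no whitespace (demo simplification).
# The suspect host's own RPM database is never consulted.

# build_manifest TRUSTED_ROOT
# Print "<sha256>  <relative path>" for every file under the trusted tree.
build_manifest() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort | while read -r p; do
        sha256sum "$p"
    done)
}

# verify_manifest MANIFEST SUSPECT_ROOT
# Report files that are MISSING, MODIFIED (hash differs from the trusted
# copy) or UNLISTED (present on the suspect host but not in the manifest).
# Returns 1 if anything was reported.
verify_manifest() {
    manifest=$1; root=$2; rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -e "$f" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    for p in $(cd "$root" && find . -type f | sed 's|^\./||' | sort); do
        awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || { echo "UNLISTED $p"; rc=1; }
    done
    return $rc
}

# recent_files ROOT REFERENCE_FILE
# List every regular file under ROOT modified after REFERENCE_FILE, over the
# whole tree rather than only /dev. Timestamps can be forged with touch, so
# treat a quiet result as a lead, not as proof of integrity.
recent_files() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# demo: constructed trusted tree vs. a suspect copy with a trojaned ps and a
# rootkit file dropped under the UUCP spool (not /dev). Prints the findings.
demo() {
    tmp=$(mktemp -d)
    trusted="$tmp/trusted"; host="$tmp/host"; ref="$tmp/ref"
    mkdir -p "$trusted/bin" "$trusted/var/spool/uucp" "$host"
    printf 'original ls\n' > "$trusted/bin/ls"
    printf 'original ps\n' > "$trusted/bin/ps"
    cp -R "$trusted/." "$host/"
    build_manifest "$trusted" > "$tmp/manifest"   # from the trusted copy only
    find "$host" -exec touch -t 202001010000 {} +  # pretend the install is old
    touch -t 202006010000 "$ref"                   # "last known good" date
    printf 'trojaned ps\n' > "$host/bin/ps"              # attacker's changes
    printf 'rootkit\n'     > "$host/var/spool/uucp/.x"   # happen "now"
    verify_manifest "$tmp/manifest" "$host" || true
    recent_files "$host" "$ref" | sed "s|^$host/||"
    rm -rf "$tmp"
}

demo
```

The hashes in the manifest come only from the trusted copy, so a tampered RPM database on the suspect host changes nothing; the mtime sweep is the cheap second pass, and a file that shows up in `recent_files` but not in `verify_manifest` is exactly the kind of thing dropped into a spool or termcap directory that nobody thinks to check.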

