Check if linux box has been hijacked

Hello EE. I have a Linux box with Fedora 5, with iptables, squid and samba set up. This box does routing for a network comprising 15 computers. How can I check to see if someone has hijacked the Linux box and is using it to download or store malicious data? I just want to rule this out as I look at other problems on the network.

aduhwale asked.

Blaz commented:
About using iptraf:
The best way is to select LAN station monitor and then select the interface of your internal network.
Then you have InRate and OutRate in kbits per second for each LAN station in your Ethernet segment; you can see the MAC address of the stations.

If some station is causing a suspicious amount of traffic, figure out what computer that is. Every IP scanner will output the MAC addresses of your local network with their machine names and IPs. Inspect that computer to see why it is causing so much traffic.

In IP traffic monitor you can see what the client and server IPs and ports of the TCP sessions are, so that can give you more of an idea what kind of traffic there is (server port number, for example). You can limit the output to a single IP or single port etc. in the Filters option.

paradoxengine commented:
You mean that you want to check if the box has been hacked, actually. Computer forensics is a difficult discipline, and it's not easy to explain it as a whole. Good starting points are forensic-oriented live distributions (like Helix, but there are many others).
Some very simple (and utterly ineffective in practice) inspection techniques are checking bash_history logs and the last log, and running chkrootkit and rkhunter.

aduhwale (author) commented:
Hi. Thanks for your response. Here is my situation. Said Linux box manages the internet connection for the LAN. Over the last few days, the ISP download limit has been exceeded by large amounts and I am trying to establish which PC is downloading so much. I have checked almost all the Windows clients, then it occurred to me that the Linux box could have been hijacked and could be the culprit.

Blaz commented:
In Fedora quite a good test is to check the signatures of RPM packages against the RPM database.
Important packages that are usually the first to be hacked are procps and net-tools, so run:
rpm -V procps
rpm -V net-tools

These two commands should return nothing if the packages have the correct signature. If some difference is returned you have been hacked.

Blaz commented:
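One way to read what those two commands print, as an added example that is not from the thread (the flag letters are rpm's documented verify codes; the sample lines are constructed to stand in for a real run):

```shell
#!/bin/sh
# Added example (not from the thread): interpret "rpm -V" output.
# rpm -V prints one line per file that fails verification. The first field
# is a flag string such as "S.5....T" (S=size, M=mode, 5=digest, D=device,
# L=link, U=user, G=group, T=mtime, P=capabilities; "." = test passed),
# optionally followed by a file type ("c" = config file), then the path.
# The word "missing" means a packaged file no longer exists on disk.
# A changed digest, size or mode, or a missing file, counts as an alarm;
# an mtime-only change is metadata noise and is only noted.

# classify_rpm_verify: reads rpm -V output on stdin, prints one verdict per
# line, and returns 1 if any line looked like tampering, else 0.
classify_rpm_verify() {
    awk '
        {
            flags = $1; file = $NF
            if (flags == "missing") {
                print "ALARM missing file: " file; alarms++; next
            }
            if (flags ~ /^[S.][M.][5.][D.][L.][U.][G.][T.][P.]?$/) {
                if (flags ~ /[SM5]/) {
                    print "ALARM modified (" flags "): " file; alarms++
                } else if ($2 == "c") {
                    print "NOTE config file changed (" flags "): " file
                } else {
                    print "NOTE metadata only (" flags "): " file
                }
                next
            }
            print "NOTE unrecognised line: " $0
        }
        END { if (alarms > 0) exit 1; exit 0 }
    '
}

# verify_packages: run rpm -V on the packages the thread names (or on any
# packages passed as arguments) and classify the result.
verify_packages() {
    [ $# -gt 0 ] || set -- procps net-tools
    rpm -V "$@" | classify_rpm_verify
}

# Constructed sample output, standing in for a real "rpm -V procps net-tools"
# run on a tampered box: modified ps, touched config file, missing netstat.
SAMPLE='S.5....T  /bin/ps
.......T  c /etc/sysctl.conf
missing   /bin/netstat'

printf '%s\n' "$SAMPLE" | classify_rpm_verify || echo "verdict: tampering suspected"
```

On a real box run `verify_packages` (or `verify_packages some-other-package`) instead of the constructed sample; an empty result means every file in those packages still matches the database, which, as the later replies note, only proves anything if rpm itself is intact.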
After checking the above packages you should install the iptraf package. With it you can monitor the current network traffic and see the network transfer rates for each machine.

paradoxengine commented:
I agree with Blaz. Go for iptraf and watch what's going on. About the signatures: it's not a very trustworthy test, since if you've been hacked it's likely that an aggressor would have installed his version of rpm, but try it anyway.
Another (easier) way to go is to use the ntop package.

aduhwale (author) commented:
Hi all. I have followed your advice and am now monitoring the results of iptraf. What is ntop, btw? In the meantime I will monitor and let you know what I find.

Blaz commented:
I disagree with paradoxengine. I have seen hacked machines that behave like I described: hacked programs but an intact signature database. So the rpm -V command did output results.

If you have been hacked (and hacked good) then iptraf will not show you the correct network traffic.

aduhwale (author) commented:
Hi. rpm -V produced no results. I took that to mean I wasn't hacked :-) I then wanted to see if I could make out which machine is causing all the traffic. Looks like I need quite a bit more help than I thought, so I'm increasing the points on offer.

paradoxengine commented:
If you really want to have an idea what's going on, I strongly advise you to move outside that Linux box. IF it has been hacked (yes Blaz, you're right, a rootkit will prevent iptraf from behaving normally, but still I would not trust rpm for a second; I own at least 5 different rootkited versions of it) you are not going to have any result.
Connect to the mirror port of the main switch (I'm assuming you only have one switch, otherwise repeat the process ad libitum) or use a hub for "man in the middle"-style traffic monitoring. Then use iptraf or ntop on a new machine connected to the mirror port or the hub, and you will have a foolproof result. If you are going to trust the server (you should not) then Blaz's advice is ok.

aduhwale (author) commented:
Thanks all for your help. I have split the points and assigned the bigger share to Blaz because his comments ultimately helped me find the machine with all the traffic, via iptraf. Paradoxengine, your comments of course helped open my eyes to a wider security issue. Thank you both!