  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 347
  • Last Modified:

Check if linux box has been hijacked

Hello EE. I have a Linux box with Fedora 5 (iptables, squid and samba set up). This box does routing for a network comprising 15 computers. How can I check to see if someone has hijacked the Linux box and is using it to download or store malicious data? I just want to rule this out as I look at other problems on the network.

Asked: aduhwale

2 Solutions

paradoxengine commented:
You mean that you want to check if the box has been hacked, actually. Computer forensics is a difficult discipline, and it's not easy to explain it as a whole. Good starting points are forensic-oriented live distributions (like Helix, but there are many others).
Some very simple (and utterly ineffective in practice) inspection techniques are checking bash_history logs, last log and running chkrootkit and rkhunter.

aduhwale (Author) commented:
Hi. Thanks for your response. Here is my situation. Said Linux box manages the internet connection for the LAN. Over the last few days, the ISP download limit is being exceeded by large amounts and I am trying to establish which PC is downloading so much. I have checked almost all the Windows clients, then it occurred to me that the Linux box could have been hijacked and could be the culprit.

Blaz commented:
In Fedora quite a good test is to check the signatures of RPM packages compared to the RPM database.
Important packages that are usually the first to be hacked are procps and net-tools, so run:
rpm -V procps
rpm -V net-tools

These two commands should return nothing if the packages have the correct signature. If some difference is returned you have been hacked.
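As an added example, not written by any of the posters: a small POSIX shell helper that reads the lines `rpm -V` prints for packages such as procps and net-tools and separates the alarming ones (a missing file, a changed digest or mode on a binary) from the edited-config and timestamp-only noise a customised squid/samba box produces. The flag legend follows rpm's documented verify format; the sample output is constructed.

```shell
#!/bin/sh
# Classify what `rpm -V <package>` prints. Per rpm's documentation each line is
#   <attribute flags> [<file type letter>] <path>      or      missing  <path>
# Flags: S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities (recent rpm only; older rpm prints 8 columns);
# '.' = attribute matches the RPM database, '?' = test could not be run;
# file type 'c' marks a config file.
set -f   # no globbing: a '?' flag must not expand against the working dir
# Constructed sample, as if produced by: rpm -V net-tools procps samba-common
SAMPLE='S.5....T.    /bin/netstat
.......T.  c /etc/samba/smb.conf
missing     /usr/bin/top'

# Print one classification for a single rpm -V line (paths without spaces).
classify_line() {
  set -- $1                           # word-split into: flags [type] path
  flags=$1
  if [ "$flags" = "missing" ]; then
    echo "ALARM $2 file missing"
    return
  fi
  if [ $# -eq 3 ]; then ftype=$2; path=$3; else ftype=""; path=$2; fi
  case "$flags" in
    *[SM5DLUG]*)
      # Changed digest/size/mode/owner on a binary is the real signal; on an
      # edited config file it is expected on a customised squid/samba box.
      if [ "$ftype" = "c" ]; then
        echo "NOTE $path config file edited"
      else
        echo "ALARM $path content/mode/owner differs from package"
      fi ;;
    *)
      echo "NOTE $path only timestamp differs" ;;
  esac
}

# Read rpm -V output on stdin, echo each classification to stderr and print
# the number of ALARM findings on stdout (0 = nothing beyond config/mtime noise).
alarm_count() {
  n=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    r=$(classify_line "$line")
    echo "$r" >&2
    case "$r" in ALARM*) n=$((n + 1)) ;; esac
  done
  echo "$n"
}

# Stand-alone run on the constructed sample (prints 2):
printf '%s\n' "$SAMPLE" | alarm_count
```

On the box itself it would be run as `rpm -V procps net-tools | alarm_count`, with paradoxengine's point in mind that a replaced rpm binary would not report honestly.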

Blaz commented:
After checking the above packages you should install the iptraf package. With it you can monitor the current network traffic and see the network transfer rates for each machine.

paradoxengine commented:
I agree with Blaz. Go for iptraf and watch what's going on. About the signatures: it's not a very trustworthy test, since if you've been hacked it's likely that an aggressor would have installed his version of rpm, but try it anyway.
Another (easier) way to go is to use the ntop package.

aduhwale (Author) commented:
Hi all. I have followed your advice and am now monitoring the results of iptraf. What is ntop, btw? In the meantime I will monitor and let you know what I find.

Blaz commented:
I disagree with paradoxengine - I have seen hacked machines that behave like I described - hacked programs but intact signature database. So the rpm -V command did output results.

If you have been hacked (and hacked good) then iptraf will not show you the correct network traffic.

aduhwale (Author) commented:
Hi. rpm -V produced no results. I took that to mean I wasn't hacked :-) I then wanted to see if I could make out which machine is causing all the traffic. Looks like I need quite a bit more help than I thought, so I'm increasing the points on offer.

Blaz commented:
About using iptraf:
the best way is to select LAN station monitor and then select the interface of your internal network.
Then you have InRate and OutRate in kbits per second for each LAN station in your ethernet segment - you can see the MAC address of the stations.

If some station is causing a suspicious amount of traffic, figure out what computer that is. Every IP scanner will output the MAC addresses of your local network with their machine names and IPs. Inspect that computer to see why it is causing so much traffic.

In IP traffic monitor you can see the client and server IPs and ports of the TCP sessions, so that can give you more of an idea what kind of traffic there is (server port number for example). You can limit the output to a single IP or single port etc. in the Filters option.

paradoxengine commented:
If you really want to have an idea what's going on, I strongly advise you to move outside that Linux box. IF it has been hacked (yes Blaz, you're right, a rootkit will prevent iptraf from behaving normally, but still I would not trust rpm for a second, I own at least 5 different rootkited versions of it) you are not going to have any result.
Connect to the mirror port of the main switch (I'm assuming you only have one switch, otherwise repeat the process ad libitum) or use a hub for a "man in the middle"-style traffic monitoring. Then use iptraf or ntop on a new machine connected to the mirror port or the hub, and you will have a foolproof result. If you are going to trust the server (you should not) then Blaz's advice is ok.

aduhwale (Author) commented:
Thanks all for your help. I have split the points and assigned the bigger share to Blaz because his comments ultimately helped me find the machine with all the traffic via iptraf. Paradoxengine, your comments of course helped open my eyes to a wider security issue. Thank you both!