
MD5 Check (was Re: i am hacked atm.. what's better thing to do?)



On Mon, Nov 06, 2000 at 04:43:13PM +0800, Livia Admin wrote:
> Hey guys, please reply to my real email address because I'm not on the lists.
> 
> I think I'm compromised, because when I do netstat I see a telnet
> connection established to my box for almost 1 hour. I do ps but see
> only 'in.telnetd'. Is there any way that I will know what he is
> doing before I'll disconnect him?

Here's a little-known trick for a very minimalistic intrusion
detection hack.  Debian installs a file called <package>.md5sums in
the directory /var/lib/dpkg/info/.  If you move yourself to the root
partition:

	bash$ cd /

And run md5sum -c on the package files (the paths inside each
.md5sums file are relative to /, which is why you cd there first):

	bash$ for i in /var/lib/dpkg/info/*.md5sums ; do \
	> md5sum -c "$i" ; done &> /tmp/check.out

You can pipe the output to an email to see if any of your installed
programs have been tampered with.  Tie it in with cron, and you've one
more tool to use...

## Crontab entry for your user... (crontab does not understand
## backslash line continuation, so the whole command goes on one line)

00 03 * * * cd /; for i in /var/lib/dpkg/info/*.md5sums ; do md5sum -c "$i" ; done

Of course, this is nowhere near the same usefulness that running
tripwire or aide might give you.  If neither of these is installed,
this "trick" may add a little more info to your clue box.

Good luck!

-- 
Chad "^chewie, gunnarr" Walstrom <chewie@wookimus.net>
             http://www.wookimus.net/
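The md5sum -c loop from the message above, as an added example that is not part of the original post: a cron-friendly wrapper that prints only the files that fail to verify (prefixed with the package name) and returns non-zero when anything differs, so an empty cron mail means "all OK". It is run here against a constructed throw-away tree instead of /var/lib/dpkg/info and /, and assumes GNU coreutils md5sum (for -c and --quiet).

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU md5sum.

# check_md5sums INFODIR ROOT
#   INFODIR: directory holding <package>.md5sums (normally /var/lib/dpkg/info)
#   ROOT:    filesystem root the relative paths refer to (normally /)
check_md5sums() {
    infodir=$1; root=$2; bad=0
    for list in "$infodir"/*.md5sums; do
        [ -f "$list" ] || continue            # glob matched nothing
        pkg=$(basename "$list" .md5sums)
        # The list holds "hash  usr/bin/foo" lines relative to /, so the
        # check must run from ROOT. --quiet leaves only FAILED lines on
        # stdout; md5sum's own summary goes to stderr and is dropped.
        out=$(cd "$root" && md5sum --quiet -c "$list" 2>/dev/null)
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | sed "s/^/$pkg: /"
            bad=1
        fi
    done
    return $bad
}

# make_fixture DIR: build a constructed, throw-away tree to try the
# check on: two "packages", one of whose files is modified after its
# md5sums list was written (what a replaced binary looks like).
make_fixture() {
    dir=$1
    mkdir -p "$dir/root/usr/bin" "$dir/info"
    printf 'echo hello\n' > "$dir/root/usr/bin/hello"
    printf 'echo bye\n'   > "$dir/root/usr/bin/bye"
    (cd "$dir/root" && md5sum usr/bin/hello) > "$dir/info/hello.md5sums"
    (cd "$dir/root" && md5sum usr/bin/bye)   > "$dir/info/bye.md5sums"
    # Contents change, the recorded hash does not: this must be reported.
    printf 'echo changed\n' > "$dir/root/usr/bin/hello"
}

# Example run on the constructed tree; on a real Debian box you would
# call: check_md5sums /var/lib/dpkg/info /
tmp=$(mktemp -d)
make_fixture "$tmp"
if check_md5sums "$tmp/info" "$tmp/root"; then
    echo "all files verified"
fi
# prints: hello: usr/bin/hello: FAILED
rm -rf "$tmp"
```

Keep in mind that the .md5sums lists sit on the same filesystem as the binaries they describe, so anything that can replace a binary as root can rewrite the list too, and dpkg's lists normally omit conffiles. That is the gap tripwire or aide close by keeping their database (and ideally the checker itself) somewhere the box cannot silently alter.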
