
Re: How to detect whether your machine is compromised?



On 10/05/2007 01:08 PM, Douglas A. Tutty wrote:
> On Fri, Oct 05, 2007 at 09:49:37PM +0530, Raj Kiran Grandhi wrote:
>> There is an article on slashdot,
>> http://it.slashdot.org/article.pl?sid=07/10/05/1234217&from=rss which 
>> says that most of the phishing sites are being run from rootkitted linux 
>> boxes. I dunno how accurate their analysis is (the results were not 
>> released), however I wonder if there is any way to establish whether a 
>> given machine is compromised or not.
>>
>> Are there any tools available that one can run on a regular basis? What 
>> measures can we take to ensure that we are somehow alerted if our system 
>> gets compromised?
> 
> There are some packages in Debian that can help.  However, remember that
> they have to be run from a known good box.  A rooted box won't tell you
> that it's been rooted.
> 
> If the article is correct, I wonder what's up with Linux that it's being
> rooted.

Apparently many (linux) servers run outdated software, are poorly
maintained, are poorly secured, or all the above.  Linux is attractive
because of its power, as stated in the computerworld article referred to
by slashdot.

For me, this explains all the ssh brute-force attacks.  And if you were
to ssh into an attacker on port 22, you'd see an old ssh version id.

fail2ban works wonders for me for protection.

Regards,
Ralph
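The banner check Ralph describes (connect to port 22 and look at the version string the daemon announces) can be done offline against collected banners. The script below is an added example for this thread, not code posted by anyone in it: it parses the RFC 4253 identification string, pulls the OpenSSH release out of the software field, and flags hosts that still offer protocol 1 or run a release older than a baseline. The sample banners are constructed for illustration, not captured from real hosts, and the 7.0 baseline is an arbitrary assumption for the example, not a claim about which releases are vulnerable.

```python
"""Parse SSH identification strings (RFC 4253, section 4.2) and flag
implementations older than a chosen baseline.

Added example for this thread, not code posted by anyone in it.  The
sample banners are constructed, not captured from real hosts, and the
OpenSSH baseline is an arbitrary assumption, not a statement about
which releases are vulnerable."""
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 4253: "SSH-protoversion-softwareversion SP comments CR LF";
# the comments field is optional and the two version fields contain
# no whitespace.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:[ \t]+(?P<comments>.*))?$"
)


class SshBanner(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> SshBanner:
    """Split one identification line into its three RFC 4253 fields.

    Raises ValueError for anything that is not an SSH banner, e.g. a
    service that answered on port 22 but is not sshd at all."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH software string such as
    'OpenSSH_4.3p2' or 'OpenSSH_9.2'; None for other implementations
    (dropbear, libssh, ...) whose version schemes differ."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", software)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def assess_banner(line: str, baseline: Tuple[int, int]) -> List[str]:
    """Return the findings for one banner; an empty list means nothing notable."""
    findings = []
    banner = parse_banner(line)
    # RFC 4253 servers that also speak protocol 1 announce "1.99";
    # anything below 2.0 means SSH-1 is still on offer.
    if float(banner.proto) < 2.0:
        findings.append("offers SSH protocol 1 (proto %s)" % banner.proto)
    ver = openssh_version(banner.software)
    if ver is None:
        findings.append("non-OpenSSH implementation: %s" % banner.software)
    elif ver < baseline:
        findings.append("OpenSSH %d.%d older than baseline %d.%d"
                        % (ver + baseline))
    return findings


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3\r\n",
    "SSH-1.99-OpenSSH_3.9p1\r\n",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n",
    "SSH-2.0-dropbear_2022.83\r\n",
    "220 mail.example.invalid ESMTP ready\r\n",   # something else on port 22
]

# Assumed baseline for the example: flag OpenSSH releases before 7.0.
# Arbitrary here; use whatever your own patch policy says.
DEFAULT_BASELINE = (7, 0)


def report(banners, baseline=DEFAULT_BASELINE):
    """Map each banner (CR LF stripped) to its findings; a line that is
    not an SSH banner at all gets the parse error as its single finding."""
    out = {}
    for line in banners:
        key = line.rstrip("\r\n")
        try:
            out[key] = assess_banner(line, baseline)
        except ValueError as exc:
            out[key] = [str(exc)]
    return out


if __name__ == "__main__":
    for line, findings in report(SAMPLE_BANNERS).items():
        print(line, "->", findings or ["ok"])
```

To feed it real data, collect banners from a known good box (the first line a server sends on connect) and pass them to `report`; as Douglas points out, asking a possibly rooted host about itself proves nothing, so the checking should happen from the outside.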


