Re: [CentOS] How to tell if I've been hacked?

2009-08-23 Thread Chan Chung Hang Christopher
Also processes you think you DO recognize: Just for testing how alert my co-workers were, I had a program called kswapd, just calculating prime-numbers... They never noticed. ;-) Without any preparation it's harder. No point in installing tripwire, activating apparmor/selinux afterwards.

Re: [CentOS] How to tell if I've been hacked?

2009-08-23 Thread Rob Townley
On Sat, Aug 22, 2009 at 6:07 PM, Bill Campbell cen...@celestial.com wrote: On Sat, Aug 22, 2009, Dave wrote: On Sat, Aug 22, 2009 at 6:49 AM, Bill Campbell cen...@celestial.com wrote: I review daily reports from over 50 systems every morning, checking changes found, usually taking no more than 10

Re: [CentOS] How to tell if I've been hacked?

2009-08-22 Thread Dave
On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich srehrl...@gmail.com wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? This is an interesting and frustrating

Re: [CentOS] How to tell if I've been hacked?

2009-08-22 Thread Bill Campbell
On Fri, Aug 21, 2009, Dave wrote: On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich srehrl...@gmail.com wrote: ... stuff deleted On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbell cen...@celestial.com wrote: To really know whether a system has been hacked, it's necessary to use something like Tripwire

Re: [CentOS] How to tell if I've been hacked?

2009-08-22 Thread Karanbir Singh
On 08/19/2009 02:53 AM, Scott Ehrlich wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? there have been some really good ideas that came through this

Re: [CentOS] How to tell if I've been hacked?

2009-08-22 Thread Bill Campbell
On Sat, Aug 22, 2009, Dave wrote: On Sat, Aug 22, 2009 at 6:49 AM, Bill Campbell cen...@celestial.com wrote: I review daily reports from over 50 systems every morning, checking changes found, usually taking no more than 10 minutes a day. The key is to keep the reports simple, and to make

Re: [CentOS] How to tell if I've been hacked?

2009-08-22 Thread drew einhorn
On Sat, Aug 22, 2009 at 10:49 AM, Bill Campbell cen...@celestial.com wrote: On Fri, Aug 21, 2009, Dave wrote: On Tue, Aug 18, 2009 at 3:53 PM, Scott Ehrlich srehrl...@gmail.com wrote: ... stuff deleted On Tue, Aug 18, 2009 at 6:57 PM, Bill Campbell cen...@celestial.com wrote: To really know

Re: [CentOS] How to tell if I've been hacked?

2009-08-21 Thread J.Witvliet
-Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Ryan Pugatch Sent: Wednesday, August 19, 2009 5:23 AM To: CentOS mailing list Subject: Re: [CentOS] How to tell if I've been hacked? Christopher Chan wrote: Scott Ehrlich wrote

Re: [CentOS] How to tell if I've been hacked?

2009-08-21 Thread Geoff Galitz
Also processes you think you DO recognize: Just for testing how alert my co-workers were, I had a program called kswapd, just calculating prime-numbers... They never noticed. ;-) Without any preparation it's harder. No point in installing tripwire, activating apparmor/selinux

Re: [CentOS] How to tell if I've been hacked?

2009-08-20 Thread Magnus Holmström
Check for failed logins in /var/log/messages. Check if the /etc/passwd file has been changed. Use commands like last, w and uptime. 2009/8/19 Eduardo Grosclaude eduardo.groscla...@gmail.com On Wed, Aug 19, 2009 at 1:57 AM, Bill Campbell cen...@celestial.com wrote: You cannot trust tools

Re: [CentOS] How to tell if I've been hacked?

2009-08-19 Thread Eduardo Grosclaude
On Wed, Aug 19, 2009 at 1:57 AM, Bill Campbell cen...@celestial.com wrote: You cannot trust tools like ``ps'', ``find'', ``netstat'', and ``lsof'' as these are frequently replaced by ones that are modified to hide the cracker's work. As a corollary, the only safe way to audit a suspected system

[CentOS] How to tell if I've been hacked?

2009-08-18 Thread Scott Ehrlich
There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? Thanks. Scott

Re: [CentOS] How to tell if I've been hacked?

2009-08-18 Thread Christopher Chan
Scott Ehrlich wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? rpm -Va is a good start for modified binaries/libraries. rootkit detectors is another

Re: [CentOS] How to tell if I've been hacked?

2009-08-18 Thread Ryan Pugatch
Christopher Chan wrote: Scott Ehrlich wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? rpm -Va is a good start for modified binaries/libraries.

Re: [CentOS] How to tell if I've been hacked?

2009-08-18 Thread Christopher Chan
Ryan Pugatch wrote: Christopher Chan wrote: Scott Ehrlich wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? rpm -Va is a good start

Re: [CentOS] How to tell if I've been hacked?

2009-08-18 Thread Bill Campbell
On Tue, Aug 18, 2009, Scott Ehrlich wrote: There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? To really know whether a system has been hacked, it's necessary to use