Russ Kay wrote:
Well, I just got a phone call stating that my server has gone over its
monthly bandwidth limit by 2TB. Taking into effect the amount of
bandwidth I used, there are 2.3TB of unaccounted activity. I did a few
checks to see what is going on (mainly to see if there are root kits or
sniffers). I checked the log and saw a lot of ssh activity (all denials
though). I am currently maxing out my pipe and need to stop this. So my
question is what should one actually do to see how his/her box is
compromised? What should I check, in which order should I check?

It's not fool-proof, but you can try
http://www.chkrootkit.org/

The problem is that ideally you would
a) pull the plug
b) Boot from clean media, and inspect the system

Given that you probably can't do this, I suggest you not aggravate your
visitor until you can kick him out.

If he hasn't compromised all of your binaries, you can take a look at
the traffic through netstat and tcpdump. If you want a more graphical
interface, ethereal can work with tcpdump output (you probably don't
want to run X on top of your already high bandwidth bills...)

Also, last time I did this, there was a key sniffer and trojaned ssh
sucking up passwords (yes, sniffing ptys, too). So have fun changing
all of them :(

-Ron
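As an added example (not part of Ron's reply or the original thread), here is a small POSIX shell script that does the "look at the traffic through netstat and tcpdump" step in a way that answers the bandwidth question directly: it sums bytes per source/destination pair from `tcpdump -nn -q` output and counts established connections per remote host from `netstat -tn` output, so the socket eating the pipe floats to the top. The sample lines embedded below are constructed for the example; the interface name `eth0` in the usage comment is an assumption. Because the thread's point is that the box's own binaries may be trojaned, the usage note explains running the capture tools from known-good media rather than trusting the installed copies.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn -q` output (not captured from the thread's server).
# With -q, TCP lines look like: IP <src>.<port> > <dst>.<port>: tcp <payload-bytes>
SAMPLE_TCPDUMP='IP 10.0.0.5.22 > 203.0.113.9.51234: tcp 1448
IP 10.0.0.5.22 > 203.0.113.9.51234: tcp 1448
IP 203.0.113.9.51234 > 10.0.0.5.22: tcp 0
IP 10.0.0.5.6667 > 198.51.100.7.40001: tcp 1448
IP 10.0.0.5.6667 > 198.51.100.7.40001: tcp 1448
IP 10.0.0.5.6667 > 198.51.100.7.40001: tcp 1448
IP 10.0.0.5.80 > 192.0.2.4.55000: tcp 512'

# Constructed sample of `netstat -tn` output (same caveat).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.0.0.5:6667           198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:6667           198.51.100.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.4.55000         TIME_WAIT'

# top_talkers: read tcpdump -q lines on stdin, print "bytes src > dst", biggest first.
# Only TCP lines with a numeric payload length are counted; everything else is ignored.
top_talkers() {
  awk '$1 == "IP" && $5 == "tcp" && $6 ~ /^[0-9]+$/ {
         sub(/:$/, "", $4)            # strip the trailing colon from the destination
         bytes[$2 " > " $4] += $6
       }
       END { for (k in bytes) printf "%d %s\n", bytes[k], k }' | sort -rn
}

# bytes_from: total payload bytes sent from one local socket (addr.port) in the sample.
bytes_from() {
  printf '%s\n' "$SAMPLE_TCPDUMP" |
    awk -v src="$1" '$1 == "IP" && $5 == "tcp" && $2 == src { t += $6 } END { print t + 0 }'
}

# conns_per_peer: read netstat -tn lines on stdin, print "count remote-ip" for
# ESTABLISHED sockets, most connections first. A remote host holding many
# sessions to one odd local port (here 6667) is the kind of thing to chase.
conns_per_peer() {
  awk '$1 == "tcp" && $6 == "ESTABLISHED" {
         split($5, peer, ":")         # "ip:port" -> ip
         count[peer[1]]++
       }
       END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# established_from: number of ESTABLISHED connections from one remote IP in the sample.
established_from() {
  printf '%s\n' "$SAMPLE_NETSTAT" |
    awk -v ip="$1" '$1 == "tcp" && $6 == "ESTABLISHED" && index($5, ip ":") == 1 { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed samples. On a live box the first
# line would instead be something like (interface name assumed):
#   tcpdump -nn -q -i eth0 -c 5000 2>/dev/null | top_talkers | head
printf '%s\n' "$SAMPLE_TCPDUMP" | top_talkers | head -n 5
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_peer
```

A box whose `netstat`, `ps` and `ls` may already be replaced will happily lie to this script, which is exactly Ron's point about trojaned binaries: run `tcpdump` and `netstat` from a known-clean copy (a rescue CD or a statically linked toolkit on read-only media), or capture on a separate machine with a span port, and compare the peers you see with what the server's own tools report. A mismatch between the two views is itself evidence of a rootkit.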