This document covers best practices which help detect a compromise on your
system. Using these techniques does not guarantee detection of an intruder,
but it means you are proactively monitoring your system(s) for common
hacker practices.
Periodically examine log files for connections from unusual locations
or for other unusual activity. It has been our experience that it is best to
automate this as much as possible so that it does not become an overwhelming
task or get forgotten. Some tools which have been pointed out to MIS include:
If you monitor more than one system, send all syslogs to a loghost that is
secured as well as possible (meaning preferably no user accounts and only
essential services running).
Periodically browse through critical system files that start/stop services
or manage user information/accounts.
MONITOR LOG FILES
1. Check the system logs in /var/log and /var/adm.
These log files show which processes have been running and any errors
they have produced. Examine them to determine if there have been any
problems with running services or any connections from unusual places.
2. Check web server logs for abnormal activity.
Review web server log files (if there is a web server running) to determine
if there have been any errors or compromises. There are commonly known exploits
in certain publicly available cgi-scripts and in cgi-scripts packaged with certain
web servers. Review CERT advisories for these exploits and watch your web server
logs for attempted accesses of these cgi-scripts. (Examples include:
/cgi-bin/handler, /cgi-bin/phf, and /cgi-bin/test-cgi.)
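As an added example (not part of the original checklist), a small shell script that scans an access log in common log format for requests to the CGI programs named above; the log lines are constructed sample data, not a real server's log:

```shell
#!/bin/sh
# Added example, not from the original checklist. Scans a common-log-format
# access log for requests to the CGI programs the checklist names.
# The log lines below are constructed sample data, not a real server's log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [10/Oct/1997:13:55:36 -0500] "GET /index.html HTTP/1.0" 200 2326
192.0.2.7 - - [10/Oct/1997:13:57:01 -0500] "GET /cgi-bin/phf?Qname=test HTTP/1.0" 404 210
10.0.0.5 - - [10/Oct/1997:13:58:12 -0500] "GET /images/logo.gif HTTP/1.0" 200 8192
198.51.100.9 - - [10/Oct/1997:14:02:44 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
198.51.100.9 - - [10/Oct/1997:14:02:50 -0500] "GET /cgi-bin/handler HTTP/1.0" 403 0
EOF

# Print one line per request for a watched CGI path: client, status, path.
# A 404 or 403 is still worth a look: it shows someone probing for the script.
# In common log format field 7 is the request path and field 9 the status.
scan_cgi_probes() {   # $1 = access log
    awk '
        $7 ~ /^\/cgi-bin\/(handler|phf|test-cgi)(\?|$)/ {
            printf "%s status=%s path=%s\n", $1, $9, $7
        }' "$1"
}

# Number of hits, so a cron job can mail a report only when there is something to see.
count_cgi_probes() {   # $1 = access log
    scan_cgi_probes "$1" | wc -l | tr -d ' '
}

scan_cgi_probes "$SAMPLE_LOG"
```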
3. Check for suspicious logins.
A record of user logins is available through the use of the last command.
Periodically check the results of this command for suspicious connections from
unknown or untrusted sites. You can also monitor your syslogs for logins and
logouts from unknown or untrusted sites using some of the automated log checking
scripts mentioned earlier.
4. Check xferlog for suspicious file transfers.
If there is a functioning ftp daemon on the system, then a log of all
successful file transfers to the system is contained in /var/log/xferlog.
Periodically examine this file and search for suspicious activity. (Sometimes
you may notice filenames of specific exploits or hacker tools.)
USE CRON TO YOUR BENEFIT
1. Monitor for network interfaces in promiscuous mode.
A network interface in promiscuous mode is usually an indicator of
a network monitoring program, commonly called a sniffer. Intruders use sniffers
to capture username/password information, and sniffers are commonly included in
hacker toolkits and recipes. Under some versions of Unix (SunOS) you can use
ifstatus to monitor for this. Ifstatus is a utility which only produces output if
a network interface is in promiscuous mode. This makes it the perfect tool to
run frequently as a cronjob. Ifstatus is available from:
ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus
If ifstatus will not work with your version of unix look for other tools
which can detect a network interface in promiscuous mode or programs that have
the network interface open.
2. Look for core files.
Some exploits try to overflow or crash programs in order to give root
access. When a program crashes, a memory image of the running process is saved
as a core file for debugging purposes. You can examine your file system for these core files
on a regular basis. When you find a core file evaluate it with the file or strings commands
to determine what program produced the core file. In some instances you may even
find core files of hacker tools or exploit binaries. Periodically search for core files
using the following find command:
find / -name core -print
3. Search for users that have unauthorized root shells.
Use the ProcTreeNode custom utility to periodically search the
process listing for users which have unauthorized root shells.
EXAMINE THE FILESYSTEM
1. Search for SETUID ROOT scripts.
Intruders often leave setuid scripts to easily give them root access
at a later time. Monitor your file system for unusual binaries or scripts with
the setuid or setgid bits set. Do this with a simple find script:
find / -user root -perm -4000 -print
2. Search for group and world writable home directories, .forward and .rhosts
files.
Allowing accounts to have group and world writable home directories,
.forward and .rhosts files opens your system to potential security problems.
Periodically search for these types of problems and evaluate if they are necessary.
MIS has written a PERL script, called snoop-it,
which you can use to search for each of these things. In addition to printing
the file permissions it prints the contents of the .forward and .rhosts files.
3. Examine your system for hidden directories.
A common technique for hackers on UNIX systems is to hide their tools
in hidden directories such as '...', '.. ', '.xx' and '.mail'. Use the find program
to look for these types of hidden files and/or directories:
find / -name ".*" -print
Use the fileaudit utility to look for admin-defined goofy directories.
EXAMINE CRITICAL FILES
1. Check for changes in /etc/hosts.equiv and user .rhosts files.
These files identify trusted accounts and machines which enable
users to login without using a password. In particular, look for '+' entries and
inappropriate non-local host names contained in these files. In addition, verify
that these files are not world or group writable. You can use the previously
mentioned snoop-it PERL
script to monitor the contents of .rhosts files.
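As an added example (not the snoop-it script itself), the following shell functions perform the two checks described in item 2 of EXAMINE THE FILESYSTEM and item 1 above: they report group- or world-writable home directories, .forward and .rhosts files, and print .rhosts or hosts.equiv lines that contain '+' or name a non-local host. The home directory tree is constructed in a temporary directory, and LOCAL_DOMAIN is an assumed value:

```shell
#!/bin/sh
# Added example, not the snoop-it script. Audits home directories the way the
# checklist describes; the tree under $ROOT is constructed sample data.
LOCAL_DOMAIN="example.edu"   # assumption: hosts outside this domain are non-local

ROOT=$(mktemp -d)
mkdir -p "$ROOT/alice" "$ROOT/bob"
chmod 755 "$ROOT/alice"
chmod 777 "$ROOT/bob"                                    # world-writable home
printf 'gw.example.edu alice\n' > "$ROOT/alice/.rhosts"
chmod 600 "$ROOT/alice/.rhosts"
printf '# trust everyone\n+ +\nhost.example.org bob\n' > "$ROOT/bob/.rhosts"
chmod 666 "$ROOT/bob/.rhosts"                            # world-writable .rhosts
printf 'bob@mail.example.edu\n' > "$ROOT/bob/.forward"
chmod 644 "$ROOT/bob/.forward"

# Print "WRITABLE <path>" for each home dir, .rhosts or .forward that is
# writable by group or other (find -perm -020 / -002 is portable across unixes).
audit_writable() {   # $1 = directory that holds the home directories
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        for f in "$home" "$home/.rhosts" "$home/.forward"; do
            [ -e "$f" ] || continue
            find "$f" -prune \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
        done
    done
}

# Print .rhosts / hosts.equiv lines that trust everyone ('+' as host or user)
# or name a host outside LOCAL_DOMAIN. Unqualified names are treated as local.
audit_trust_file() {   # $1 = .rhosts or hosts.equiv
    [ -f "$1" ] || return 0
    awk -v dom=".$LOCAL_DOMAIN" -v f="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "+" || $2 == "+" { print f ": wildcard trust: " $0; next }
        index($1, ".") && substr($1, length($1) - length(dom) + 1) != dom {
            print f ": non-local host: " $0
        }' "$1"
}

audit_writable "$ROOT"
for r in "$ROOT"/*/.rhosts; do audit_trust_file "$r"; done
```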
2. Check for changes to the password file.
Periodically examine the password file for accounts with no passwords,
accounts with changed shells, GIDs or UIDs, and added accounts. It is also appropriate
to check for and delete expired accounts.
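As an added example (not from the checklist), a shell function that compares the current password file against a saved baseline copy and reports the conditions listed above. Both files are constructed sample data in /etc/passwd format; on a system with shadow passwords the empty-password test must be run against the shadow file instead:

```shell
#!/bin/sh
# Added example, not from the checklist. Compares the current password file
# with a saved baseline and reports the changes the checklist says to look for.
# Both files are constructed sample data in /etc/passwd format.
BASE=$(mktemp); CUR=$(mktemp)
cat > "$BASE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
EOF
cat > "$CUR" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/tcsh
carol::1003:1003:Carol:/home/carol:/bin/sh
toor:x:0:0:toor:/:/bin/sh
EOF

# Print one finding per line; empty output means nothing to report.
# Field 2 is the password, 3 the UID, 4 the GID, 7 the login shell.
# With shadow passwords field 2 is "x", so run the empty-password test on /etc/shadow.
check_passwd() {   # $1 = baseline copy, $2 = current password file
    awk -F: '
        NR == FNR { base[$1] = $0; next }                 # first file: baseline
        $2 == ""                { print "NO PASSWORD: " $1 }
        $3 == 0 && $1 != "root" { print "EXTRA UID 0 ACCOUNT: " $1 }
        !($1 in base)           { print "ADDED ACCOUNT: " $1; next }
        {
            split(base[$1], b, ":")
            if ($3 != b[3]) print "UID CHANGED: " $1 " " b[3] " -> " $3
            if ($4 != b[4]) print "GID CHANGED: " $1 " " b[4] " -> " $4
            if ($7 != b[7]) print "SHELL CHANGED: " $1 " " b[7] " -> " $7
            seen[$1] = 1
        }
        END { for (u in base) if (!(u in seen)) print "REMOVED ACCOUNT: " u }
    ' "$1" "$2"
}

check_passwd "$BASE" "$CUR"
```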
3. Check for unauthorized services.
Inspect /etc/inetd.conf for unauthorized additions or changes.
This file contains the list of servers that inetd invokes when it receives
an Internet request over a socket (i.e. telnet, rlogin, ftp, pop, imap, etc.).
In particular, search for and check all entries that execute a shell program
(for example, /bin/sh or /bin/tcsh).
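As an added example (not from the checklist), an awk-based check over a constructed inetd.conf that flags entries whose server program or arguments are a shell, and entries for services not on an assumed authorized list:

```shell
#!/bin/sh
# Added example, not from the checklist. Flags inetd.conf entries that execute
# a shell and entries for services the site has not authorized.
# The configuration below is constructed sample data.
INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
# service socket protocol wait user server args
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
ttt     stream  tcp  nowait  root  /bin/sh         sh
EOF
AUTHORIZED="ftp telnet pop3"   # assumption: the site's approved service list

# inetd.conf fields: service socket protocol wait user server [args...]
# Field 6 onward is the program and its arguments; any of them being a
# shell is what the checklist says to search for.
check_inetd() {   # $1 = inetd.conf, $2 = space-separated authorized services
    awk -v ok=" $2 " '
        NF == 0 || /^#/ { next }
        {
            flagged = 0
            for (i = 6; i <= NF; i++)
                if ($i ~ /(^|\/)(sh|csh|tcsh|ksh|bash)$/) flagged = 1
            if (flagged) print "SHELL ENTRY: " $0
            if (index(ok, " " $1 " ") == 0) print "UNAUTHORIZED SERVICE: " $1
        }' "$1"
}

check_inetd "$INETD_CONF" "$AUTHORIZED"
```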