Security Portal: Tripwire - The Only Way to Really KnowJul 11, 2000, 07:51 (2 Talkback[s])
(Other stories by Jay Beale)
"So you think you may have been hacked, but you're really not sure 'cause some crackers seem pretty stealthy. There really is only one way to know - employ a file integrity checker, like Tripwire or AIDE. In this article, I'll explain why you need Tripwire/AIDE, what they do, and how you can deploy Tripwire. I'll give you a sample configuration that you can tune...."
"A cracker breaks into a system by exploiting an already present vulnerability. After he hacks your computer, he'll usually install a rootkit and create or install several Trojan horses. The rootkit replaces many of your system utilities to hide the attacker's activities. For instance, it replaces your ps command with one that will not show the attacker's programs. The Trojan horse programs give the attacker a means to get back into your system with root, so they don't have to use the same exploit over and over. (Sometimes, the cracker will even patch the original vulnerability, to protect his new property!)"
"Your first (smaller) problem is this: you may not even know you've been hacked! Often, the cracker doesn't want to disrupt your use/business - he just wants a launching platform for IRC bots, DDoS programs, and sniffers. He'll use his rootkit to stay out of sight and the Trojan horses to regain access to the system without tripping most forms of IDS. But, what if you do manage to realize you've been hacked?"
"Your second, larger, problem comes in here: you don't know what's changed on your system. Your system diagnostic tools have all been replaced by a rootkit! You can't trust ps, top, w, or even ls...! You need some way of figuring out exactly what files have changed, so you can put things back, patch any vulnerabilities, and trust your own system again. You need a file integrity checker. You absolutely, positively gotta kill every last illegal binary in the room. Accept no substitutes!"