dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


LinuxGazette.net: Intrusion Detection with Tripwire

Sep 16, 2004, 07:00 (1 Talkback[s])
(Other stories by Barry O'Donovan)

"A little over two years ago I was hacked. Someone broke into a web server I was administrating that had only Apache and OpenSSH running publically, and all packages were up-to-date. The hacker replaced my ps binary with his own to hide his processes, added a new service that was executed from the binary '/bin/crond ' (the space is intentional--it makes it look like a normal and an expected process in a running-processes listing and a normal binary in a directory listing). The 'crond ' process gathered usernames and passwords and stored them in a text file in the directory '/dev/pf0     /   /', (5 and 2 spaces respectively), which also contained a root shell. The chances of me finding and identifying this intrusion would have been extremely remote if I had not been running Tripwire.

"Tripwire is a file integrity checker for UNIX/Linux based operating systems and works as an excellent intrusion detection system. It will not prevent an intrusion; for this see my previous articles on setting up firewalls and securing a Linux distribution for help..."

Complete Story

Related Stories: