“So you think you may have been hacked, but you’re really
not sure ’cause some crackers seem pretty stealthy. There really is
only one way to know – employ a file integrity checker, like
Tripwire or AIDE. In this article, I’ll explain why you need
Tripwire/AIDE, what they do, and how you can deploy Tripwire. I’ll
give you a sample configuration that you can tune….”
“A cracker breaks into a system by exploiting an already present
vulnerability. After he hacks your computer, he’ll usually install
a rootkit and create or install several Trojan horses. The rootkit
replaces many of your system utilities to hide the attacker’s
activities. For instance, it replaces your ps command with one that
will not show the attacker’s programs. The Trojan horse programs
give the attacker a means to get back into your system with root,
so they don’t have to use the same exploit over and over.
(Sometimes, the cracker will even patch the original vulnerability,
to protect his new property!)”
“Your first (smaller) problem is this: you may not even know
you’ve been hacked! Often, the cracker doesn’t want to disrupt your
use/business – he just wants a launching platform for IRC bots,
DDoS programs, and sniffers. He’ll use his rootkit to stay out of
sight and the Trojan horses to regain access to the system without
tripping most forms of IDS. But, what if you do manage to realize
you’ve been hacked?”
“Your second, larger, problem comes in here: you don’t know
what’s changed on your system. Your system diagnostic tools have
all been replaced by a rootkit! You can’t trust ps, top, w, or even
ls…! You need some way of figuring out exactly what files have
changed, so you can put things back, patch any vulnerabilities, and
trust your own system again. You need a file integrity checker. You
absolutely, positively gotta kill every last illegal binary in the
room. Accept no substitutes!”
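The baseline-and-compare logic that a file integrity checker like Tripwire or AIDE implements, as an added example that is not code from the quoted article or from either project: it hashes every regular file under a tree with SHA-256, records inode metadata alongside the hash, stores that as the baseline, and later diffs a fresh snapshot against it to list added, removed and modified files. The directory layout, the "trojaned ps" bytes, the planted `.rk` file and the `integrity.db` path are all constructed for the demo; in the scenario the attacker keeps the trojan the same size as the original and restores its mtime, so only the hash reveals the swap.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/AIDE.

Added example, not code from the quoted article or from Tripwire/AIDE.
Every path and sample file below is constructed for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file; a change in any one is reported.
FIELDS = ("sha256", "size", "mode", "uid", "gid", "mtime")


def file_record(path: Path) -> dict:
    """Hash the file contents and capture the inode metadata we compare on."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: Path) -> dict:
    """Walk the tree and record every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks, devices and sockets are skipped here
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: new files, missing files, and which fields changed."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [f for f in FIELDS if baseline[rel][f] != current[rel][f]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: trojaned ps, a planted hidden file, a wiped log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"            # hypothetical system root
        (root / "bin").mkdir(parents=True)
        (root / "var").mkdir()
        ps = root / "bin" / "ps"
        ps.write_bytes(b"genuine ps binary ")                 # 18 bytes
        (root / "bin" / "ls").write_bytes(b"genuine ls binary")
        (root / "var" / "messages").write_bytes(b"login: root from 10.0.0.5\n")

        # Baseline taken on the known-good system. The database is kept
        # outside the tree being checked (read-only media in real use).
        db = Path(tmp) / "integrity.db"
        db.write_text(json.dumps(build_baseline(root), sort_keys=True))

        # Attacker: swap ps for a same-length trojan, put the original
        # timestamp back (as "touch -r" would), hide a file, wipe the log.
        before = ps.stat()
        ps.write_bytes(b"trojaned ps binary")                  # also 18 bytes
        os.utime(ps, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "bin" / ".rk").write_bytes(b"rootkit payload")
        (root / "var" / "messages").unlink()

        # Later run: rebuild the snapshot and diff it against the baseline.
        return compare(json.loads(db.read_text()), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the toy makes visible. First, size and mtime alone would have passed the trojaned `ps`; only the content hash flags it, which is why a checker must hash rather than just stat. Second, the checker is only as trustworthy as the environment it runs in: the baseline database must be written once and kept where the intruder cannot rewrite it (read-only media or an offline copy), and the comparison should be run from known-good binaries, since, as the quoted text says, the on-disk `ls` and friends may themselves be the rootkit's. Recording ctime as well is worth doing in a real deployment, because unlike mtime it cannot be reset with `utime`.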