This document outlines suggested steps for determining if your system has been compromised. System administrators can use this information to look for several types of break-ins. We encourage you to review all sections of this document and modify your systems to close potential weaknesses.
In addition to the information in this document, we provide three companion documents that may help you:
Note that all action taken during the course of an investigation should be in accordance with your organization's policies and procedures.
find / -user root -perm -4000 -print
find / -group kmem -perm -2000 -print

Note that the above examples search the entire directory tree, including NFS/AFS mounted file systems. Some find(1) commands support an "-xdev" option to avoid searching those hierarchies. For example:

find / -user root -perm -4000 -print -xdev

Another way to search for setuid files is to use the ncheck(8) command on each disk partition. For example, use the following command to search for setuid files and special devices on the disk partition /dev/rsd0g:
ncheck -s /dev/rsd0g
Trojan horse programs may produce the same standard checksum and timestamp as the legitimate version. Because of this, the standard UNIX sum(1) command and the timestamps associated with the programs are not sufficient to determine whether the programs have been replaced. The use of cmp(1), MD5, Tripwire, and other cryptographic checksum tools is sufficient to detect these Trojan horse programs, provided the checksum tools themselves are kept secure and are not available for modification by the intruder. Additionally, you may want to consider using a tool (PGP, for example) to "sign" the output generated by MD5 or Tripwire, for future reference.
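An added example of the checksum baseline described above (not part of the CERT document): it records SHA-256 hashes for a set of files and later re-verifies them, including a constructed case where a file is replaced by one of the same size with its original timestamp restored. It assumes GNU sha256sum; MD5 or Tripwire would be used the same way, and the baseline file must be kept where an intruder cannot rewrite it.

```shell
#!/bin/sh
# Added example (not from the CERT document): keep a baseline of cryptographic
# checksums for a set of binaries and re-verify it later.  Assumes sha256sum
# from GNU coreutils; the page's MD5/Tripwire approach works the same way.
# Keep the baseline file on read-only or offline media so an intruder who
# replaces a binary cannot also "fix" the recorded checksum.

baseline_create() {
    # $1 = baseline file; remaining arguments = files to record
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        sha256sum "$f" >> "$out" || return 1
    done
}

baseline_verify() {
    # $1 = baseline file.  Prints each file whose current hash differs from
    # the recorded one (or that is missing) and returns 1 if any did.
    rc=0
    while read -r hash path; do
        cur=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$cur" != "$hash" ]; then
            echo "MODIFIED: $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

demo_trojan_detected() {
    # Constructed scenario: two fake "binaries"; one is then replaced by a
    # same-size file with the original mtime restored, which is what a
    # Trojan horse replacement does to defeat ls -l and timestamp checks.
    # Returns 0 if the replaced file is reported, 1 otherwise.
    d=$(mktemp -d) || return 1
    printf 'original ls\n' > "$d/ls"
    printf 'original ps\n' > "$d/ps"
    baseline_create "$d/baseline.sha256" "$d/ls" "$d/ps"
    baseline_verify "$d/baseline.sha256" > /dev/null || { rm -rf "$d"; return 1; }
    cp -p "$d/ps" "$d/ps.orig"
    printf 'trojaned ps\n' > "$d/ps"   # same length as the original
    touch -r "$d/ps.orig" "$d/ps"      # restore the original timestamp
    if baseline_verify "$d/baseline.sha256" | grep -q "MODIFIED: $d/ps\$"; then
        rm -rf "$d"; return 0
    fi
    rm -rf "$d"; return 1
}
```

Running `demo_trojan_detected` returns 0 because the hash comparison flags the replaced file even though its size and modification time match the original.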
Also check for legitimate services that you have commented out in your /etc/inetd.conf. Intruders may turn on a service that you previously thought you had turned off, or replace the inetd program with a Trojan horse program.
find / -name ".. " -print -xdev
find / -name ".*" -print -xdev | cat -v

Also, files with names such as '.xx' and '.mail' have been used (that is, files that might appear to be normal).
http://www.cert.org/summaries/
http://www.cert.org/tech_tips/root_compromise.html

Also review other appropriate files in our tech_tips directory.
http://www.cert.org/ftp/incident_reporting_form

The information on the form helps us provide the best assistance, as it enables us to understand the scope of the incident, to determine if your incident may be related to any other incidents that have been reported to us, and to identify trends in intruder activities.