#1 2008-08-13 14:40:42

scrawler
Member
Registered: 2005-06-07
Posts: 312

I was not hack--er, compromised.

I don't think I have been hacked. I don't think my computer has been
compromised in any way, but ignorance is bliss, and I would like to be
sure.  What steps can I take to find out?  I run chkrootkit every now
and then, which usually results in a few warnings at the end which I
ignore--warnings having to do with *.pacsaves and such.  I don't think
chkrootkit by itself is comprehensive enough, but I don't know.

I would like to have a reliable way to backup all of my essential
configurations in one place and my data in another in such a way that
I can wipe my system and restore it in the same state minus any bogeymen.
I backup stuff now, but in such a way that the bogeymen would
come along for the ride.

Am I being clear?  Protecting my computer is important, but how can I
ensure that I have a clean backup that can be put back in place with
minimal hassle after a compromise? Ideally with data and structure/config
independent of each other (a fresh install would provide the structure).
What would you suggest?

#2 2008-08-13 18:36:26

Barrucadu
Member
From: Hull, England
Registered: 2008-03-30
Posts: 1,157

Re: I was not hack--er, compromised.

You could just backup your /home, which would preserve your files and settings. And as for seeing if you are compromised, other than noticing odd behaviour, I can't think of anything, sorry.

#3 2008-08-13 18:42:49

Daenyth
Forum Fellow
From: Boston, MA
Registered: 2008-02-24
Posts: 1,244

Re: I was not hack--er, compromised.

Well, you could use things like tripwire, rkhunter, bastille. Also run log scanning programs to alert you to any logins. Minimize ports that are open to the outside. There are a few other threads on here about security, search.

#4 2008-08-13 18:44:40

B-Con
Member
From: Frisco, TX
Registered: 2007-12-17
Posts: 549

Re: I was not hack--er, compromised.

scrawler wrote:

I don't think my computer has been
compromised in any way, but ignorance is bliss, and I would like to be
sure.  What steps can I take to find out?

Examine your travel records for trips to Las Vegas in early August. If you find any, check the exact date against the dates that DefCon was held that year. If your stay and DefCon overlapped, you have been compromised.

If there is no overlap, you should pursue other potential avenues.


- "Cryptographically secure linear feedback based shift registers" -- a phrase that'll get any party started.
- My AUR packages.
- I use i3 on my i7.

#5 2008-08-13 21:24:13

phildg
Member
Registered: 2006-03-10
Posts: 146

Re: I was not hack--er, compromised.

Something like aide for file integrity checks and snort for intrusion detection. Of course these are no use if you're already compromised.

In addition, configure iptables appropriately, make use of hosts.allow and hosts.deny, and configure things like X and mysql not to bind to a TCP socket. And, as mentioned above, run log analysers.

Any daemon that must accept connections from the internet should be locked down and configured correctly; for example, ssh should only allow public key auth and protocol v2, and other things like apache should be run as a restricted user, preferably in a chroot environment.

This is by no means exhaustive, but should get you started.

There is no easy way to recover from a compromised machine; until you identify the time of the intrusion, the integrity of backups can't be guaranteed.

Last edited by phildg (2008-08-13 21:26:00)
