Intruder Detection (Unix Power Tools, 3rd Edition)

48.7. Intruder Detection

From the CERT Intruder detection checklist at http://www.cert.org/tech_tips/intruder_detection_checklist.html comes a variety of helpful steps to take to determine if your system has had an intruder.

Check logfiles first, and then check for any unusual setgid (Section 49.5) or setuid files.

A key symptom that something is wrong with your system is when something appears that doesn't belong. This includes files, directories, users, and groups. Unfortunately, these are also almost impossible to detect unless they occur in obviously incorrect locations.

You can search for modified files based on a time range using the find (Section 9.1) command. For instance, the following two commands will find all files that have been changed in the last two days excluding today. The results are piped to cat for easier reading:

> find /  -mtime -2 -mtime +1 -exec ls -ld {} \; | cat
> find /  -ctime -2 -ctime +1 -exec ls -ldc {} \; | cat

Running these commands as root will ensure you have access to all files and directories. Note that depending on the size of your system, the command can take a considerable amount of time.

Also check for hidden files, those beginning with a period. The following command searches every directory but NFS mounted ones for files beginning with a period (.):

find / -name ".*" -print -xdev | cat -v

In addition, review critical files such as /etc/passwd and the crontab file (Section 25.3), checking for new and unusual entries. You might want to keep off-disk copies of the files to use for comparison; online versions can also be compromised.

Check binaries for possible changes and replacements -- including backups -- and changes to files such as xinetd.conf, allowing services such as telnet that were originally disallowed.

In other words, according to CERT, knowing your system and checking for changes using built-in utilities can be the best approach to take to detect intrusion.

-- SP