# how can i check if i was hacked

## queen

I saw some IPs in the incoming logs of my router. I suppose they are attack attempts, or just connection attempts for DC++.

I checked 

```
last
```

 and couldn't find anything unusual, except my login, reboot. 

My router is a Linksys WRT54GC which has the SPI firewall enabled and a few ports that I opened for P2P programs.

Is that enough to say I wasn't hacked? What other things should I check?

----------

## Dan

```
~ # eix rkhunter
* app-forensics/rkhunter
     Available versions:  1.2.7-r1 ~1.2.8
     Homepage:            http://www.rootkit.nl/
     Description:         Rootkit Hunter scans for known and unknown rootkits, backdoors, and sniffers.
```

is a start

----------

## queen

 *dcoats wrote:*   

> ~ # eix rkhunter
> 
> * app-forensics/rkhunter 
> 
>      Available versions:  1.2.7-r1 ~1.2.8
> ...

 

Thank you. Emerging now.

EDIT: i ran

```
 rkhunter -c 
```

 and found a clean system.  :Very Happy: 

But I found this warning:

```
* Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    info:
    Hint: See logfile for more information about this issue
   Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]
```

What do I have to correct, or is it standard output? A log file /var/log/rkhunter.log wasn't created, although I specified yes in /etc/cron.daily/rkhunter.

----------

## liber!

Your SSH is configured so that it allows root login. It's better to disable this and only log in through ssh as an unprivileged user, then su (or sudo) if you need to administrate.

The directive in /etc/ssh/sshd_config is

```
PermitRootLogin no
```

----------

## yabbadabbadont

Of course, if you don't run sshd by default, then there isn't anything to worry about.   :Very Happy: 

----------

## liber!

Maybe it's best to see if you don't run services you don't need...

----------

## queen

 *liber! wrote:*   

> Your SSH is configured that it allows root login. It's better to disable this and only login trough ssh by a unprivileged user and su (or sudo) if you need to administrate.
> 
> The direction in /etc/ssh/sshd_config is 
> 
> ```
> ...

 

I checked the file and it was commented like this: #PermitRootLogin yes.

I assume that the program doesn't ignore the comment. So, for safety, I uncommented it and wrote

```
PermitRootLogin no
```

As for the services, sshd was at boot level. It was set during the Gentoo installation about a year ago. These are the services that run:

```
rc-update show
 * Broken runlevel entry: /etc/runlevels/default/pcmcia
               acpid |      default
           alsasound | boot
            bootmisc | boot
          bootsplash |      default
             checkfs | boot
           checkroot | boot
               clock | boot
            coldplug | boot
         consolefont | boot
            hostname | boot
             keymaps | boot
               local |      default nonetwork
          localmount | boot
             modules | boot
              net.lo | boot
            netmount |      default
           rmnologin | boot
                sshd | boot
           syslog-ng |      default
             urandom | boot
          vixie-cron |      default
                 xdm |      default
```
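As an added example (not code from the thread), the snippet below shows how sshd reads a keyword from sshd_config: lines whose first non-blank character is `#` are comments and are skipped, the first uncommented match wins, and a keyword that is never set falls back to the daemon's built-in default. The default is passed in as a parameter because it has changed across OpenSSH versions; the config text is constructed for the demo.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# A line such as "#PermitRootLogin yes" is a comment, so on its own it means
# the built-in default applies, which is what rkhunter warned about above.
# SAMPLE_CONFIG is constructed, not taken from any real host.

SAMPLE_CONFIG='# constructed sshd_config
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PermitRootLogin yes'

# effective_setting CONFIGTEXT KEYWORD DEFAULT
# Prints the first uncommented value for KEYWORD (keywords are
# case-insensitive, as in sshd), or DEFAULT when it is never set.
effective_setting() {
    printf '%s\n' "$1" |
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }                 # comment or blank line
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# root_login_allowed CONFIGTEXT -> "no" only if PermitRootLogin resolves to no.
# The historical default "yes" is assumed here; newer OpenSSH releases default
# to prohibit-password, which this check also treats as not fully disabled.
root_login_allowed() {
    case "$(effective_setting "$1" PermitRootLogin yes)" in
        no) echo no ;;
        *)  echo yes ;;
    esac
}

# Example run: the first uncommented PermitRootLogin line ("no") wins,
# even though a later line says "yes" and an earlier commented one did too.
effective_setting "$SAMPLE_CONFIG" PermitRootLogin yes
root_login_allowed "$SAMPLE_CONFIG"
```

On a live host, `sshd -T` prints the effective configuration directly and is the quickest way to confirm what rkhunter reported.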

----------

## T38

If you've been hacked by a *truly* clever person, you may never know it.  It is possible (although quite difficult) to root a box so thoroughly that your system tools (syslog, ls, ps, etc.) aren't giving you accurate results, so if you've got a reasonable suspicion that someone has broken in, the only way to be sure your computer is secure is to burn it to the ground and rebuild it from scratch.

Now that I've given you the gloom and doom, here's what I would really do  :Very Happy: 

First, this same thing happened to me once--I had built a Linux host that I had connected to the Internet, and found a bunch of log entries that left that "oh, @#%!!! I've been hacked" feeling in the pit of my stomach.  After a bit of forensics, I determined that I hadn't been hacked--although a bunch of lusers with nothing better to do had been hammering my system with ssh attempts, they hadn't figured out my user name and password.  This is almost certainly what happened to you, as well.  SSH attempts are pretty common.

Like I mentioned above, it is possible for a savvy cracker (as opposed to a 5cr!pt k!ddi3) to corrupt your system tools, so to make sure your box is clean, you'll need to investigate from a known-secure platform.  From a clean machine make a Gentoo install CD, Knoppix CD or some other live CD and reboot your suspect computer using the live CD.  Install a rootkit detector of your choice on the ramdisk after you've booted from a live CD.  I don't know how big rkhunter is, but I've had success using chkrootkit with a Knoppix live CD.  Mount your hard drive partitions and run the root kit checker, and if this comes up clean, you are probably ok.  It might be worth checking your logs while you've got the hard drive mounted under the live CD, as well.

By now, you should have a reasonable certainty that you've either been hacked or that you just spooked yourself with normal--albeit annoying--background noise.  If you think you are probably clean, reboot into Gentoo and do some poking around just to make sure.  netstat is a great tool for seeing what your computer is listening for:

```
$ sudo netstat -ep
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 myhost:33364              remotehost.example.:ssh ESTABLISHED joeuser  28137      10923/ssh
tcp        0      0 myhost:45833              remotehost.example.:ssh ESTABLISHED joeuser  27979      10913/ssh
tcp        0      0 myhost:46008              mail.example.com:imap   CLOSE_WAIT  joeuser  16374      10183/thunderbird-b
<...snip...>
```

If you see anything suspicious, open up Google and do some searching.  Next, you might want to use a security scanner like nmap or nessus (yes, you can emerge these too) from a remote machine and make sure the only ports listening on your computer are ports that you know are open (ssh, http, etc.).  If you see anything suspicious, you'll need to investigate further.  Finally, if you are really paranoid and really patient, emerge and run tcpdump, then monitor the output for anything suspicious.  Once you've done all this, you won't *know* that your PC is clean, but you will have established a pretty high probability that it is...or else, you will have seen something evil, and you will know that you need to rebuild it  :Sad: 

Once you've got what you believe is a clean computer, you can set things up to keep it secure.  Like I mentioned above, I use chkrootkit to search for rootkits on my computers.  Since I'm lazy, and don't always remember to do everything I need to do, I run it in cron at night:

```
#Check for rootkits (bugs with chkrootkit and LKM--ignore LKM warnings):
5 22 * * * Date=`/bin/date`; /usr/local/chkrootkit-0.46a/chkrootkit 2>/dev/null | /bin/egrep -vi "(lkm|no\ suspect\ files|nothing\ (found|deleted)|not\ (installed|infected|tested|found|promisc))" | /usr/bin/nail -r "root@myhost.example.com" -s "chkrootkit output for ${Date}" my-email@example.com
```

You can probably do something similar with rkhunter.

Next, since SSH username and password guessing is pretty common, turn off root access via ssh, and make sure that all of the passwords on your user accounts are tough to guess (8 characters, no dictionary words, alpha-numeric with a few special characters, etc.--you know the drill).  Even though I've got a hardware firewall between the Internet and my internal network, I still run iptables on all of my PCs for an extra layer of security, and I reject SSH from anything but networks I know I might use.

Set up scripts to monitor your log files, and have them e-mail anything suspicious to you.  I've written my own scripts, but there are plenty of FOSS log monitors, too.

Finally, baseline your system so you know what is normal and what isn't.  What does your CPU utilization look like?  How about memory usage?  Bandwidth usage?  Disk space and I/O?  Cacti or MRTG can help here.  Any large, unexplained changes are grounds for investigation.  Use something like Tripwire to monitor changes to your file system.  If your binaries or config files have changed, but you haven't emerged anything, you might want to do some digging to find out why.  Use nmap, ethereal, nessus, etc. to see what ports are open on your computers, and rescan periodically to verify that things haven't changed.
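As an added example, not T38's own script, here is the kind of log check such a nightly cron job could run: it tallies failed sshd password attempts per source address from an auth log and lists the addresses that exceed a threshold, which is exactly the "background noise" pattern described above. The log lines are constructed samples in the usual syslog/sshd format, using documentation address ranges.

```shell
#!/bin/sh
# Added example: summarise failed sshd logins per source address from an
# auth log. SAMPLE_LOG is constructed for the demo, not copied from a host.

SAMPLE_LOG='Mar  3 02:11:07 myhost sshd[10923]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Mar  3 02:11:09 myhost sshd[10925]: Failed password for invalid user test from 203.0.113.5 port 41130 ssh2
Mar  3 02:11:12 myhost sshd[10927]: Failed password for root from 203.0.113.5 port 41140 ssh2
Mar  3 02:15:40 myhost sshd[10980]: Accepted publickey for joeuser from 192.0.2.10 port 50022 ssh2
Mar  3 02:20:01 myhost sshd[11002]: Failed password for joeuser from 198.51.100.7 port 33002 ssh2
Mar  3 02:20:05 myhost sshd[11004]: Failed password for root from 203.0.113.5 port 41150 ssh2'

# failed_by_source LOGTEXT -> lines of "COUNT IP", most frequent first.
# Only "Failed password" lines from sshd are counted; the address is the
# word after "from", so successful logins are not included.
failed_by_source() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# noisy_sources LOGTEXT THRESHOLD -> addresses with at least THRESHOLD failures
noisy_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# root_attempts LOGTEXT -> number of failed logins aimed directly at root,
# the attempts that PermitRootLogin no turns into a dead end.
root_attempts() {
    printf '%s\n' "$1" | grep -c 'Failed password for root from'
}

# Example run: one address made four attempts, the other only one.
echo "Sources with 3 or more failures:"
noisy_sources "$SAMPLE_LOG" 3
echo "Failed root logins: $(root_attempts "$SAMPLE_LOG")"
```

Piping the output of `noisy_sources` to mail, as the chkrootkit crontab entry above does with nail, turns it into the nightly report the post describes.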

----------

## madisonicus

 *T38 wrote:*   

> good stuff

 ++

I'd also suggest an intrusion detection system like aide or tripwire.  Both are in portage and, if configured properly, are a great way to keep track of what changes on your system.  Combined with something like sys-apps/logwatch, you'll be much more likely to catch anyone trying to brute force your system.

A good firewall between your WAN and LAN is very important, but I've found a NAT to be even more effective at combating random probes and various spoofing attempts.

Finally, eight character passwords?  Make 'em as big as you can remember them and include at least one special character, one number, one lower, and one upper case letter.  I use app-admin/apg to get me started with passwords.

-m

----------

## T38

Sorry--I meant at least eight characters   :Embarassed:   and yes, throw in as much obfuscation in the form of mIxEd CaSe, numb3r5 and spec!@l ch@r&cter$ as possible.

----------

## madisonicus

 *T38 wrote:*   

> Sorry--I meant at least eight characters    and yes, throw in as much obfuscation in the form of mIxEd CaSe, numb3r5 and spec!@l ch@r&cter$ as possible.

 Figured that, just wanted to be clear.    :Laughing:   Especially since you had the rest of it down cold.    :Cool: 

----------

## madisonicus

Going back to the OP again, though... Intrusion detection is very difficult to accomplish after the fact.  Every bit of it depends on having a clean system to begin with.  Since it is possible to very thoroughly compromise a system by undermining the very tools you might use to detect intrusions or trojans, you really need to have put in place a system like T38 described beforehand to know for sure.

Based on what you describe, there's no reason to think you've been hacked.  However, if you haven't put in place appropriate security measures, then there's no better time to start than now.

Security is all about assessing what you want to do with the computer, what things using your system like that will expose you to, and what level of security is appropriate to protect the information/capabilities you need.  Defense in depth is absolutely key since layers of security are much more complicated to compromise.

Again, no system is totally secure, but you can make it more costly to compromise your system than the information/capability would be worth to acquire.  Arguably the most important part is setting up and reviewing your logs such that you are likely to notice any attacker before they are able to circumvent your security.

Starting points for security:

http://www.gentoo.org/doc/en/security/security-handbook.xml?full=1

http://tldp.org/HOWTO/Security-Quickstart-HOWTO/intrusion.html

http://www.cert.org/tech_tips/usc20_full.html

http://www.securityfocus.com/infocus/1416

http://www.linuxsecurity.com/

Yell if you have other questions.

----------

## queen

Thank you all for the tips. I was offline because my laptop was in for repair.

As for the tips everyone gave me, here are my replies:

1. I didn't open a port for ssh in the router. I wanted once to connect from outside but for some reason it didn't work so i disabled it. So no one can ssh me.  

2. My router linksys wrt54gc has firewall built in and i opened only few ports that i need. I am stingy in this regard. 

3. I use strong passwords. My email was hacked many years ago, so i learned the lesson.

4. I have wireshark (ethereal) and checked it. It's ok. 

5. I have nmap too. I once checked open ports on my brother's network to see if he is vulnerable. Now I check mine. I try to check all UDP and TCP ports; it takes a long time. I use this command:

```
 nmap -sU -p U:1-65535,T:1-65535 localhost
```

I get this:

```
PORT      STATE         SERVICE
68/udp    open|filtered dhcpc
8010/udp  open|filtered unknown
24000/udp open|filtered unknown
32869/udp open|filtered unknown
32870/udp open|filtered unknown
43090/udp open|filtered unknown
61355/udp open          unknown

Nmap finished: 1 IP address (1 host up) scanned in 8.333 seconds
```

Why is 61355 open? I never opened this port.

I would like to use the chkrootkit script you wrote as a cron job, but unfortunately rkhunter requests a press of Enter after each check. I like rkhunter because it seems to check for quite a lot of rootkits. Does chkrootkit check for the same rootkits as rkhunter? Which one is better? It would be nice to get a more automated rkhunter.

In which log files should I look for suspect things?

6. CPU usage is normal. I do have bandwidth problems; sometimes I get packet loss. I checked with pathping. I also saw today in wireshark that it can't reach some ports (although the ISP doesn't block any ports).

7. Which log programs are better? logwatch, aide, tripwire?

8. There is one thing that i would like to change. In my router i have encryption wep,wpa,wpa2. But i can't get ip using dhcpcd when i put any encryption. It simply hangs there forever. So i am forced to use without encryption. I would like to set up some encryption. I arranged the encryption both on the client and server. 

9. iptables seems to be a nightmare. I prefer to use the router as firewall. 

10. I have a clean bootable CD of Gentoo, but it's rather old (2005). Is it good enough to check the system?

I'll be happy to get help on these issues.

----------

