[Cialug] Attack troubleshooting?

Zachary Kotlarek zach at kotlarek.com
Tue Mar 1 01:01:58 CST 2011


On Feb 28, 2011, at 10:50 PM, Dave Weis wrote:

>> `lsof` or `netstat` would give you a better idea what was 
>> using the network.


> If it has a rootkit those are probably trojaned. I've used iptables -I OUTPUT -j LOG in the past to see any traffic leaving the box. 


Right, but that seems like a zebras reaction to a hoofbeats symptom -- I know the subject line said "attack" but what I read in terms of actual symptoms and troubleshooting was "I'm not sure what's causing this unexpected network traffic even after a cursory inspection of the process list -- I'm worried it might be some sort of compromise" not "I've determined that someone is using my box for nefarious purposes after eliminating more mundane causes for this unexpected traffic". Jumping to the latter conclusion without proper vetting is the sort of thing that gets pool.ntp.org hosts kicked offline because someone reports that their routers are being "hacked" on UDP port 123.

I'm just saying I'd start with `lsof` or `netstat` to see what the box thinks is happening. Those tools provide much better information about network activity than `ps`, which was the only diagnostic test that was reported so far. It's possible that it's just some update process or cron job that's been forgotten about. I recently investigated a connection to tor0.local.host.name. on TCP port 22 that looked nasty in the logs but it turned out to be just a bad PTR record for my own server and a valid SSH connection.

If there is a good reason to believe the box has been compromised I agree, the on-disk tools are not trustworthy. Though that would include `iptables`, so I wouldn't trust it any more than `netstat`. As far as compromised local tools go, you can easily see if `lsof` or `iptables` is lying to you just by comparing its output to any external network monitoring system (like a firewall or packet sniffer). A lying local tool would be fairly good evidence of a system compromise, at which point I'd be totally on-board with the striped African equines.

I agree with all the other advice about seeking help, taking the host offline, running scanning tools, not trusting your binaries and all that if you really think there's an attack happening. I just think that it's worth checking for boring answers before you get all rootkit-y.

	Zach
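The check Zach describes, comparing what the host's own `netstat` reports against what an external vantage point saw, as an added example that is not part of the original thread. It assumes `netstat -tn` output from the suspect host and iptables LOG lines written by a separate firewall host; both samples below are constructed, as are the addresses and the hostname `fw`.

```python
import re

# Constructed sample output of `netstat -tn` on the host being investigated.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:45212          198.51.100.7:22         ESTABLISHED
"""

# Constructed iptables LOG lines from a *separate* firewall host (external
# vantage point), not from iptables on the suspect box, which could be lying too.
FIREWALL_LOG_SAMPLE = """\
Mar  1 00:58:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=45212 DPT=22 SYN
Mar  1 00:58:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40001 DPT=6667 SYN
Mar  1 00:58:06 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
"""

FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def local_flows(netstat_text):
    """Flows the host admits to: {(proto, local_ip, local_port, remote_ip, remote_port)}."""
    flows = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # banner and column-header lines
        lip, lport = parts[3].rsplit(":", 1)
        rip, rport = parts[4].rsplit(":", 1)
        flows.add((parts[0].rstrip("6"), lip, int(lport), rip, int(rport)))
    return flows

def external_flows(log_text, host_ip):
    """Flows involving host_ip as the firewall saw them, normalised to the host's view."""
    flows = set()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, proto, spt, dpt = m.groups()
        if src == host_ip:
            flows.add((proto.lower(), src, int(spt), dst, int(dpt)))
        elif dst == host_ip:
            flows.add((proto.lower(), dst, int(dpt), src, int(spt)))
    return flows

def unreported_flows(netstat_text, log_text, host_ip):
    """Flows the network saw but the host's own tool did not report.
    A hit is either a short-lived connection that ended before netstat ran (the
    boring answer) or a local tool hiding traffic, which is the real rootkit signal."""
    return external_flows(log_text, host_ip) - local_flows(netstat_text)
```

Re-run the comparison a few times before drawing conclusions: a flow that is consistently visible to the firewall but never to the host is the evidence worth acting on.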
