Intruders


How to Give Computer Criminals a Hard Time

    Now -- are you ready for war?

    First, you need to know whether an intruder is on your system. How to do that is worth at least another entire chapter that I haven't written yet. You'll have to wait for the next edition of this book. However, there are some hints for sysadmins I can give you on the basis of first-hand experience from our Happy Hacker Wargame. Don't expect this to be more than a tiny bit of all you should be doing to detect intruders, however.

    • Look for unusual traffic patterns -- for example, many ftp sessions, or a user who hasn't logged into a shell account for months suddenly spending hours at a time logged in.
    • A new user name and account that no one remembers creating
    • Watch the processes. A skilled hacker may replace the "ps" command with a Trojan that hides his or her activities. However, you might see a high CPU utilization when the processes running couldn't account for it. Time to go red alert!
    • Check whether system configurations have changed, for example new ports open. Or if your policy is to automatically kill all processes when a user logs off (most ISPs do this), perhaps you will discover processes left running after logoff.
    • Look for an Ethernet card on your local area network that is in promiscuous mode (meaning it is accepting all packets broadcast on the network). That probably means an intruder is sniffing your network with a program hidden on the computer with the promiscuous mode card.
    • Look for suspiciously large files turning up. They may be secret sniffer logs.
    • Do you notice a hacked Web page or obscene Message of the Day -- OK, this suggestion is lame, you knew those signs of hacker attack already!
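
The two process checks in the list above (a "ps" that hides things, and processes left running after logoff) can be cross-checked against the kernel's own /proc listing. The Python below is an added example, not code from the book; it assumes a Linux host, and the sample PIDs, user names and the SYSTEM_USERS set are constructed for illustration.

```python
import os
import pwd
import subprocess

# Constructed sample data (not from a real host): output of a possibly
# trojaned `ps -e -o pid= -o user=`, the {pid: owner} view from /proc, and `who`.
SAMPLE_PS = "    1 root\n  412 root\n  977 alice\n"
SAMPLE_PROC = {1: "root", 412: "root", 977: "alice", 1338: "bob", 1400: "alice"}
SAMPLE_LOGGED_IN = {"alice"}
SYSTEM_USERS = {"root", "daemon"}  # assumption: accounts that may run with no login

def parse_ps(text):
    """Return {pid: user} from `ps -e -o pid= -o user=` output."""
    rows = (line.split() for line in text.splitlines())
    return {int(r[0]): r[1] for r in rows if len(r) == 2 and r[0].isdigit()}

def hidden_pids(ps_table, proc_table):
    """PIDs the kernel lists in /proc that ps did not report."""
    # A short-lived process can land here by timing; re-check before alarming.
    # A kernel-level rootkit can hide from /proc too, so empty is not proof.
    return sorted(set(proc_table) - set(ps_table))

def orphaned_pids(proc_table, logged_in, system_users=SYSTEM_USERS):
    """PIDs owned by ordinary users who have no login session."""
    return sorted(pid for pid, user in proc_table.items()
                  if user not in logged_in and user not in system_users)

def owner(pid):
    uid = os.stat(f"/proc/{pid}").st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # uid with no passwd entry

def live_snapshot():
    """Collect the same three inputs on a running Linux host."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    proc = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            proc[int(name)] = owner(name)
        except FileNotFoundError:
            pass  # process exited while we were looking
    users = {line.split()[0] for line in run("who").splitlines() if line.strip()}
    return parse_ps(run("ps", "-e", "-o", "pid=", "-o", "user=")), proc, users

if __name__ == "__main__":
    print("hidden:", hidden_pids(parse_ps(SAMPLE_PS), SAMPLE_PROC))
    print("left running:", orphaned_pids(SAMPLE_PROC, SAMPLE_LOGGED_IN))
```

On a live host, pass the three values returned by live_snapshot() to the same two functions, and run it as root so every /proc entry is visible.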

    Of course it's far better to detect your attacker before he gets inside. Signs that someone is trying to break in are basically activities that we all like to do such as port scans and telnet connections to unusual ports.

    So now that we know it's time to fight intruders, let's start with free anti-crime tools that are great not only for sysadmins, but also for casual users who just want to have fun.

© 1999 - 2008, MultiMedia SRL