When a server has been compromised, the hacker usually covers their tracks by deleting all records of their activity from the logs. They also install tools that create a backdoor, so that they can return to the machine later on.
Ever clever, the hacker usually also fixes the vulnerability that allowed them to gain entry, so that other hackers cannot infiltrate the machine in turn.
However, the hacker's presence can be revealed by certain administrative commands which display a list of processes underway, or of users connected to the machine. For this reason, tools called rootkits have been developed to overwrite these system tools and replace them with equivalent functions which hide the hacker's presence.
It is easy to see why, in the absence of obvious damage, an administrator may find it difficult to tell if a computer has been compromised. One of the first things to do once an intrusion has been detected is to establish when it occurred, in order to determine which other servers may have been affected, and how.
In general, servers use files to store logs of their activity, and in particular any errors encountered.
Now, it is rare for a hacker to compromise a system on the first try. They usually work by trial and error, testing out various requests, and those failed attempts end up in the logs.
This is why log monitoring can be used to detect suspicious activity. It is particularly important to monitor the logs of security-related software; as well-configured as they may be, they can still be the target of an attack.
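As an added example of the log monitoring described above (this is illustrative code, not anything from the original article), the following script parses web server access-log lines in the common log format and flags clients that produce many error responses across several distinct paths, which is what trial-and-error probing looks like in a log. The sample log lines, client addresses and paths are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict

# One line of the Apache/nginx common log format; anything after the size
# (referrer, user agent) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor (203.0.113.7) and one client
# (198.51.100.23) that tries several non-existent or forbidden pages before
# finally getting a 200. One corrupt line is included on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2006:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [22/May/2006:10:01:03 +0200] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.7 - - [22/May/2006:10:01:05 +0200] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.23 - - [22/May/2006:10:02:10 +0200] "GET /admin/ HTTP/1.1" 404 312
198.51.100.23 - - [22/May/2006:10:02:11 +0200] "GET /old/ HTTP/1.1" 404 312
this line is corrupt and must not crash the parser
198.51.100.23 - - [22/May/2006:10:02:12 +0200] "GET /test.php HTTP/1.1" 404 312
198.51.100.23 - - [22/May/2006:10:02:13 +0200] "GET /setup/ HTTP/1.1" 403 298
198.51.100.23 - - [22/May/2006:10:02:14 +0200] "POST /login HTTP/1.1" 401 187
198.51.100.23 - - [22/May/2006:10:02:15 +0200] "GET /cgi-bin/ HTTP/1.1" 404 312
198.51.100.23 - - [22/May/2006:10:02:40 +0200] "GET /old/index.html HTTP/1.1" 200 871
"""


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for garbage."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probing(lines, min_errors: int = 5, min_distinct_paths: int = 3) -> dict:
    """Flag clients whose error responses (4xx/5xx) exceed the thresholds.

    Returns {ip: {"errors": n, "distinct_failed_paths": k, "requests": total}}.
    Unparseable lines are skipped rather than aborting the run.
    """
    errors = defaultdict(int)
    failed_paths = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        requests[ip] += 1
        if rec["status"] >= 400:
            errors[ip] += 1
            failed_paths[ip].add(rec["path"])
    suspicious = {}
    for ip, n in errors.items():
        if n >= min_errors and len(failed_paths[ip]) >= min_distinct_paths:
            suspicious[ip] = {
                "errors": n,
                "distinct_failed_paths": len(failed_paths[ip]),
                "requests": requests[ip],
            }
    return suspicious


def analyze_sample() -> dict:
    """Run the detector over the constructed sample log."""
    return find_probing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, stats in analyze_sample().items():
        print(f"{ip}: {stats}")
```

The single 404 for a missing favicon does not trip the thresholds, while the probing client does; the success that follows its string of errors is exactly the "eventually found a way in" pattern the text says log review should catch.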
Checking for the presence of rootkits
There are some programs (chkrootkit, for example) which check a system for rootkits. However, to be able to rely on such a tool, you must be certain of the integrity of both the tool and the results it displays on screen; since a compromised system cannot be trusted, neither can a check run from it.
In order to ensure system integrity, it is therefore necessary to detect intrusions at a higher level. This is the goal of integrity checkers like Tripwire.
Tripwire, originally developed by Eugene Spafford and Gene Kim in 1992, ensures system integrity by continuously monitoring changes to selected files and folders. It carries out integrity checks and maintains an up-to-date signature database. At regular intervals, it inspects the following characteristics of each file in order to tell whether it has been modified and/or compromised:
- date last modified;
- access date;
- file size;
- file signature.
Alerts are sent by email, preferably to a remote server, so as to keep the hacker from erasing them.
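As an added example of the checking loop described above (my illustrative code, not Tripwire's), the script below records the size, modification time and a SHA-256 hash of every regular file under a directory, stores the result as a JSON signature database, and on a later run reports which files were added, removed or modified and which attribute changed. The demo() scenario, with its file names and contents, is constructed for illustration. The access date listed above is deliberately not recorded: reading a file to hash it updates its access time on most systems, so the checker would otherwise flag its own previous run.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Attributes compared on each run (access time omitted, see the lead-in).
CHECKED_ATTRS = ("size", "mtime_ns", "sha256")


def fingerprint(path: Path) -> dict:
    """Return the recorded attributes of one regular file."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Walk root and map each regular file (relative POSIX path) to its fingerprint."""
    rootp = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(rootp):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are skipped in this toy version
            baseline[p.relative_to(rootp).as_posix()] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, db_path: str) -> None:
    """Write the signature database; in practice keep it on read-only or remote storage."""
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path: str) -> dict:
    with open(db_path) as f:
        return json.load(f)


def check_integrity(root: str, baseline: dict) -> dict:
    """Compare the live tree against the baseline.

    Returns {"added": [...], "removed": [...], "modified": {path: [changed attrs]}}.
    """
    current = build_baseline(root)
    modified = {}
    for rel in sorted(set(current) & set(baseline)):
        changed = [a for a in CHECKED_ATTRS if current[rel][a] != baseline[rel][a]]
        if changed:
            modified[rel] = changed
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": modified,
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        db = str(Path(tmp) / "baseline.json")
        save_baseline(build_baseline(str(root)), db)

        # Simulated compromise, as described in the article: a system tool
        # replaced by a rootkit version, a hidden file dropped, a file deleted,
        # and passwd left untouched so it must not be reported.
        (root / "bin" / "ps").write_bytes(b"replaced ps binary that hides processes\n")
        (root / "bin" / ".hidden").write_bytes(b"dropped file\n")
        (root / "etc" / "motd").unlink()
        return check_integrity(str(root), load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report only means something if the baseline was taken on a machine known to be clean and the database cannot be rewritten by whoever later modifies the files, which is why the text insists on remote or non-rewritable storage for both the database and the alerts.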
Limits to integrity checking
For the results of an integrity checker to be reliable, you must be certain of the machine's integrity at the time it is installed. It is also very difficult to configure this kind of software, as the number of files that may need to be monitored can be very large. What's more, whenever new applications are installed, their files must be configured to be checked.
Additionally, this kind of solution tends to send many false alarms, especially when the system is only modifying configuration files or updating itself.
Finally, if the machine is actually compromised, the hacker might attempt to compromise the integrity checker before the next update, which is why it is important to store alerts on a remote machine or a non-rewritable external medium.
Article written 22 May 2006 by Jean-François Pillou.