Unusual Files or File Contents

Crackers frequently leave behind odd files or file entries. Some of these have been alluded to already, in "Odd System Behavior." In particular, /etc/passwd may hold accounts it shouldn't contain, and log files may show odd entries, be edited, or even be missing entirely. Other files are very sensitive, as well. Pay particular attention to the files in /etc and its subdirectories: most servers read their configuration files from this directory tree, and the system startup scripts reside here, as well. Keep a backup of this directory tree on a write-protected removable medium so that you can verify that files haven't been altered. Such a comparison is only as trustworthy as the tools you run it with, so perform it with known-good binaries (for instance, after booting from a rescue medium) rather than with the possibly compromised system's own copies.
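As an added illustration (not code from the book or from Tripwire), the following Python script performs the baseline-and-compare check this paragraph describes for /etc, and also the check the next paragraph describes for program directories. It records SHA-256 digests for every file under a directory tree, the list one would copy to write-protected media, re-scans later, and reports files that were added, removed or modified. It additionally flags any new program name that is one typo away from an existing command, the misspelled-command trick. The tree it scans is a constructed sample in a temporary directory standing in for /etc, /usr/bin and /var/log; the file names and contents (a toor account, an sl binary, a deleted secure log) are hypothetical.

```python
"""Baseline-and-compare check for configuration and program directories.

Added example, not code from the original text. Everything it scans is a
constructed sample tree in a temporary directory standing in for /etc,
/usr/bin and /var/log; the file names and contents are hypothetical.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a real tool would record the link target; skipped here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Report paths added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def edit_distance_one(a, b):
    """True if b differs from a by one insertion, deletion, substitution or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True  # single substitution (ls -> lz)
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])  # swap (sl/ls)
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))  # lss/ls


def lookalike_commands(new_names, known_commands):
    """Pair each new program name with any known command it is one typo away from."""
    return [(n, k) for n in sorted(new_names) for k in sorted(known_commands)
            if edit_distance_one(n, k)]


def demo():
    """Build a sample tree, baseline it, simulate tampering, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        # Constructed "clean" system: what the write-protected baseline would record.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("etc/init.d/sshd", "#!/bin/sh\n/usr/sbin/sshd\n")
        write("usr/bin/ls", "stand-in for the ls binary\n")
        write("usr/bin/more", "stand-in for the more binary\n")
        write("var/log/secure", "Jan  1 00:00:01 host sshd[1]: Accepted publickey for admin\n")
        baseline = snapshot(root)

        # Simulated intrusion (all hypothetical): extra UID 0 account, edited
        # startup script, look-alike program installed, log file deleted.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\n")
        write("etc/init.d/sshd", "#!/bin/sh\n/tmp/.hidden/listener &\n/usr/sbin/sshd\n")
        write("usr/bin/sl", "stand-in for a trojan that runs when ls is mistyped\n")
        os.remove(os.path.join(root, "var", "log", "secure"))
        current = snapshot(root)

        report = diff_snapshots(baseline, current)
        known = {os.path.basename(p) for p in baseline if p.startswith("usr/bin/")}
        fresh = {os.path.basename(p) for p in report["added"] if p.startswith("usr/bin/")}
        report["lookalikes"] = lookalike_commands(fresh, known)
        return report


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:10s} {items}")
```

Two design points are worth noting. The look-alike check is applied only to names that were not in the baseline, because many legitimate commands are a single edit apart (ls and ln, cat and cut), so running it over the whole directory would drown you in false positives. And a digest list catches content changes only; a tool such as Tripwire also records ownership, permissions, inode numbers and timestamps, which this example omits, and the baseline itself must be stored where an intruder cannot rewrite it.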

Crackers often add program files to normal program file directories such as /bin and /usr/bin. Sometimes these files are named after common misspellings of ordinary commands, intended to run when the system administrator mistypes the target command. Of course, a Linux system contains so many program files that you can't reasonably check every directory by hand for files that don't belong there. Tools such as Tripwire are designed to do this job: they record a baseline of file digests, ownership and permissions and report later deviations from it.

User Complaints

As a system administrator, you should know how your systems normally operate. Your systems' users will also know how the systems they use operate, but from a different perspective. Sometimes this perspective will be helpful in discovering problems. Your users may complain of system slowdowns (indicating unusually high load averages, network traffic, or low-memory conditions), odd program behavior, or other issues described earlier, in "Odd System Behavior." Treat such complaints seriously. They may or may not turn out to be security problems, but whatever the cause, the problems should be fixed.

Users might also notice problems with physical security, such as suspicious individuals watching people log in on public terminals or open doors that should be locked. Investigate such reports. If necessary, contact appropriate physical security authorities or others responsible for the security features in question.
