Intrusion
An intrusion is an attempt to gain unauthorized access to a system. The purpose may be simply to test the security of the network, to use the compromised machine as a launching pad for further attacks on other systems, to modify information, or to steal information.
Problem:
An intrusion is typically committed by gaining initial access to a particular host, most often by discovering the password of a user account on that system (for example, from captured network traffic). The intruder then attempts to become root on the compromised host, and from there to carry out the following activities:
Sniffer attacks - capturing data, including cleartext passwords, as it traverses the network
E-mail attacks - gaining system access through vulnerabilities in mail and other network service software
Network File System attacks - gaining access to data through vulnerabilities in NFS and the underlying operating system software
Network Infrastructure attacks - denial of service through attacks on routers and name servers; a subverted name server can also be used to impersonate a legitimate server
IP spoofing attacks - gaining system access by forging the source address of packets so that they appear to come from a trusted host, which can defeat address-based access controls on firewalls and hosts
WWW threats - gaining user or system information through web servers or CGI programs
Solutions:
Report the intrusion to your Internet Service Provider
The report should include the following:
The originating IP address
Timestamp with the exact time zone, e.g. GMT, PDT, MYT
Brief description of the method used in the activity
Check your systems for signs of intrusion related to this incident.
Check the su, ftpd, and ftp binaries (for example, "/bin/su", "/usr/ucb/ftp" and "/usr/etc/in.ftpd" on Sun systems) against copies from distribution media.
Check for the presence of any of the following files: "/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot), "/usr/etc/.getwd", "/var/crash/.getwd", or "/usr/kvm/..." (dot dot dot).
Check for the presence of "+" in the "/etc/hosts.equiv" file.
Check the home directory for each entry in the "/etc/passwd" file for the presence of a ".rhosts" file containing "+ +" (plus space plus).
Search the system for the presence of the following set-uid root files: "wtrunc" and ".a".
Check for the presence of the set-uid root file "/usr/lib/lpx".
You may refer to the following URL for a more complete intrusion detection checklist:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
Take the following steps to secure your systems.
Save copies of the identified files to removable media.
Replace any modified binaries with copies from distribution media.
Remove the "+" entry from the "/etc/hosts.equiv" file and the "+ +" (plus space plus) entry from any ".rhosts" files.
Remove any of the set-uid root files that you find, i.e. "wtrunc", ".a" and "/usr/lib/lpx" as listed above.
Change every password on the system.
Inspect the "..." (dot dot dot) and ".getwd" files listed above for references to other hosts; these are typically sniffer output, and the administrators of any host named in them should be warned that passwords may have been captured.
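The detection checks above and the final recovery step (looking for other hosts referenced in the sniffer output) collected into one script. This is an added example written for this page, not code from the original advisory or from CERT. The distribution-media mount point (/mnt/cdrom), the root-prefix argument (so a disk image mounted read-only can be audited instead of the live host), and the IPv4-only address extraction are assumptions of the example; the file and path names are the ones quoted in the text.

```sh
#!/bin/sh
# Added example for this page (not from the original advisory or CERT).
# Runs the detection checks above against a root prefix, so the same script
# can audit "/" on the suspect host or a disk image mounted read-only.
# Assumptions: distribution copies of the binaries live under DIST_DIR
# (default /mnt/cdrom); the set-uid search reports every set-uid file with
# the listed names and prints its owner instead of filtering on root.

DIST_DIR="${DIST_DIR:-/mnt/cdrom}"

# Names quoted in the text, relative to the root prefix.
SUSPECT_BINARIES="bin/su usr/ucb/ftp usr/etc/in.ftpd"
SNIFFER_FILES="usr/etc/... var/crash/... usr/etc/.getwd var/crash/.getwd usr/kvm/..."
SETUID_PATH="usr/lib/lpx"

# Each check prints one line per finding and returns 1 if anything was found.

# 1. Compare su/ftp/ftpd with the copies on distribution media.
check_binaries() {
  root="$1"; dist="${2:-$DIST_DIR}"; bad=0
  for f in $SUSPECT_BINARIES; do
    if [ -f "$root/$f" ] && [ -f "$dist/$f" ]; then
      cmp -s "$root/$f" "$dist/$f" || { echo "MODIFIED: /$f"; bad=1; }
    fi
  done
  return $bad
}

# 2. Sniffer log and helper files hidden under "..." and ".getwd" names.
check_sniffer_files() {
  root="$1"; bad=0
  for f in $SNIFFER_FILES; do
    if [ -e "$root/$f" ]; then echo "FOUND: /$f"; bad=1; fi
  done
  return $bad
}

# 3. A line that is exactly "+" in hosts.equiv trusts every host; "+ +" in a
#    .rhosts trusts every user on every host. Home directories come from
#    field 6 of passwd (paths containing spaces are not handled).
check_trust_files() {
  root="$1"; bad=0
  if [ -f "$root/etc/hosts.equiv" ] && grep -qxF '+' "$root/etc/hosts.equiv"; then
    echo "TRUST: /etc/hosts.equiv contains '+'"; bad=1
  fi
  if [ -f "$root/etc/passwd" ]; then
    for home in $(cut -d: -f6 "$root/etc/passwd"); do
      if [ -f "$root$home/.rhosts" ] && grep -qxF '+ +' "$root$home/.rhosts"; then
        echo "TRUST: $home/.rhosts contains '+ +'"; bad=1
      fi
    done
  fi
  return $bad
}

# 4. Set-uid files named wtrunc or .a anywhere in the tree, plus /usr/lib/lpx.
check_setuid_files() {
  root="$1"; bad=0
  hits=$(find "${root:-/}" -type f \( -name wtrunc -o -name .a \) -perm -4000 2>/dev/null)
  if [ -n "$hits" ]; then
    echo "$hits" | while read -r f; do
      echo "SETUID: owner $(ls -ld "$f" | awk '{print $3}') $f"
    done
    bad=1
  fi
  if [ -u "$root/$SETUID_PATH" ]; then echo "SETUID: /$SETUID_PATH"; bad=1; fi
  return $bad
}

# 5. Addresses of other hosts that appear in the sniffer files, de-duplicated,
#    so their administrators can be warned (dotted-quad IPv4 only).
hosts_referenced() {
  root="$1"
  for f in $SNIFFER_FILES; do
    if [ -f "$root/$f" ]; then cat "$root/$f"; fi
  done | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Run everything; exit status 1 means something suspicious was found.
run_audit() {
  root="${1%/}"; found=0          # "/" becomes "", so "$root/etc" is "/etc"
  check_binaries "$root"      || found=1
  check_sniffer_files "$root" || found=1
  check_trust_files "$root"   || found=1
  check_setuid_files "$root"  || found=1
  if [ "$found" -eq 1 ]; then
    echo "Hosts referenced in sniffer output:"
    hosts_referenced "$root"
  fi
  return $found
}

# Usage: sh intrusion_check.sh /            (on the suspect host)
#        sh intrusion_check.sh /mnt/image   (image mounted read-only elsewhere)
if [ $# -gt 0 ]; then run_audit "$1"; fi
```

Run it as root so that every home directory and the whole tree are readable; on a live host the binaries you run (find, grep, ls) may themselves be trojaned, which is why auditing a mounted image from a clean system is preferable. The checks only cover the specific artifacts named on this page; a clean result does not prove the host is clean.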
You may also refer to the following site for further information on the steps for recovering from a UNIX root compromise:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html