If your system has been compromised, or if you think it might have been compromised, you should immediately check for files that may have been modified by the intruder. The intruder may have changed files in an extremely subtle way to install a backdoor so they can break into the system again. For example, the intruder might alter a standard script so that a particular parameter opens a backdoor, or they may simply make a vulnerable script sticky (set-user-ID), so that it executes with the privileges of the script's owner, and use it to break root. The find command is an extremely useful utility for finding such changes.
- find command
The find command is used to locate files in the specified path or paths that match the criteria given by its options. The table below shows various uses of the find command.
You should have some idea when the break-in may have occurred, so use the find command to search for file modifications within the timeframe in which you believe the attack occurred. For example, the following command finds all files in the /etc, /sbin, and /usr/sbin directories whose contents have been modified within the past 48 hours:

find /etc /sbin /usr/sbin -mtime -2 -ls
Because sticky (set-user-ID or set-group-ID) files are a particular security hazard, you may wish to look specifically for all sticky files on your filesystem. The following table shows various find command lines that search for sticky files.

Command | Description
find /etc /sbin /usr/sbin -perm /6000 -ls | Finds all sticky (user or group) files in the requested directories
find / -perm /6000 | Finds all sticky (user or group) files on your filesystem
find / -perm /6000 -ctime -2 | Finds all sticky (user or group) files on your filesystem whose attributes have been changed within the past 48 hours
For more information, consult the man pages using the command man find.
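As an added example (not part of the original lesson), the following shell script builds a small constructed directory of sample files and runs the lesson's find tests against it, covering both the -mtime search above and the -perm searches in the table. The fixture paths and the helper names (make_fixture, count_recent, count_both_bits, count_any_bit, demo) are made up for the demonstration; it assumes GNU find for the -perm /mode syntax and a filesystem that stores the set-user-ID and set-group-ID bits.

```shell
#!/bin/sh
# Added example, not part of the original lesson: build a constructed set of
# sample files and run the lesson's find(1) tests against them, to show what
# -mtime -2, -perm -6000 and -perm /6000 actually match.
# Assumes GNU find (the "/mode" form of -perm) and a filesystem that keeps the
# set-user-ID / set-group-ID bits (for example /tmp on Linux).

# make_fixture DIR: create four constructed files under DIR/bin with different
# permission bits; one of them is backdated to the year 2000.
make_fixture() {
    fixture="$1"
    mkdir -p "$fixture/bin"
    : > "$fixture/bin/plain"        # ordinary executable (0755)
    : > "$fixture/bin/setuid_only"  # set-user-ID only (4755)
    : > "$fixture/bin/setgid_only"  # set-group-ID only (2755)
    : > "$fixture/bin/both"         # set-user-ID and set-group-ID (6755)
    chmod 0755 "$fixture/bin/plain"
    chmod 4755 "$fixture/bin/setuid_only"
    chmod 2755 "$fixture/bin/setgid_only"
    chmod 6755 "$fixture/bin/both"
    # Backdate the modification time so this file falls outside a -mtime -2
    # window (touch -t is POSIX: [[CC]YY]MMDDhhmm).
    touch -t 200001010000 "$fixture/bin/plain"
}

# count_recent DIR: files whose contents changed within the past 48 hours,
# the lesson's "find ... -mtime -2" test.
count_recent() {
    find "$1" -type f -mtime -2 | wc -l | tr -d ' '
}

# count_both_bits DIR: "-perm -6000" matches only files that have ALL of the
# bits in 6000 set, i.e. set-user-ID AND set-group-ID.
count_both_bits() {
    find "$1" -type f -perm -6000 | wc -l | tr -d ' '
}

# count_any_bit DIR: "-perm /6000" matches files that have ANY of those bits,
# which is what "set-user-ID or set-group-ID" calls for.
count_any_bit() {
    find "$1" -type f -perm /6000 | wc -l | tr -d ' '
}

# Stand-alone demo: build the fixture in a temporary directory and report.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "modified in last 48h : $(count_recent "$tmp")"     # 3 (plain is backdated)
    echo "-perm -6000 (both)   : $(count_both_bits "$tmp")"  # 1 (only 'both')
    echo "-perm /6000 (either) : $(count_any_bit "$tmp")"    # 3
    find "$tmp" -type f -perm /6000 -ls                       # the audit listing
    rm -rf "$tmp"
}

demo
```

Two points the counts make visible: -perm -6000 silently misses every binary that is set-user-ID but not set-group-ID, so a sweep written that way would overlook most of the interesting files, whereas -perm /6000 (spelled -perm +6000 on older releases of find) catches either bit. When choosing a time window, prefer -ctime to -mtime for intrusion review: touch can reset a file's modification time to any value, but the inode change time is set by the kernel on every change, including that touch, so it is the harder one to forge.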
The next lesson describes the cron facility.
The following section discusses how to find various potentially cracked or abused files.
On Red Hat Enterprise Linux, information about user accounts and groups is stored in several text files within the /etc/ directory. When a system administrator creates new user accounts, these files must either be edited manually or applications must be used to make the necessary changes.