Detecting a hacked Linode

I came across this article, which is worth a read if you want to know what to do when your Linux server is hacked:

http://security.linux.com/security/05/03/23/2239205.shtml?tid=35

The article references two IDS tools, Tripwire and chkrootkit. I know for a fact that both exist in the Gentoo portage repository, and only chkrootkit of the two is available from the Debian APT repository.

Latest versions of both, as well as more detailed information about the two tools, can be found here:

http://www.chkrootkit.org/

http://www.tripwire.org/
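To make the Tripwire idea concrete, here is an added example (not from the linked article and not the Tripwire or chkrootkit projects' own code): a minimal file-integrity check built from coreutils only. A SHA-256 baseline is taken while the box is known-good; a later run is compared against it and lists modified, added and removed files. The directory tree it runs over is constructed inside the script, and the function names (fim_baseline, fim_verify, fim_demo) are this example's, not Tripwire's.

```shell
#!/bin/sh
# Added example, not from the linked article or the Tripwire/chkrootkit
# projects: a minimal Tripwire-style file-integrity check with coreutils only.
# A baseline of SHA-256 hashes is taken while the box is known-good; later runs
# are compared against it to list modified, added and removed files.
# Limitation (assumption of this toy): paths must not contain whitespace,
# because sha256sum's "hash  path" output is split on spaces.
set -eu

# Write a baseline of "hash  path" lines for every regular file under <dir>.
# Usage: fim_baseline <dir> <baseline_file>
fim_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -exec sha256sum {} + | sort -k 2 > "$out"
}

# Re-hash <dir> and compare against <baseline_file>.
# Prints "MODIFIED path", "ADDED path" or "REMOVED path" per change, sorted.
# Returns 0 when the tree matches the baseline, 1 when anything changed.
# Usage: fim_verify <dir> <baseline_file>
fim_verify() {
    dir=$1; base=$2
    cur=$(mktemp)
    fim_baseline "$dir" "$cur"
    # awk reads the baseline first (NR==FNR) and remembers the hash per path,
    # then walks the current listing: unknown path -> ADDED, different hash ->
    # MODIFIED; whatever is left in the baseline table at the end -> REMOVED.
    changes=$(awk 'NR==FNR { base[$2] = $1; next }
        {
            if (!($2 in base))        print "ADDED " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            delete base[$2]
        }
        END { for (p in base) print "REMOVED " p }' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Self-contained demonstration on a constructed throw-away tree (not a real
# server): take a baseline, simulate an intrusion, then print the changes with
# the temp-dir prefix stripped so the output is stable.
fim_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/etc/passwd"
    printf '127.0.0.1 localhost\n'           > "$tmp/etc/hosts"
    printf 'original ls\n'                   > "$tmp/bin/ls"
    fim_baseline "$tmp" "$tmp.baseline"      # baseline kept outside the tree

    printf 'trojaned ls\n' > "$tmp/bin/ls"    # attacker replaces a binary...
    printf 'backdoor\n'    > "$tmp/bin/sshd2" # ...drops a new one...
    rm -f "$tmp/etc/hosts"                    # ...and deletes a file

    fim_verify "$tmp" "$tmp.baseline" | sed "s|$tmp||"
    rm -rf "$tmp" "$tmp.baseline"
}

fim_demo
```

Two things this toy shares with the real tool are worth keeping in mind. The baseline is only as trustworthy as where it lives: keep it (and the hashing binaries) off the machine or on read-only media, because an intruder with root can regenerate it. And a hash check runs on top of the kernel it is auditing, so a kernel-level rootkit can hand sha256sum the original file contents; that is the gap chkrootkit-style checks and offline inspection are meant to cover.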

6 Replies

Tripwire isn't in Debian because it isn't free (as in freedom).

If you are using Debian, integrit does more or less the same thing.

Mounting noexec,ro where possible is also a simple but good idea.
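As an added illustration of that mount advice (not part of sednet's reply): the weak and hardened fstab entries for a scratch filesystem, plus a small shell audit that checks /proc/mounts-style lines for the options you expect, so you can confirm the change actually took effect after a remount. The device names and mount lines are constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the original thread: an audit helper that checks a
# /proc/mounts (or "mount" output) style line for hardening options such as
# noexec, nosuid, nodev and ro, so you can confirm an fstab change took effect.
#
# Weak /etc/fstab entry versus hardened one for a scratch filesystem
# (device names are assumed, not taken from any real host):
#   /dev/xvdb  /tmp  ext3  defaults                      0 2
#   /dev/xvdb  /tmp  ext3  defaults,noexec,nosuid,nodev  0 2
set -eu

# Print "<mountpoint>: missing <opt>..." if <line> lacks any of the
# comma-separated <required> options; print nothing when all are present.
# Usage: mount_missing_opts "<dev> <mountpoint> <fstype> <opts> <dump> <pass>" "noexec,nosuid,nodev"
mount_missing_opts() {
    line=$1; required=$2
    set -- $line                      # split into the six /proc/mounts fields
    mp=$2; opts=",$4,"                # pad so ",ro," cannot match "errors=remount-ro"
    missing=""
    for o in $(printf '%s\n' "$required" | tr ',' ' '); do
        case $opts in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    [ -n "$missing" ] && printf '%s: missing%s\n' "$mp" "$missing"
    return 0
}

# Demo over constructed /proc/mounts lines (not from a real host); prints the
# audit report. /tmp is fully hardened and produces no line.
mount_audit_demo() {
    mount_missing_opts "/dev/xvda / ext3 rw,errors=remount-ro 0 0"        "ro,nodev"
    mount_missing_opts "/dev/xvdb /tmp ext3 rw,noexec,nosuid,nodev 0 0"   "noexec,nosuid,nodev"
    mount_missing_opts "/dev/xvdc /var/tmp ext3 rw,nosuid 0 0"            "noexec,nosuid,nodev"
}

mount_audit_demo
```

Against a live host, feed it the real table and restrict it to the mount points you meant to harden, for example `grep -E ' /(tmp|var/tmp|home) ' /proc/mounts | while read -r l; do mount_missing_opts "$l" noexec,nosuid,nodev; done`. Treat noexec as defence in depth rather than a wall: a script can still be run by handing it to an interpreter, so the point is to remove the easy path for dropped binaries, not to make the filesystem inert.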

sednet is correct: if one wants Tripwire on Debian, you can add the non-free category and get tripwire.

Another useful approach is to use RIBS to back your Linode up to a local directory, and have it email its reports to you. Any file that gets modified will be picked up by rsync and listed in the report, and you will still have access to older versions.

Erm, the tripwire package is in main, but it's non-US, not non-free, since after all the package in Debian is based off of the GPL sources :)

Package: tripwire
Priority: optional
Section: non-US
Installed-Size: 6564
Filename: pool/non-US/main/t/tripwire/tripwire_2.3.1.2-6.1_i386.deb

Overlord, thanks for the corrections. I didn't bother to check beyond seeing that it was apt-getable ;)

It used to be in non-free until the Tripwire people released a GPL version, which replaced what was in Debian, so it was moved :)
