the goal of intercepting information regarding user accounts and passwords. The first step in determining whether a sniffer is present on the system is to check whether any process is using a network interface in promiscuous mode. Promiscuous-mode interfaces cannot be detected if the machine has been rebooted after the intrusion was discovered, or if it is running in single-user mode. Keep in mind that certain legitimate network monitors and protocol analyzers also put the network interface into promiscuous mode, so finding a promiscuous interface does not by itself prove that an unauthorized sniffer is at work on the system.
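A concrete way to perform the promiscuous-mode check on a Linux host, as an added example that is not from the book: the kernel exposes each interface's flag word in `/sys/class/net/<iface>/flags`, and `IFF_PROMISC` is bit `0x100` of that word (the same flag that `ip link` prints as `PROMISC`). The function names below are this example's own, and it assumes a Linux host with sysfs mounted.

```shell
#!/bin/sh
# Added example (not from the book): look for interfaces with IFF_PROMISC set
# by reading the Linux sysfs flags file. Function names are this example's own.

# True (exit 0) when the interface flag word in $1 has IFF_PROMISC (0x100) set.
# $1 is the value as printed by /sys/class/net/<iface>/flags, e.g. 0x1103.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Print the name of every interface currently in promiscuous mode, one per line.
# Exit 0 if at least one was found, 1 otherwise.
list_promisc_ifaces() {
    found=1
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue            # no sysfs here (non-Linux) or unreadable
        iface=$(basename "$(dirname "$f")")
        flags=$(cat "$f")
        if flags_has_promisc "$flags"; then
            echo "$iface"
            found=0
        fi
    done
    return $found
}

# Usage (no output means no promiscuous interface was found):
#   list_promisc_ifaces
```

Because the book warns that an intruder may replace system utilities, the same reservation applies here: this check trusts the running kernel's view of the interfaces, so it says nothing useful after a reboot, and a legitimate monitor that is known to be running will show up in the list as well.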
Another aspect to consider is that a sniffer's log files tend to grow quickly; hence a utility like df can come in handy for determining whether part of the file system is larger than expected. Remember that df is often replaced by a Trojan horse when a sniffer has been installed, so make sure you have a clean copy of the utility before you use it. If a sniffer is found on the system, examine its output files to determine which other machines are at risk, i.e., which machines appear in the destination field of the intercepted packets. Where the same passwords are used, or the source and destination machines have a trust relationship, the source machine is at risk as well. In some cases sniffers encrypt their logs, so it is important to check for files that are increasing rapidly in size regardless of their content. Also keep in mind that machines other than those appearing in the sniffer log may be at risk, because the intruder may have obtained earlier logs from the system or through other types of attack.
Another operation is the search for files that are open at a given moment. This can be useful (especially on a machine that has not yet been turned off) for spotting backdoors, sniffers, eggdrop IRC bots, port redirectors like "bnc," and so on. The program used for this purpose is lsof (LiSt of Open Files). It is advisable to run it from a CD-ROM of statically linked, precompiled binaries, so as not to fall into an attacker's booby trap of leaving a trojanized version of this tool "available" to investigators.
There are also tools for detecting rootkits, i.e., the tools an attacker installs after the target machine has been compromised. One of the most widely used is chkrootkit ( http://www.chrootkit.org ), which carries a list of rootkits of varying degrees of sophistication that it should be able to recognize.
For certain types of analysis, in order to identify the features of rootkits or other tools installed by the attacker, debugging or even reverse engineering may prove necessary. This kind of activity may require at least a minimal legal assessment, to ensure that no laws prohibiting reverse engineering, such as the DMCA, are broken.