I want to analyze my ubuntu box to detect if it was been hacked. My question is: what are all the place where to look to discover if some malicious software are started ? The following is some kind of raw list:
and ?
My question is totally honest and not malicious. It's only to detect if my box was been compromised.
The objective of malware is to do something. So it will need to communicate with the outside world. So the best approach is to have a look at the network traffic that is occurring on your computer.
I like dnstop utility. Install by sudo apt-get install dnstop
Then run the utility against your network card
sudo dnstop -l 3 eth0
When the utility runs press the 3 key, this will change the screen to display all the dns requests that are made by your computer.
In my case I went to Ubuntu and it tried to access the following
Query Name Count % cum%
-------------------- --------- ------ ------
www.gravatar.com 2 40.0 40.0
askubuntu.com 2 40.0 80.0
ny.stackexchange.com 1 20.0 100.0
This gives me an idea of what web sites were accessed. What you need to do is not do anything and sit back and wait for a while to see what your computer accesses. Then laboriously follow up on all those web sites it accesses.
There are many tools you could use, I thought this was an easy one for you to try out.
You can never know if your PC is already infected or not. You might be able to tell by listening to the traffic coming from your computer. Below are something that you can do to ensure that your system is OK. Keep in mind that nothing is a 100%.
As far as finding out if you've been hacked; you'll get pop-up ads, redirects to sites you didn't intend to visit, etc.
I would have to say that /sys /boot /etc among others are considered important.
Linux malware can also be detected using memory forensics tools, such as Volatility or Volatility
Also you may want to look at Why do I need anti-virus software?. If you want to install an Anti-virus software I would recommend that you install ClamAV
You can also try rkhunter which scans your pc for a lot of common rootkits and trojan horses.
There are specialized distributions like BackTrack that contain software to analyse situations like yours. Due to the highly specialized nature of these tools there is usually a quite steep learning curve associated with them. But then if this is truly a concern for you, it is time well spent.
It's obvious to you (for others sake I'll mention it) if your running your system as a VM then your risk potental is limited. Power button fixes thing in that case, Keep programs inside their sandbox (per~se). Strong passwords. Cant say it enough. From an SA view point, it's your first line defence. My rule of thumb, dont go belove 9 charaters, use Specials, and Upper+ Lower case+ Numbers also. It sounds hard right. IT's easy. Example... 'H2O=O18+o16=water'I use chemestry for some intersting passwords. H2O is water, but the O18 and O16 are diffrent Oxygen isotopes, but in the end, there result is water, there fore "H2O=O18+o16=water'.. Strong pasword. Go with it.. Common complaint is remebering it. SO call that computer/server/terminal 'Waterboy' It may help.
Am I nerding out?!?!
you could install and run ClamAV (softwarecenter) and check for malicious software on your computer. Should you have Wine installed: purge it via Synaptic (complete removal) , and do a reinstall if nessecary.
For the record: there is very few malicious software for Linux (don't mix it with a past with Windows !!), so the chance that your system is compromised is almost zip. A good advice is: chose a strong password for your root (you can easily change that if nessecary).
Don't get to paranoïd about Ubuntu and malicious software; stay within the lines of the softwarecenter/ don't install random PPA's / don't install .deb-packages that have no guarantees nor certified backgrounds ; doing so your system will remain clean without a hastle.
It is also advisable to remove each time you close your Firefox-browser (or Chromium) for having all cookies deleted and clean up your history; this is easily set in preferences.
Back when I ran public servers, I would install them in a non-networked environment and then install Tripwire on them (http://sourceforge.net/projects/tripwire/).
Tripwire basically checked all the files on the system and generated reports. You could exclude the ones that you say are allowed to change (like log files) or that you don't care about (mail files, browser cache locations, etc).
It was a lot of work going through the reports and setting it up, but it was nice to know that if a file changed, and you didn't install an update to change it, you knew there was something that needed to be investigated. I never actually needed all this, but I'm glad we ran it along with firewall software and regular port scans of the network.
For the last 10 years or so I've only had to maintain my personal machine, and with no one else having physical access or accounts on the box, and no public services (or much reason to target my machine specifically) I'm a little more lax so I haven't used Tripwire in years...but it may be something you're looking for to generate reports of file changes.
Best thing to do in your scenario is format weekly or shorter. Install a program like spideroak to sync your data securely. That way after reformat all you have to do is download spideroak and all your data comes back. It used to be easier with ubuntuone but that's gone now :(
btw: spideroak only guarantees zero knowledge if you never access your files on their site via a web session. you must use only their software client to access data and to change your password.
