November 27, 2001, 12:00 AM — Many malicious attacks are detected too late, if at all. A seasoned
hacker won't necessarily leave a "Hacked!" note on your company's home
page and they often tamper with the system's log files to hide the
traces of their break-in.. Financial and military organizations are
particularly prone to these types of break-ins where hackers install an
eavesdropping agent (e.g., a packet sniffer or a Trojan horse) or a
virus on the target host. What can you do to avoid this from happening?
First, remember that prevention is the best defense. Make sure that
your system doesn't have any weak links that hackers can exploit:
usernames without passwords, short or easy-to-guess passwords, or
poorly configured authorizations. Still, these measures are useless
once a hacker has already broken into the system and installed
malicious code. What can you do now?
Object reconciliation is a reliable technique for detecting malicious
code on your system. Object reconciliation is a process in which system
objects such as files, directories, and devices are compared against
themselves on an earlier date. A system administrator stores snapshot
information of the system and uses that information to compare the
system's state at a later stage. Although backups can be used for this
purpose, comparing complete files takes a long time. A better technique
is to store only the checksum values of the system's files.
For example, suppose you have a file called "defragment" that contains
a disk defragmentation program. After installing the system, you
collected the checksum values of all existing files,
including "defragment", and stored these values in a special database.
Later, a hacker brakes into the system and tampers with this file.
Consequently, an object reconciliation process will detect that the
tampered file's checksum is different from its original checksum.
Clearly, something is wrong here. You can delete the file and restore
the original one from a safe backup.
Object reconciliation must be performed regularly. Furthermore, storing
the checksum database on read-only media is advisable. The best time to
create the checksum database is right after the system has been
Currently, several object reconciliation tools are available for Linux.
Most of them use the MD5 algorithm to compute a file's checksum as a
128-bit "fingerprint". One such tool is AIDE (Advanced Intrusion
Detection Environment), which is a GPL replacement for Tripwire(TM).
You can find more information about AIDE and download it from