System intrusion detection

Last Updated: Jan 21, 2014
Some warning signs of system intrusion:
  • Unusual login behaviors: perhaps no one can log in, or there is difficulty getting root access; any strangeness with adding or changing passwords.

  • System utilities are slower, awkward, or show unexpected results. Some common utilities that might be modified are: ls, find, who, w, last, netstat, login, ps, and top.

  • Files or directories named ... or .. or with hacker-looking names like r00t-something.

  • Unexplained bandwidth usage or connections.

  • Logs that are missing completely, or missing large sections; a sudden change in syslog behavior.

  • Mysterious open ports or processes (for example, cat /proc/*/stat | awk '{print $1, $2}' lists process IDs and names straight from /proc, independently of ps).

  • Files that cannot be deleted or moved. The first thing that an intruder typically does is install a rootkit, a script or set of scripts that makes modifying the system easy so that the intruder is in control and well-hidden. You can visit http://www.chkrootkit.org and download their rootkit checker.

  • Log messages indicating an interface entering promiscuous mode, signaling the presence of a sniffer.

A compromised system will undoubtedly have altered system binaries, and the output of system utilities cannot be trusted. You cannot rely on anything within the system for the truth. Re-installing individual packages might or might not help, since the system libraries or kernel modules could be compromised. There is no way to know with certainty exactly what components have been altered.
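The following script is an added example and is not part of the original article. It turns two of the warning signs above into text-driven checks: PIDs present under /proc but missing from the ps listing, and syslog lines in which an interface entered promiscuous mode. The sample PID lists and log lines are constructed; the kernel message format "device ethX entered promiscuous mode" is the one Linux actually logs.

```shell
#!/bin/sh
# Added example, not from the original article. Two of the warning signs above
# as text-driven checks: processes present in /proc but missing from ps, and
# syslog lines where an interface entered promiscuous mode. Both functions take
# captured text so they can be run against data copied off a suspect host.

# hidden_pids PROC_LIST PS_LIST
#   PROC_LIST: newline-separated PIDs seen under /proc (ls /proc | grep '^[0-9]')
#   PS_LIST:   newline-separated PIDs reported by ps   (ps -eo pid= | tr -d ' ')
# Prints, space-separated, the PIDs that ps does not report. A trojaned ps
# hides the intruder's processes; /proc still lists them unless the kernel
# itself has been modified.
hidden_pids() {
    printf '%s\n' "$1" \
        | grep -v -x -F -e "$2" \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# promisc_events SYSLOG_TEXT
#   Prints the interfaces named in kernel messages of the form
#   "device eth0 entered promiscuous mode", which the Linux kernel logs when
#   a sniffer (or a legitimate capture tool) enables promiscuous mode.
promisc_events() {
    printf '%s\n' "$1" \
        | sed -n 's/.*device \([^ ]*\) entered promiscuous mode.*/\1/p' \
        | sort | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample data standing in for captures from a suspect host.
SAMPLE_PROC_PIDS='1
2
517
1042
2187'
SAMPLE_PS_PIDS='1
2
517
1042'
SAMPLE_SYSLOG='Jan 21 03:14:07 host kernel: device eth0 entered promiscuous mode
Jan 21 03:14:09 host sshd[517]: Accepted publickey for alice from 192.0.2.10 port 50122
Jan 21 03:15:02 host kernel: device eth0 left promiscuous mode
Jan 21 03:20:44 host kernel: device eth1 entered promiscuous mode'

echo "PIDs in /proc but hidden from ps: $(hidden_pids "$SAMPLE_PROC_PIDS" "$SAMPLE_PS_PIDS")"
echo "Interfaces that entered promiscuous mode: $(promisc_events "$SAMPLE_SYSLOG")"
```

On a live host, call hidden_pids "$(ls /proc | grep '^[0-9]')" "$(ps -eo pid= | tr -d ' ')" and expect the odd one-off difference from processes that start or exit between the two snapshots. As the paragraph above notes, a kernel-level rootkit can hide from /proc as well, so an empty result is not proof of a clean system.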