DShield has a nice web page where you can check whether an IP address appears in the DShield database as an attacker; if your own address is listed, that is a strong sign the machine has been compromised. There have been some extensions of this service, such as Johannes Ullrich's "amIhacked?".
I decided this was quite a nice service, so I hacked up a Perl script which does the check for me. I then made a quick cron script which only mails me if my machine ever appears as an attacker, so my daily cron output isn't cluttered. This is not a foolproof method: it is possible for a machine to be cracked and never appear in the DShield database, but if it does appear there is a fairly good chance something is wrong.
$ hackcheck.pl
146.231.115.12 is Safe
$ hackcheck.pl 0.0.0.0
0.0.0.0 is Hacked : It appears 157,699 times.
The cron script is very simple. Just drop it into /etc/cron.daily or the like.
#!/bin/sh
# Daily DShield check: mail only when this host's address is listed as an attacker.
# Do nothing on hosts where the checker is not installed.
test -f /usr/bin/hackcheck.pl || exit 0
MAILTO=root
# Put the IP address of the machine you want checked here
IP=0.0.0.0
[ -z "$MAILTO" ] && exit 1
# hackcheck.pl exits with status 1 when the address appears in the DShield database;
# the first run only collects the status, the second produces the report to mail.
hackcheck.pl "$IP" > /dev/null
if [ "$?" -eq 1 ]; then
    hackcheck.pl "$IP" | \
    mail -e -s "DShield Hack Warning \
on $(hostname -f) [$(date +%D)]" "$MAILTO"
fi
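A Python reimplementation of the check, added here as an example and not the author's hackcheck.pl. It assumes the ISC/DShield per-IP JSON endpoint (https://isc.sans.edu/api/ip/ADDRESS?json) and its "count" field, prints the same "Safe"/"Hacked" line shown above, and uses exit status 2 for lookup failures so the cron wrapper's test for status 1 does not send a hack warning on a network error.

```python
#!/usr/bin/env python3
"""Check whether an IP address appears in DShield's attacker database.

Exit status: 0 = not listed, 1 = listed (matches the cron wrapper's
test for "$?" -eq 1), 2 = lookup failed (never mailed as a warning).
"""
import json
import sys
import urllib.request

# Assumed endpoint: the ISC/DShield per-IP lookup, JSON flavour.
API_URL = "https://isc.sans.edu/api/ip/{ip}?json"


def fetch_report(ip: str, timeout: float = 15.0) -> dict:
    """Download the raw DShield report for one address (needs network)."""
    with urllib.request.urlopen(API_URL.format(ip=ip), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def attack_count(report: dict) -> int:
    """Number of reports for the address. Assumed layout:
    {"ip": {"count": "157699", ...}}; counts may arrive as strings and
    are null/absent for unseen addresses, so anything unparsable is 0."""
    raw = (report.get("ip") or {}).get("count")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return 0


def verdict(ip: str, report: dict) -> tuple[str, int]:
    """Render the one-line message and the exit code the cron script expects."""
    n = attack_count(report)
    if n > 0:
        return f"{ip} is Hacked : It appears {n:,} times.", 1
    return f"{ip} is Safe", 0


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print("usage: hackcheck.py IP", file=sys.stderr)
        return 2
    ip = argv[1]
    try:
        report = fetch_report(ip)
    except Exception as exc:  # DNS, TLS, HTTP or JSON failure: not a verdict
        print(f"{ip}: DShield lookup failed ({exc})", file=sys.stderr)
        return 2
    message, code = verdict(ip, report)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```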
DShield relies on the submissions of people from around the world. Find out how you can contribute by submitting your logs here.
Barry Irwin
