| FRONTPAGE | DOWNLOADS | ABOUT ME | TERMS & CONDITIONS |

SA Security Bloggers

link SensePost
link Haroon Meer
link Matt Erasmus
link Andrew Mohawk
link Junaid Loonat
link Barry Irwin
link Tom Wells
link Allen Baranov
link Jock Forrester
link IT Security Pubcast
link Telspace
link ISGAfrica
link Ralfe Poisson

Popular Entries

Articles
link Vulnerability Life Cycle - threat modelling
link Web Hacking 2.0
link Why Exploit Markets are Bad
link Ettercap-NG Workings and Defence
link The Zotob Summary

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.
Random Entry: Password Strength Checker & Generator
< Charity and the Poor | Ubuntu Shirt: Week One >

Sunday, August 7. 2005

Am I Hacked?

Security

DShield has a nice webpage where you can check whether an IP address appears in the DShield database as an attacker, a good sign that your machine has been compromised. There have been some extensions of this service, such as Johannes Ullrich's "amIhacked?".

I decided this was quite a nice service, so I hacked up a perl script which will do the check for me. I then made a quick cron script which would only mail me if my machine ever appears as an attacker, thus my daily runs aren't cluttered. This is not a foolproof method. It is possible for a machine to get cracked and not appear in the DShield database, but if it is there then there is a fairly good chance something is wrong.

The script is simple, no arguments and it checks your machines IP, or pass an IP to see if it is in the database. It is available for download here. Example output: 
$ hackcheck.pl
146.231.115.12 is Safe
$ hackcheck.pl 0.0.0.0
0.0.0.0 is Hacked : It appears 157,699 times.

The cron script is very simple. Just drop it into /etc/cron.daily or the like. 

#!/bin/sh
test -f /usr/bin/hackcheck.pl || exit 0

MAILTO=root

#Put the IP address of the machine you want checked here
IP=0.0.0.0

[ -z "$MAILTO" ] && exit 1

hackcheck.pl $IP > /dev/null
if [ "$?" -eq "1" ]; then
        hackcheck.pl $IP| \
        mail -e -s "DShield Hack Warning \
        on $(hostname -f) [$(date +%D)]" $MAILTO
fi

DShield relies on the submissions of people from around the world. Find out how you can contribute by submitting your logs here.

Posted by Dominic White in Security at 04:16 | Comments (0) | Trackbacks (0)
Last modified on 2005-08-07 07:24

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

Quicksearch

Security Blogs

* ha.ckers.org web application security lab: Browser Differences, Minutia Et Al…

* terminal23: writing compensating controls

* deep inside | security & tools: WASC Threat Classification 2 - Wordle

* Schneier on Security: UAE Man-in-the-Middle Attack Against SSL

* terminal23: incomplete thoughts: dreamy aspects of a solid security posture

* terminal23: incomplete thoughts: 5 of my security pet peeves

* terminal23: incomplete: a better representation of risk and compliance

* terminal23: incomplete: shmoocon podcaster's meetup interesting topics

* terminal23: incomplete: fundamental cultural changes caused by the internet

* terminal23: incomplete: leveling up your security career wow-style

* terminal23: incomplete thoughts: really changing the game?

* Schneier on Security: Successful Attack Against a Quantum Cryptography System

* terminal23: thoughts on the 2010 verizon dbir

* Security Vulnerability Research & Defense: The Enhanced Mitigation Experience Toolkit 2.0 is Now Available

* terminal23: housekeeping - decompression

* terminal23: kidney punches from the windows dll hijacking vuln

* Justice League: Remediation – The Game

* Schneier on Security: Cyber-Offence is the New Cyber-Defense

* ha.ckers.org web application security lab: Throttling Traffic Using CSS + Chunked Encoding

* ha.ckers.org web application security lab: Pyloris and Metering Traffic

(c) Dominic White 2010