
Somebody is accusing me that my Linux Ubuntu machine could be the source of a server attack.

Their technique was replacing the original ssh with this patched ssh, which eliminated all sshd logging and debugging information while allowing any user account to be logged into when provided a special password; also, in some cases, they made links between this spurious ssh2 and the original ssh. This explains why, on , I found the ssh host key changed. Additionally, they put some other stuff in /tmp/, /var/tmp/, /dev/.lib1/ and /dev/shm/.

Any ideas if this can be possible? I didn't have other reports and I am connecting through ssh to at least a dozen other servers. How to check for sniffers in Ubuntu? How can I check if my ssh is still valid?

Josh Brower

6 Answers


Is it something like rkhunter (http://www.rootkit.nl/) you are looking for? It is available as a deb package (aptitude install rkhunter).

pvledoux

As pehrs said, probably you are not interested in detecting a sniffer. (Even if someone is sniffing your network, it won't make sense because your stream is encrypted. He should do offline analysis, which will take time / weeks / months / years depending on your password.)

But, in case you ask how you could detect if something is changed, have a look at ossec. It's a really good tool for detecting intrusions. It can be used for many, many things.

P.S. In case you are really interested in detecting the sniffer, have a look at Find Sniffer on LAN.

cheers


Any ideas if this can be possible?

Yes, that is possible. :)

I didn't have other reports and I am connecting through ssh to at least a dozen other servers.

With a hacked ssh? Yikes!

How to check for sniffers in Ubuntu?

Do you mean looking for rootkits, replaced files, or network scanning software?

If your ssh process is hacked, there is only one solution for this: SHUTDOWN THE MACHINE NOW! Just pull the plug, to avoid shutdown scripts running, and relax again :)

You can't really try to fix a hacked system, because you can't tell which other parts of the machine are infected, and allow the hack to continue. The only sane way is doing a fresh installation, and copying your documents from the old disk.

The old disk can be used for inspection (from a different system), and comparing the binary files with the files your package manager installed.

vdboor

The safest option is to back up your configs, format the system, then do a fresh install and make sure it's fully updated as soon as possible, preferably offline.

However, it sounds like this was just an accusation from someone on the Internet. What evidence do they have? Is there anything suspicious that you see happening on your machine?

Regardless, one thing you might try is passing your network connection through another system and monitoring the traffic going to and from it. Something like ntop or etherape can help.

dpflug

Are you trying to verify your sshd?

If yes, then you could probably do two things: 1) check the official checksum against yours (someone said it before); 2) use lsof to check what files the sshd has open. One common thing is to modify sshd, keep the passwords somewhere and afterwards withdraw the file using a backdoor.

Generally, what I suggest is to temporarily replace the sshd with another version, but keep the "hacked" version for further testing (if it's hacked and you haven't changed anything on your system, then you are still vulnerable, so examining the sshd may help you).

But, just in case, have a look for possible backdoors. Have you kept any logs from the "attack"?
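Two answers in this thread point at the same check: comparing the files on the old disk with what the package manager installed (vdboor's answer) and comparing the official checksums against yours (point 1 above). The script below is an added example, not code from the thread or from any of its authors; it assumes you have downloaded the distribution's openssh-server .deb on a trusted machine and extracted it with `dpkg-deb -x` into a reference directory, and that the old disk is mounted read-only (the /mnt/old path and the file names used are placeholders).

```shell
#!/bin/sh
# Compare every regular file shipped in a reference tree (a freshly
# downloaded package extracted on a trusted machine) against the same
# path under a suspect root (the old disk mounted read-only).
# Assumed usage:  dpkg-deb -x openssh-server_*.deb ./ref
#                 compare_tree ./ref /mnt/old
# Prints one line per finding; exit status 0 only when everything matches.

hash_file() {
    # sha256sum comes with coreutils; shasum is the BSD/macOS fallback
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

compare_tree() {
    ref_root=$1
    suspect_root=$2
    status=0
    # files relative to the reference root, one per line
    files=$(cd "$ref_root" && find . -type f)
    while IFS= read -r ref_file; do
        [ -n "$ref_file" ] || continue
        rel=${ref_file#./}
        suspect="$suspect_root/$rel"
        # a regular file turned into a link is a finding on its own
        # (the accusation mentions links between a spurious ssh2 and the real ssh)
        if [ -L "$suspect" ]; then
            echo "SYMLINK  /$rel -> $(readlink "$suspect")"
            status=1
        elif [ ! -f "$suspect" ]; then
            echo "MISSING  /$rel"
            status=1
        elif [ "$(hash_file "$ref_root/$rel")" != "$(hash_file "$suspect")" ]; then
            echo "MODIFIED /$rel"
            status=1
        fi
    done <<EOF
$files
EOF
    return $status
}

# run directly: sh compare_tree.sh <reference-root> <suspect-root>
if [ "$#" -eq 2 ]; then
    compare_tree "$1" "$2"
fi
```

Run it from the trusted system, never from the suspect installation itself, since a tampered sshd could come with a tampered sha256sum or dpkg just as easily.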


You want to build a CD with a root file system, assorted rootkit-finding tools and (if you have it) a tripwire database from your system, from a point in time when you know it was not hacked.

Though, to some extent, checksums from an ssh binary installed from the same repository should be decent enough, I guess.

Vatine