378 Chapter 16 ■ Evading IDSs, Firewalls, and Honeypots
Host System Intrusions
What is an indicator of an attack on a host? A wide range of activities could be construed
as an attack:
■ File system anomalies such as unknown files, altered file attributes, or altered file contents.
■ New files or folders that appear without explanation or whose purpose cannot be
ascertained. New files may indicate a rootkit or an attack that could spread across
the network.
■ Presence of rogue suid or sgid binaries on a Linux system.
■ Unknown or unexplained modifications to files.
■ Unknown file extensions.
■ Cryptic filenames.
■ Double extensions such as filename.exe.exe.
This is not an exhaustive list. As attackers evolve, so do the attacks that may be used
against a target.
Network Intrusions
Indications of a potential network attack or intrusion include the following:
■ Increased and unexplained use of network bandwidth
■ Probes of, or unexpected services on, systems on the network
■ Connection requests from unknown IPs outside the local network
■ Repeated login attempts from remote hosts
■ Unknown or unexplained messages in log files
Nonspecific Signs of Intrusion
Other signs can appear that may indicate the presence of an intruder or potential intrusion
in progress:
■ Modifications to system software and configuration files
■ Missing logs or logs with incorrect permissions or ownership
■ System crashes or reboots
■ Gaps in the system accounting
■ Unfamiliar processes
■ Use of unknown logins
■ Logins during nonworking hours
■ Presence of new user accounts
■ Gaps in system audit files
■ Decrease in system performance
■ Unexplained system reboots or crashes
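The lists above name the indicators but not how a defender would check for them. The following is an added example, not code from the study guide, that turns a few of them into detection logic: rogue suid/sgid bits and double extensions from the host list, and repeated login attempts from remote hosts and logins during nonworking hours from the network and nonspecific lists. The file listing, the setuid allowlist, and the sshd log lines are constructed for the example; the allowlist and the 08:00 to 18:00 working-hours window are assumptions that a real deployment would replace with its own baseline.

```python
import re
import stat
from collections import Counter

# Constructed sample: (path, st_mode) pairs as os.stat() would report them
# on a Linux host. Paths and modes are made up for this example.
SAMPLE_FILES = [
    ("/usr/bin/passwd", 0o104755),              # expected setuid binary
    ("/tmp/.cache/sh", 0o104755),               # setuid shell copy in /tmp
    ("/home/alice/invoice.pdf.exe", 0o100644),  # double extension
    ("/home/alice/notes.txt", 0o100644),
]
# Assumed allowlist; a real baseline comes from a known-good image of the host.
KNOWN_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(exe|scr|com|bat|dll)$", re.I)

def host_indicators(files, known_suid=KNOWN_SUID):
    """Return (path, reason) pairs for rogue suid/sgid bits and double extensions."""
    findings = []
    for path, mode in files:
        if mode & (stat.S_ISUID | stat.S_ISGID) and path not in known_suid:
            findings.append((path, "rogue suid/sgid"))
        if DOUBLE_EXT.search(path):
            findings.append((path, "double extension"))
    return findings
# Constructed sshd-style syslog lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 02:13:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50212 ssh2
Jan 10 02:13:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jan 10 02:13:07 host sshd[1205]: Failed password for admin from 203.0.113.7 port 50216 ssh2
Jan 10 02:14:30 host sshd[1207]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
Jan 10 09:05:11 host sshd[1300]: Accepted publickey for alice from 192.0.2.20 port 40002 ssh2
"""
LOGIN = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
                   r"(Failed|Accepted) \w+ for (\S+) from (\S+)")

def login_indicators(log_text, fail_threshold=3, work_hours=range(8, 18)):
    """Flag sources with repeated failed logins and successful logins off-hours."""
    fails, off_hours = Counter(), []
    for line in log_text.splitlines():
        m = LOGIN.match(line)
        if not m:
            continue
        hour, result, user, src = int(m[1]), m[2], m[3], m[4]
        if result == "Failed":
            fails[src] += 1
        elif hour not in work_hours:
            off_hours.append((user, src, hour))
    return {s: n for s, n in fails.items() if n >= fail_threshold}, off_hours
```

On the constructed data this reports the setuid shell in /tmp, the double-extension file, three failures from 203.0.113.7, and bob's 02:14 login; the allowlisted passwd binary and alice's daytime login are left alone.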