Server integrity check

Integrity check

When a server has been compromised, the hacker usually covers his/her tracks by deleting all records of his/her activity from the logs. Additionally, he/she installs some tools to enable him/her to create a backdoor, in order to facilitate a return visit later on.

Ever clever, the hacker usually fixes the vulnerability which had allowed him/her to gain entry, so that other hackers can't infiltrate it in turn.

However, the hacker's presence can be revealed by certain administrative commands which display a list of processes underway, or of users connected to the machine. For this reason, tools called rootkits have been developed to overwrite these system tools and replace them with equivalent functions which hide the hacker's presence.

It is easy to see why, in the absence of obvious damage, an administrator may find it difficult to tell if a computer has been compromised. One of the first things to do once an intrusion has been detected is to establish when it occurred, in order to determine which other servers may have been affected, and how.

In general, servers use files to store logs of their activity, and in particular any errors encountered.

Moreover, it is rare for a hacker to successfully compromise a system on the first try. He/she usually works by trial and error, testing out various requests, and these failed attempts leave traces in the logs.

This is why log monitoring can be used to detect suspicious activity. It is particularly important to monitor the logs of security-related software; as well-configured as they may be, they can still be the target of an attack.

Checking for the presence of rootkits

There are some programs (chkrootkit, for example) which are used to check if there are rootkits on a system. However, in order to be able to use such tools, you must be certain of the integrity of the tool and of the results it displays onscreen. Therefore, results obtained on a compromised system cannot be considered reliable.

Analysing integrity

In order to ensure system integrity, it is therefore necessary to detect intrusions at a higher level. This is the goal of integrity checkers like Tripwire.

The software Tripwire, originally developed by Eugene Spafford and Gene Kim in 1992, is used to ensure system integrity by constantly monitoring changes to certain files and folders. Tripwire carries out integrity checks and maintains an up-to-date signature database. At regular intervals, it inspects the following file characteristics in order to tell if they have been modified and/or compromised:

  • permissions;
  • date last modified;
  • access date;
  • file size;
  • file signature.
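As an added example (not Tripwire's own code, nor the article's), the following Python script implements the check just described: it builds a signature database of the five listed characteristics for every file under a directory, then compares a later snapshot against it. The scratch files and the tampering in `demo()` are constructed for the demonstration; the access date is excluded from the comparison by default, because reading a file in order to hash it updates that very attribute.

```python
"""Minimal Tripwire-style integrity check (added example, not Tripwire's own code)."""
import hashlib, os, stat, tempfile
from pathlib import Path

def file_record(path):
    """The characteristics Tripwire monitors, collected for one regular file."""
    st = os.stat(path)                    # stat first so atime is the pre-read value
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"mode": stat.filemode(st.st_mode),   # permissions
            "mtime": st.st_mtime_ns,             # date last modified
            "atime": st.st_atime_ns,             # access date
            "size": st.st_size,                  # file size
            "sha256": h.hexdigest()}             # file signature

def snapshot(root):
    """Signature database: one record per file below root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

# atime is noisy: the checker's own hashing reads each file and so updates it,
# one source of the false alarms the article mentions; ignored by default.
def compare(baseline, current, ignore=frozenset({"atime"})):
    """Return (path, kind, changed_fields) for every difference between two snapshots."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed", []))
        elif path not in baseline:
            findings.append((path, "added", []))
        else:
            changed = [k for k in baseline[path]
                       if k not in ignore and baseline[path][k] != current[path][k]]
            if changed:
                findings.append((path, "modified", changed))
    return findings

def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ps").write_bytes(b"original ps binary (constructed)\n")
        (root / "etc.conf").write_text("log=/var/log/messages\n")
        baseline = snapshot(root)
        (root / "ps").write_bytes(b"replaced binary (constructed tampering)\n")
        (root / "ls").write_bytes(b"new file (constructed)\n")
        (root / "etc.conf").unlink()
        return compare(baseline, snapshot(root))
```

In a real deployment the baseline returned by `snapshot()` must itself be stored where the attacker cannot rewrite it, otherwise the comparison proves nothing.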

Alerts are sent by email, preferably to a remote server, so as to keep the hacker from erasing them.

Limits to integrity checking

For the results of an integrity checker to be reliable, you must be certain of the machine's integrity at the time it is installed. It is also very difficult to configure this kind of software, as the number of files that may need to be monitored can be very large. What's more, whenever new applications are installed, their files must be configured to be checked.

Additionally, this kind of solution tends to send many false alarms, especially when the system is only modifying configuration files or updating itself.

Finally, if the machine is actually compromised, the hacker might attempt to compromise the integrity checker before the next update, which is why it is important to store alerts on a remote machine or a non-rewritable external medium.

Article written 22 May 2006 by Jean-François Pillou.

Last update on Thursday October 16, 2008 02:43:19 PM. This document entitled « Server integrity check » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.
