How to tell if your Linux box has been cracked
Over the last two weeks, I've discussed how to prevent crackers from gaining access to your Linux computer (see 10 minutes to an iptables-based Linux firewall and How to stop crackers with PortSentry). This week, we continue the series with ways you can tell if someone has cracked your machine.
Script kiddies are the worst kind of cracker, primarily because there are so many of them, and most of them are unskilled. It is one thing to be cracked when you have applied all the correct patches, have a tested firewall, and actively run intrusion detection on multiple levels. It is another when you are cracked because you were lazy and didn't, for example, install the latest patch to BIND.
It's embarrassing to be cracked because you weren't paying attention. It's aggravating to realize that some script kiddie downloaded one of the many well-known "root kits" or publicly available exploits, and is having a party with your CPU, storage, data, and bandwidth. How do these villains get started? With "warez," which often includes a root kit.