Once you've followed TrinityOS to a "T", you can be assured that your box is pretty stinkin' secure. BUT... nothing is 100% secure and there will always be a chance that a hacker will find a way into your box.
With this in mind, please read what Brad Alexander had to say:
"As with system administrators and security specialists, there are varying levels of skill among the system crackers. The notes included in this document, and in fact, any notes about what to look for, are subjective, since the cracker will endeavor to cover his tracks. This may include the use of a rootkit, which inserts trojaned binaries such as "ls", "login", "ps" and so forth and hides sniffers on your system, editing out parts of your logfiles, and the like. The attacker may create directories such as "..." or ".. " to hide his warez. The attack, like the individual cracker, will have different personalities. Your best bet, aside from keeping the intruder out, is to run overlapping layers of intrusion detection software, both host-level (such as Abacus Sentry) and network-level (such as SHADOW and Network Flight Recorder). If the cracker attempts to disable one system, it will trigger another. The same should be said for your file monitors (e.g. Tripwire and ViperDB). However, there is no substitute for a familiarity with your system and your filesystem."
Couldn't have said it better. So, with all that in mind, here is my best initial stab at figuring out if you've been hacked:
Here is a quick list that you can follow:
1) Check for any "ESTABLISHED" connections to your box by running "netstat -a | more". If there are connections to your box other than SMTP (port 25 for mail), DNS (port 53), and possibly WWW (port 80) that you don't know about, this should raise a flag. Especially look for SSH, TELNET, or FTP connections.
2) Using your favorite file viewer (vi, Pico, less, etc), look at your log files for strange things like:
You can also use the "pwck" and "grpck" commands to check the password and group files too.
3) Run "last | more" command to see what users have recently logged into your machine.
4) Check the date of the /etc/shadow file to make sure it hasn't been changed recently.
5) If you question the integrity of any of your executable files, verify that they are ok (bearing in mind, as Brad says above, that if the "rpm" binary itself has been trojaned its report can't be trusted either):
Redhat:
rpm -Va
or you can use the following script:
--
#!/bin/sh
# Verify every installed package against the RPM database and log the result.
# rpm --verify prints nothing for a package whose files are all unchanged.
LOG=/tmp/verify.log
for pkg in `rpm -qa`; do
    echo "Verifying $pkg" >> $LOG
    rpm --verify "$pkg" >> $LOG
done
--
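The checks in items 1, 4 and 5 above, written out as shell functions so the rules being applied are explicit. This is an added example and not part of TrinityOS: the allowed-service list, the 7-day window, the classification of rpm verify flags and the sample netstat and rpm output are all assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not part of TrinityOS: the checks from the list above as
# shell functions, so the rules being applied are explicit and testable.
# The allowed-service list, the 7-day window and the sample data are
# assumptions made for this example; adjust them to your own box.

# Check 1: services the text treats as expected on a server (SMTP, DNS, WWW).
# netstat prints either the name from /etc/services or the numeric port.
ALLOWED_SERVICES="smtp domain www 25 53 80"

# Print ESTABLISHED lines from "netstat -a" output ($1) whose local service
# is not allowed. Exit status 1 when something was printed, 0 otherwise.
flag_unknown_established() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_SERVICES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "ESTABLISHED" {
            # field 4 is the local address; the service follows the last colon
            n = split($4, parts, ":")
            if (!(parts[n] in ok)) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Check 4: exit status 0 if file $1 was modified within the last $2 days.
modified_within_days() {
    [ -n "$(find "$1" -prune -mtime "-$2" -print)" ]
}

# Check 5: classify "rpm -Va" output ($1). Each line is a flag string
# (S size, M mode, 5 MD5 sum, D device, L symlink, U user, G group, T mtime),
# an optional "c" for config files, and the path; or "missing <path>".
# A changed sum or size on a non-config file, or any mode/owner/link change,
# is reported as ALERT; an edited config file is only a NOTE; mtime-only
# differences are ignored. Exit status 1 when any ALERT was printed.
classify_rpm_verify() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "ALERT missing " $NF; alerts++; next }
        {
            flags = $1; file = $NF; cfg = (NF == 3 && $2 == "c")
            if (flags ~ /[MUGL]/ || (!cfg && flags ~ /[S5]/)) {
                print "ALERT " flags " " file; alerts++
            } else if (cfg && flags ~ /[S5]/) {
                print "NOTE  " flags " " file " (edited config file)"
            }
        }
        END { exit alerts > 0 ? 1 : 0 }'
}

# Constructed sample data so the functions can be exercised offline.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN
tcp        0      0 myhost:smtp             mail.example.net:4312   ESTABLISHED
tcp        0      0 myhost:www              203.0.113.9:51920       ESTABLISHED
tcp        0      0 myhost:ssh              198.51.100.7:40211      ESTABLISHED
tcp        0      0 myhost:telnet           198.51.100.7:40212      ESTABLISHED'

SAMPLE_RPM='S.5....T   /bin/ls
.M......   /bin/ps
..5....T c /etc/inetd.conf
.......T   /usr/share/doc/foo/README
missing    /sbin/ifconfig'

# Live run against the local machine: "sh triage.sh --live".
triage_live() {
    echo "== ESTABLISHED connections outside [$ALLOWED_SERVICES] =="
    flag_unknown_established "$(netstat -a 2>/dev/null)" || echo "(review these)"
    echo "== recent logins =="; last | head -20
    echo "== /etc/shadow =="
    if modified_within_days /etc/shadow 7; then echo "changed in the last 7 days"; fi
    echo "== passwd/group consistency =="; pwck -r; grpck -r
    echo "== rpm verify =="; classify_rpm_verify "$(rpm -Va 2>/dev/null)"
}
if [ "${1:-}" = "--live" ]; then triage_live; fi
```

On the constructed samples, the netstat filter prints only the ssh and telnet lines, and the rpm classifier raises ALERTs for /bin/ls, /bin/ps and the missing /sbin/ifconfig while the edited inetd.conf is only a NOTE. The split between "config file edited" and "binary replaced" is the part worth keeping: a modified checksum on /etc/inetd.conf is usually you, while one on /bin/ps is Brad's trojaned-binary case.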
If your box HAS been compromised:
1) Disconnect the machine's network connection, be it a modem, Ethernet connection, etc.
2) Try to determine what the hacker did to your box:
3) If you installed Tripwire, re-run it and see what files were changed.
If your machine was compromised and you are unable to determine what was hacked, you have to consider that ALL security on this box has been breached. Because of this, you'll need to back up all changed user files (NO EXECUTABLE FILES WHATSOEVER), wipe ALL HDs and either restore from a known good backup or re-install the OS from scratch! Ouch!
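Selecting the user files for that backup while leaving out every executable, plus a look for the oddly named hidden directories Brad mentions, as an added example that is not part of TrinityOS. The helper names, the optional "newer than this reference file" filter and the throwaway directory tree in demo() are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of TrinityOS. The text says to back up changed user
# files but no executables; these helpers list what such a backup would take
# and point out hidden directories named to be overlooked in "ls" output
# ("..." or ".. ", as in the quote above). The directory layout in demo() is
# constructed for this example.

# Regular files under $1 with no execute bit for user, group or other.
# With a second argument, only files newer than that reference file (for
# example a timestamp file from your last known-good backup) are listed.
list_backup_candidates() {
    if [ -n "${2:-}" ]; then
        find "$1" -type f -newer "$2" ! -perm -100 ! -perm -010 ! -perm -001 -print
    else
        find "$1" -type f ! -perm -100 ! -perm -010 ! -perm -001 -print
    fi
}

# Directories whose names blend into "." and ".." in a listing.
find_odd_dirs() {
    find "$1" -type d \( -name '...' -o -name '.. ' -o -name '. ' \) -print
}

# Self-contained demonstration on a throwaway tree.
demo() {
    d=$(mktemp -d)
    mkdir "$d/..."
    echo "quarterly report" > "$d/notes.txt"
    echo "stashed data" > "$d/.../stash.txt"
    printf '#!/bin/sh\necho hi\n' > "$d/tool"
    chmod 755 "$d/tool"
    echo "files a backup would take:"
    list_backup_candidates "$d" | LC_ALL=C sort
    echo "oddly named directories:"
    find_odd_dirs "$d"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The three negated -perm tests are deliberate: "! -perm -111" would only drop files executable by everyone, while a file with just the owner's execute bit is still an executable and must stay out of the backup. Note that the file inside "..." is listed as a candidate, which is exactly why the odd-directory check runs alongside it: you want to see those names before deciding what to restore.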
[Once I get more time, I will expand on this section]