5. Check for signs of a network sniffer
When a system intrusion occurs, the intruder can covertly install a network monitoring program on a UNIX system, commonly called a sniffer (or packet sniffer), to capture user account names and passwords. On NT systems, remote administration programs are more commonly used for the same purpose. The first step in checking whether a sniffer has been installed on the system is to look for any process that has put a network device into promiscuous mode. If any network device is in promiscuous mode, there is a sniffer program on the system. If you reboot the machine or operate in single-user mode when the intrusion is discovered, it will not be possible to detect a network interface in promiscuous mode.
Some tools are available for this purpose:
cpm - UNIX
ftp://coast.cs.purdue.edu/pub/tools/unix/cpm/
ifstatus - UNIX
ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/
(The ifconfig -i command can also report the interface status.)
Note that some legitimate network monitors and protocol analyzers also put the interface into promiscuous mode. Detecting an interface in promiscuous mode does not necessarily mean an intruder's sniffer is running on the system. A sniffer's log file usually grows quickly; a tool such as df can be used to determine which part of the file system is growing more than expected. Remember that the df, ifconfig and netstat commands are usually replaced with trojaned versions when the attacker installs the sniffer, so use known-clean tools to check the interface status. If a sniffer is found on the system, it is strongly recommended to examine the sniffer's output file to determine which other hosts are at risk. Hosts at risk are those that appear in the destination field of the captured packets. However, if passwords are shared across systems or the source and destination hosts trust each other, the source host is also at risk. Many common sniffers record each connection like this:
-- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
PATH: not_at_risk.domain.com(1567) => at_risk.domain.com(telnet)
Because the sniffer records in this particular format, the following command can be run to obtain the list of affected hosts:
% grep PATH: $sniffer_log_file | awk '{print $4}' | \
awk -F\( '{print $1}'| sort -u
You can modify this command to suit the circumstances. Some sniffer programs use encrypted output, from which useful information is not so easily obtained.
Note that a host that does not appear in the sniffer log is not necessarily safe, because the intruder may have already retrieved the sniffer records and deleted older entries, or may have compromised other hosts using other attack methods.
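The following script is an added example and is not part of the original CERT document. It extends the one-line command above into a small triage script: it writes a constructed sniffer log (placeholder host names) in the "PATH: src(port) => dst(service)" format shown above, extracts the destination hosts exactly as the original command does, and also lists the source hosts and the services seen per host, since the text notes that source hosts are at risk too when passwords are reused or trust relationships exist. The promiscuous-mode helper assumes the Linux convention that /sys/class/net/<ifname>/flags holds the interface flags word with IFF_PROMISC at bit 0x100.

```shell
#!/bin/sh
# Added example, not from the original CERT document. Parses sniffer log lines
# of the form "PATH: src(port) => dst(service)" as shown in the text.
# The log content below is constructed sample data; the host names are placeholders.

SNIFFER_LOG="${TMPDIR:-/tmp}/sniffer_log.$$"
cat > "$SNIFFER_LOG" <<'EOF'
-- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
PATH: not_at_risk.domain.com(1567) => at_risk.domain.com(telnet)
-- TCP/IP LOG -- TM: Tue Nov 15 15:14:02 --
PATH: trusted.domain.com(1590) => mail.domain.com(pop3)
-- TCP/IP LOG -- TM: Tue Nov 15 15:20:11 --
PATH: trusted.domain.com(1602) => at_risk.domain.com(ftp)
EOF

# Destination hosts: their credentials were carried in the captured packets.
# This is the original command, wrapped in a function.
at_risk_hosts() {
    grep 'PATH:' "$1" | awk '{print $4}' | awk -F'(' '{print $1}' | sort -u
}

# Source hosts: also at risk when passwords are shared across systems or the
# source and destination hosts trust each other.
source_hosts() {
    grep 'PATH:' "$1" | awk '{print $2}' | awk -F'(' '{print $1}' | sort -u
}

# "host service" pairs, to see which credentials (telnet, pop3, ftp ...) were exposed.
services_by_host() {
    grep 'PATH:' "$1" | awk '{print $4}' | sed 's/(/ /; s/)$//' | sort -u
}

# Assumed Linux layout: /sys/class/net/<ifname>/flags holds the interface flags
# word and IFF_PROMISC is bit 0x100. Returns true when the bit is set. Read it
# with a known-clean shell and coreutils, since ifconfig/netstat may be trojaned.
promisc_from_flags() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

echo "Destination (at-risk) hosts:"; at_risk_hosts "$SNIFFER_LOG"
echo "Source hosts:";               source_hosts "$SNIFFER_LOG"
echo "Services by host:";           services_by_host "$SNIFFER_LOG"
for f in /sys/class/net/*/flags; do
    [ -r "$f" ] || continue
    if promisc_from_flags "$(cat "$f")"; then echo "PROMISC: $f"; fi
done
# The sample log is left in place under $TMPDIR (or /tmp) for inspection.
```

Run it as a normal shell script; on a real incident, point the functions at the sniffer's actual output file instead of the constructed log, and cross-check the source-host list against hosts.equiv, .rhosts and shared-password policy before deciding which hosts to notify.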
6. Check other systems on the network
It is recommended to check all systems, not only those known to have been compromised. The systems to check should include those that share network services (NFS or NIS) with the compromised system, or that are linked to it through some trust relationship (hosts.equiv or .rhosts, or a Kerberos server). When checking other systems on the network, use the intruder detection checklists:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/win_intruder_detection_checklist.html
7. Check remote hosts related to or affected by the compromised system
When examining log files, intruder output files, and any files modified or created during or after the intrusion, pay attention to any information about remote hosts that may have had connections to the compromised system. In many intrusion incidents, hosts that had connections to the compromised host (whether upstream or downstream) are themselves victims of the intrusion. This is very important for promptly identifying and notifying other potential victim sites.
D:Contact the relevant CSIRT and other sites involved
Incident Reporting
Intruders will frequently use compromised accounts or hosts to launch attacks against other sites. If you find evidence of compromise or intruder activity at any other sites, we encourage you to contact those sites. Tell them what you have found, explain that this may be a sign of compromise or intruder activity at their site, and suggest that they may wish to take steps to determine if/how the compromise occurred and prevent a recurrence. When contacting other sites, please give them as much detail as possible including date/timestamps, timezone, and what to do if they have follow-up information.
We would appreciate a "cc" to cert@cert.org or auscert@auscert.org.au as appropriate on any correspondence. If you like, you can let the site know that you are working with us on this incident (please include the assigned CERT or AusCERT tracking number in the subject line of your messages). Also let them know that we can offer assistance on how to recover from the compromise.
Contact AusCERT - Australian Computer Emergency Response Team
We would appreciate it to be informed of any incidents involving Australian and New Zealand sites as it helps us to gauge the extent and nature of intruder activity.
Our contact information is as follows:
Internet: auscert@auscert.org.au monitored during business hours (GMT+10:00)
Telephone: +61 7 3365 4417 monitored during business hours (GMT+10:00)
Hotline: +61 7 3365 4417 monitored 24 hours, 7 days for emergencies (GMT+10:00)
Facsimile: +61 7 3365 7031
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
Contact the CERT Coordination Center
We would appreciate it if you would complete and return an Incident Reporting Form as this will help us better assist you, and allow us to relate ongoing intruder activities. This also provides us a better overview of trends in attack profiles and provides input for other CERT documents such as Advisories and Summaries. We prefer that Incident Reporting Forms are sent to us via email. The Incident Reporting Forms are available from:
http://www.cert.org/reporting/incident_form.txt
Our contact information is as follows:
Email: cert@cert.org (monitored during business hours)
Telephone: +1-412-268-7090 24-hour hotline
Fax: +1-412-268-6989
CERT Coordination Center personnel answer business days (Monday-Friday) 08:30-17:00 EST/EDT (GMT-5)/(GMT-4), on call for emergencies during other hours.
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA USA 15213-3890
Obtain contact information for other sites involved
If you need contact information for a .COM, .EDU, .NET, or .ORG top-level domain, we encourage you to use the InterNIC's whois database.
http://rs.internic.net/tools/whois.html
To find contact information from the appropriate registrar, we encourage you to use the InterNIC's Registrar Directory:
http://rs.internic.net/origin.html
To find contact information for the Asia-pacific region and Australia respectively:
http://www.apnic.net/apnic-bin/whois.pl
http://www.aunic.net/cgi-bin/whois.aunic
To find contact information for other incident response teams, you may also want to check the contact list of the Forum of Incident Response and Security Teams (FIRST), available in:
http://www.first.org/team-info/
More information about finding site contacts is available from:
http://www.cert.org/tech_tips/finding_site_contacts.html
We do not recommend sending email to "root" or "postmaster" of a machine that is suspected of being involved in intruder activity. If that machine is the source of an intruder attack, it is possible that that machine itself may be compromised and the intruder may have root access and/or be reading or intercepting email sent to that host.
If you are still unsure of a site or contact details, please get in touch with us.
Recovery from a LINUX / NT Intrusion