Is someone from here interested in volunteering for a security project?

Discussion in 'Security' started by kefee, Apr 25, 2010.

  1. #1
    Hello, I'm working on a security tool that would help system admins to identify the break-in scenario of a Linux system. First I would just need suggestions from experienced system admins regarding the idea of the project:

    I understand that in many cases it's hard to gather information about the break-in scenario (the log files are usually deleted during the backgrounding, backdooring and root shell binding), and it's also hard to find out exactly what was done by the attacker. Since the ext3 FS has no undelete/unrm utility (the closest thing would be TCT's unrm, however that requires advanced system admin knowledge), in many cases it's even hard to get a full copy of the rootkit installer (usually it's deleted after backdooring). My application would MD5 and SHA1 all the files located in /bin, /sbin, /usr/bin, /usr/sbin, /etc and /etc/init.d and upload the MD5 and SHA1 results file to a remote server where the owner of the system could check them. Also, if a file's MAC data (except atime) was modified in these directories, it would report it to the admin and keep track of the modified file's MD5 and SHA1 (the remote server would compare the new hashes to a hash database which contains hashes of known "rootkit" files to identify the RK that was used to backdoor the system). Also the critical system log files (/var/run/utmp, /var/log/wtmp, /var/log/lastlog, /var/log/messages, /var/log/secure, /var/log/xferlog, /var/log/maillog, /var/log/warn, /var/log/mail, /var/log/netconf.log, /var/log/spooler, /var/log/cron) would be backed up to the remote server every minute (it would be an incremental backup; if a differential appears, a new incrementation starts to keep a perfect log of log file erases).
    Also unhide would be run from cron every minute to see if there is a hidden proc running or not.

    What I would need later on as help: some 4-5 individuals with a small Linux system that would be installed as a LAMP server with no updates applied at all; once it's broken into, it would be reinstalled to test the script again (honeypot).

    The script would be written in shell script, PHP and MySQL.
     
    kefee, Apr 25, 2010 IP
  2. p.hall

    #2
    You need to be careful, because the hacked system can be used as a proxy for attacks to other systems, eventually making you susceptible to legal prosecution.
     
    p.hall, May 10, 2010 IP