
RE: [cobalt-security] 'proftpd-inetd appears to be from newer version' message (x-posted)

On Sat, 14 Oct 2000, Brandon Wheaton wrote:

<snip>

> 
> If someone is altering your logs you have more important 
> issues to address, like how they gained the access to be 
> able to alter your logs, not to mention finding out what 
> else have they altered. If you have suspicions about 
> unauthorized accesses, first check your /etc/passwd file 
> for entries you don't recognize. Then do a "last -d -a" 
> to see who has logged into your server and from where.
> Also ensure that you do NOT allow remote root logins. 
> This way, you have a log of anyone issuing the "su -" 
> command to become root.

That's fine, except I suspect most crackers will simply copy /bin/sh
elsewhere on the system and suid-root it, meaning no logs, and no big
fat su's sitting in the process list.  Or suid time (time /bin/sh to get root
then), etc., etc.

And wtmp logs can be altered, so last is useless.

Probably the best thing you can do, IMHO, if you suspect you have been
rooted, is to install a sniffer on a connected box and monitor the network
traffic - where are people telnetting in from, what are they doing, is
there any IRC traffic, etc.  Mainly because nothing on the rooted system
can be trusted, and monitoring network traffic usually reveals things like
eggdrops installed on the machine, which leads to full IRC logs of the
people concerned, etc.

And I've started to rant a bit :)

Regards.
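A defender's-side check for the trick the post describes (a setuid copy of a shell hidden elsewhere on the filesystem, or an unexpected setuid binary such as time), as an added example that is not part of the original thread: it lists setuid files, reports any that are byte-identical to a known shell, and diffs the list against a baseline taken while the host was known-good. The KNOWN_SHELLS list and the baseline file are assumptions, and, as the post itself notes, tools on a rooted host cannot be trusted, so this is best run from a clean boot or trusted static binaries.

```shell
#!/bin/sh
# Added example (not from the original thread): enumerate setuid files
# and flag any whose contents are byte-identical to a known shell, i.e.
# the "copy /bin/sh elsewhere and suid-root it" trick described above.
# Assumption: the paths in KNOWN_SHELLS exist on the host being checked.

KNOWN_SHELLS="/bin/sh /bin/bash /bin/dash /bin/ksh"

# Print every setuid regular file beneath $1 (default /), one per line.
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# For each setuid file under $1, print "path<TAB>shell" when its contents
# equal one of KNOWN_SHELLS. The shells at their canonical paths are
# skipped, so only copies are reported.
find_suid_shell_copies() {
    list_setuid "$1" | while IFS= read -r f; do
        for s in $KNOWN_SHELLS; do
            if [ ! -f "$s" ] || [ "$f" = "$s" ]; then
                continue
            fi
            if cmp -s "$f" "$s"; then
                printf '%s\t%s\n' "$f" "$s"
                break
            fi
        done
    done
}

# Print setuid files under $1 that are absent from the baseline file $2
# (one path per line, recorded while the host was known-good). A setuid
# "time" or any other unexpected binary shows up here even when it is
# not a shell copy.
diff_against_baseline() {
    tmp=$(mktemp) || return 1
    sort "$2" > "$tmp"
    list_setuid "$1" | sort | comm -23 - "$tmp"
    rm -f "$tmp"
}
```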