IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Linux Forum / Chasing ghosts?
Post #111,587
by rickmoen
Picture of rickmoen
7/26/03 5:28:52 PM
Reply
New Chasing ghosts?
Glen wrote:

Now I'm changing all the passwords in the system. Then, I'll start looking at all the listening processes on the system. They can attack something that isn't listening.

Umm..., is the only reason you think you've suffered security compromise the fact that suddenly what you thought was your root password didn't work, and you weren't entirely sure whether you'd changed it? No other signs of break-in whatsoever? That sounds more than a little thin.

However, if you haven't looked at all the listening processes on the system, it's indeed about time. I'm curious about how you're doing that without trusting any of the tools on the suspect system.

(Yes, I am being mildly ironic. How to examine a running system for signs of compromise is a difficult problem.)

Rick Moen
rick@linuxmafia.com

If you lived here, you'd be $HOME already.
Post #111,644
by gdaustin
7/27/03 6:48:39 PM
Reply
New Now I'm thinking I changed it...
The passwd file was dated 7/12, and that's the date I installed apache2 and php. I set up a tester web server with PHP installed on that very date.

I've been getting the latest apt-get about once every two weeks. Maybe I need to be a little more vigilant about that.

I'll take a look at snort, and I'll get the rest of the list from my "hacker" co-worker. I'd like for this system to be pretty "hard", if it can be.

Glen Ausitn
     Help! - (gdaustin) - (15) - July 26, 2003, 08:32:03 AM EDT
         Use the install CD - (pwhysall) - (9) - July 26, 2003, 09:10:17 AM EDT
             Not quite that easy, but I think I have it fixed.... - (gdaustin) - (7) - July 26, 2003, 10:45:44 AM EDT
                 Fixed... - (gdaustin) - (6) - July 26, 2003, 12:23:14 PM EDT
                     Shouldn't you be fixing this at the firewall? - (pwhysall) - (2) - July 26, 2003, 01:17:48 PM EDT
                         This box IS my firewall... - (gdaustin) - (1) - July 27, 2003, 06:36:08 PM EDT
                             Re: This box IS my firewall... - (pwhysall) - July 27, 2003, 06:33:44 PM EDT
                     If you haven't already - (orion) - July 26, 2003, 02:02:12 PM EDT
                     Chasing ghosts? - (rickmoen) - (1) - July 26, 2003, 05:28:52 PM EDT
                         Now I'm thinking I changed it... - (gdaustin) - July 27, 2003, 06:48:39 PM EDT
             Re: Use the install CD - (gdaustin) - July 26, 2003, 10:47:43 AM EDT
         Root password, rooted box - (kmself) - (4) - July 26, 2003, 09:33:24 PM EDT
             Re: Root password, rooted box - (rickmoen) - (2) - July 27, 2003, 05:25:39 AM EDT
                 Forensics - (kmself) - (1) - July 27, 2003, 03:22:47 PM EDT
                     Re: Forensics - (rickmoen) - July 28, 2003, 04:34:01 AM EDT
             Exactly what I did... - (gdaustin) - July 27, 2003, 07:07:26 PM EDT

Did you recently read an article?
42 ms