|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: possible compromise or just misreading logs
From: Lewis Watson (lists
visionsix.com)
Date: Sun Dec 07 2003 - 11:25:38 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> So, my question is did I have a break-in? This machine is accessable
only
> as a web server through NAT and ipfw (if I configed my ipfw correctly).
I
> had just installed the Apache 1.3.29.
>
> Second, what are people using for intrusion detection? This is
something I
> have thought about but never really thought I needed until now.
Hi Craig,
Are you sure that you did not install any of the ports around this time?
Usually you would see this type activity when a program is installed. You
should probably do a ps aux and sockstat -4 to see what is running and
open.
There are two programs that I am familiar with to monitor changes..
chkrootkit and tripwire. Chkrootkit is trivial to install but tripwire is
a much more complete package.
I am sure there are others here that can provide much more insight to
this.
Thanks.
Lewis
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]