From: Jess Garcia (jessjessland.net)
Date: Mon Apr 08 2002 - 10:01:45 CDT

Hi, Kulla.

Regarding key logging, there are two approaches:

+ Application level command/tty snooping
+ Loadable Kernel Module
The first method is probably the easiest one:

- Download ttysnoop from http://online.securityfocus.com/tools/940
- Remember to uncomment the shadow lines if you are using shadow.
- Compile it. You will probably want to change the name of the
  binary to something different to avoid being so obvious, and change the
  location of the config and log files.
- Go to /etc/xinetd.d/telnet and include a server_args = -L /bin/ttysnoop
  line (or whatever)
  (You may want to recompile telnet to include it by default)

- If you want it to work with ssh, recompile sshd to use it as its
  login program and enable UseLogin in sshd_config.

Drawbacks of this method: if you are using an unpatched version of
sshd, the hackers will probably patch it after they hack the machine
(remember, if you don't patch your machine, someone will ;).
Another possibility is that they use an alternative sshd server (e.g. one
included in a rootkit).

Another method is using the modified bash that logs to syslog
by the Honeynet Project:
http://project.honeynet.org/papers/honeynet/bash.patch

You may want to disable (in /etc/shells) all other shells and/or
physically deinstall them from your system.

And of course, set remote logging.

Drawback: it doesn't log tty output, just commands.

All these methods are not foolproof, but they work together
quite well in most situations.

JESS
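The setup the post describes (telnet routed through ttysnoop, sshd with UseLogin, only the logging shell left in /etc/shells, remote syslog) as a small configuration audit a honeypot operator could run before going live. This is an added example, not code from the post or from ttysnoop; the sample file contents, the log host name and the use of /bin/bash as the patched logging shell are constructed assumptions.

```shell
#!/bin/sh
# Write constructed sample files that stand in for /etc/xinetd.d/telnet,
# /etc/ssh/sshd_config, /etc/shells and /etc/syslog.conf into directory $1.
make_samples() {
    cat >"$1/telnet" <<'EOF'
service telnet
{
    server      = /usr/sbin/in.telnetd
    server_args = -L /bin/ttysnoop
}
EOF
    printf 'Port 22\n#UseLogin no\nUseLogin yes\n' >"$1/sshd_config"
    printf '/bin/bash\n/bin/sh\n' >"$1/shells"          # /bin/sh is a stray, unlogged shell
    printf '*.*    @loghost.example\n' >"$1/syslog.conf" # hypothetical remote log host
}

# Each check returns 0 when the setting described in the post is in place.
check_telnet_login()  { grep -Eq '^[[:space:]]*server_args[[:space:]]*=.*-L[[:space:]]+/bin/ttysnoop' "$1"; }
check_uselogin()      { grep -Eiq '^[[:space:]]*UseLogin[[:space:]]+yes' "$1"; }  # a commented-out line does not count
check_remote_syslog() { grep -Eq '^[^#].*[[:space:]]@[[:alnum:].-]+' "$1"; }
# Only the logging shell ($2) may be listed; every other shell is reported.
check_shells() {
    extra=$(grep -Ev "^($2\$|#|\$)" "$1")
    [ -z "$extra" ] || { echo "extra shells in $1: $extra"; return 1; }
}

# Run all checks against the config directory $1; exit status 1 if anything is missing.
audit() {
    rc=0
    check_telnet_login "$1/telnet"       || { echo "telnet: not routed through ttysnoop"; rc=1; }
    check_uselogin "$1/sshd_config"      || { echo "sshd: UseLogin not enabled"; rc=1; }
    check_shells "$1/shells" /bin/bash   || rc=1
    check_remote_syslog "$1/syslog.conf" || { echo "syslog: no remote log host"; rc=1; }
    return $rc
}

d=$(mktemp -d); make_samples "$d"
if audit "$d"; then echo "logging setup complete"; else echo "logging setup incomplete"; fi
rm -rf "$d"
```

Point the check functions at the real files under /etc to audit a live box; the sample run reports /bin/sh as an extra shell and exits 1.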

---------------------------------------------------------------------
To unsubscribe, e-mail: honeypots-unsubscribesecurityfocus.com
For additional commands, e-mail: honeypots-helpsecurityfocus.com
---------------------------------------------------------------------