Subject: Re: Compromised Box -
From: J C Lawrence (claw KANGA.NU)
Date: Tue Oct 31 2000 - 22:26:43 CST
On Wed, 1 Nov 2000 11:46:29 +1000 Andrew Blogg <apblogg GPL.COM.AU> wrote:
> If you want to track and see if an attack happens again on this
> port, I would run something else on that port which simply closes
> the connection and states "Your attempt has been logged" and
> actually log the IP address date and time that a connection was
> made from.
More fun would be to:
a) run snort on a node on the same subnet to track IP traffic.
b) run IPPL and similar on the compromised node
c) run a libpcap based tool to log all traffic to and from the
compromised node
Do this until the node is visited again, and then rebuild the box
from scratch leaving all logging in place. You can then analyse the
results of his visits and subsequent reactions in considerable
detail.
This is often quite educational.
--
J C Lawrence Home: clawkanga.nu
---------(*) Other: coder kanga.nu
http://www.kanga.nu/~claw/ Keys etc: finger claw kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
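
The listener described in the quoted message, as an added example that is not part of the original thread: it accepts a connection, records the source address, date and time, sends the notice and closes, never reading anything the peer sends. The function names, log format and command-line arguments are assumptions made for illustration.

```python
import socket
import sys
from datetime import datetime, timezone

BANNER = b"Your attempt has been logged\r\n"  # wording from the quoted message

def log_line(addr, dport, when=None):
    """Format one record: UTC timestamp, source IP, source port, local port."""
    when = when or datetime.now(timezone.utc)
    return (f"{when.isoformat(timespec='seconds')} "
            f"src={addr[0]} sport={addr[1]} dport={dport}")

def make_listener(host, port):
    """Bind a TCP socket on the port being watched."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv

def serve(srv, logfile, max_conns=None):
    """Accept, log, send the banner, close. Nothing the peer sends is read."""
    dport = srv.getsockname()[1]
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, addr = srv.accept()
        with conn:
            # Write the record first so it exists even if the peer resets.
            with open(logfile, "a") as fh:
                fh.write(log_line(addr, dport) + "\n")
            try:
                conn.settimeout(2)
                conn.sendall(BANNER)
            except OSError:
                pass  # peer already gone; the log entry is what matters
        handled += 1
    return handled

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 portlog.py <port> <logfile>
    serve(make_listener("0.0.0.0", int(sys.argv[1])), sys.argv[2])
```

Write the log to a path outside the monitored host's own disk where possible, since the box is to be rebuilt from scratch.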