Subject: Re: How to Track a hacker
From: Faber Fedor (faberfedorYAHOO.COM)
Date: Mon Nov 06 2000 - 23:42:34 CST

--- Mike Redan <mredanCHAT.CARLETON.CA> wrote:
> Would you actually trust the output of w on a machine that is suspected
> to be compromised?
> After a machine has been cracked you have to assume that you can't trust
> any of the tools that are on that machine...you really can't even trust
> your kernel -- there are plenty of exploits that load up as kernel
> modules -- which means you really can't even trust anything you put onto
> that box.

I have a question about this attitude. While I agree with it in theory, why
doesn't the crackee simply find the files that have been changed? If you know
when you were cracked, let's say a day (read: 24 hours) ago, then do a

        # -ctime -1: status changed within the last 24 hours; -ld lists
        # the entry itself rather than a directory's contents
        find / -ctime -1 -exec ls -ld {} \; > cracked.out

and then go through the cracked.out file looking for anything strange (like the
fact that /bin/login has a mod time of 12 hours ago and a /bin/.login also
exists). Granted, this takes some work, but you learn a lot too. :-)


Faber Fedor
LinuxNJ.com - Linux and Open Source solutions for New Jersey
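An added example, not from the original thread, of the two checks Faber describes: files whose change time is newer than a chosen reference point, and a hidden dotfile sitting beside a visible file of the same name. It assumes a find that supports `-cnewer` (GNU or BSD) and uses a constructed sample tree in place of the suspect host's filesystem.

```shell
#!/bin/sh
# Added example. ctime is used rather than mtime because touch can reset
# mtime but not ctime, so ctime is the better "what changed since X" signal.
# As Mike notes above, find/ls/sort should come from trusted media when the
# host itself is suspect.

# recent_changes ROOT REF: paths under ROOT whose ctime is newer than REF's
# mtime, one per line, in C-locale sort order.
recent_changes() {
    find "$1" -type f -cnewer "$2" | LC_ALL=C sort
}

# hidden_twins ROOT: hidden files that have a visible sibling with the same
# base name, e.g. bin/.login next to bin/login.
hidden_twins() {
    find "$1" -type f -name '.*' | while read -r hidden; do
        dir=$(dirname "$hidden")
        base=$(basename "$hidden")
        visible="$dir/${base#.}"
        [ -f "$visible" ] && printf '%s\n' "$hidden"
    done | LC_ALL=C sort
}

# make_sample: constructed sample tree standing in for / on a suspect host.
# Prints the root directory it created.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    echo old > "$root/bin/ls"            # untouched system file
    echo old > "$root/etc/passwd"        # untouched system file
    touch "$root/marker"                 # reference point: before the incident
    sleep 1                              # later ctimes must sort after marker
    echo replaced > "$root/bin/login"    # binary swapped after the incident
    echo original > "$root/bin/.login"   # hidden copy left beside it
    printf '%s\n' "$root"
}

# Usage (uncomment to run by hand):
# R=$(make_sample); recent_changes "$R" "$R/marker"; hidden_twins "$R"
```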
