Subject: Re: How to Track a hacker
From: James Stevenson (mistral STEV.ORG)
Date: Tue Nov 07 2000 - 17:54:00 CST
- Next message: Ryan Yagatich: "Re: How to Track a hacker"
- Previous message: Xavier HUMBERT: "Re: Problem with virus scanning emails"
- In reply to: Faber Fedor: "Re: How to Track a hacker"
- Next in thread: Ryan Yagatich: "Re: How to Track a hacker"
- Next in thread: J C Lawrence: "Re: Limited Shells"
- Reply: James Stevenson: "Re: How to Track a hacker"
- Reply: Ryan Yagatich: "Re: How to Track a hacker"
- Reply: Brad Spengler: "Re: How to Track a hacker"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi
Erm, that simply does not work.
tar will set the time values on files (access/created/modified);
touch will do the same.
The best way is to:
a) fire logs onto another computer (so they need to break into that too)
b) use md5 checksums with read-only access to a database on another computer,
and run a check on them every few days or so.
So if they break in they then need to break into 3 computers to cover their
trails or be found out.
But of course you don't run anything on the logging computer except for the logger :)
or don't let any other data go to the logger.
In local.securityfocus-linux-list, you wrote:
>--- Mike Redan <mredan CHAT.CARLETON.CA> wrote:
>> Would you actually trust the output of w on a machine that is suspected
>> to be compromised?
>> After a machine has been cracked you have to assume that you can't trust
>> any of the tools that are on that machine...you really can't even trust
>> your kernel -- there are plenty of exploits that load up as kernel
>> modules -- which means you really can't even trust anything you put onto
>> that box.
>
>I have a question about this attitude. While I agree with it in theory, why
>doesn't the crackee simply find the files that have been changed? If you know
>when you were cracked, let's say a day (read: 24 hours) ago, then do a
>
> find / -ctime 1 -exec ls -al "{}" > cracked.out \;
>
>and then go through the cracked.out file looking for anything strange (like the
>fact that /bin/login has a mod time of 12 hours ago and a /bin/.login also
>exists). Granted, this takes some work, but you learn a lot too. :-)
>
>=====
>Sincerely,
>
>Faber Fedor
>LinuxNJ.com - Linux and Open Source solutions for New Jersey
>
>http://www.linuxnj.com
>
--
---------------------------------------------
Check Out: http://stev.org
E-Mail: mistralstev.org
11:50pm up 24 days, 11:46, 6 users, load average: 0.00, 0.02, 0.01
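As an added example, not from the original post or from any tool named in the thread: a small POSIX shell script implementing item (b) above, a checksum baseline that is built once, kept off the host, and later compared against a fresh scan. It assumes find, md5sum, sort and awk are available; the function names and the init/check subcommands are my own.

```shell
#!/bin/sh
# Added example (not from the original post): minimal checksum baseline
# and verification, in the spirit of item (b) in the reply above.
# Store the baseline read-only on another machine so an intruder on this
# host cannot rewrite it. Limitation: paths containing whitespace are not handled.

# make_baseline DIR: print "checksum  path" for every regular file under DIR.
make_baseline() {
    find "$1" -type f -exec md5sum {} + | sort -k 2
}

# check_baseline DIR BASELINE: rescan DIR and report MODIFIED / ADDED / REMOVED
# paths compared with BASELINE. Returns 0 when nothing differs, 1 otherwise.
check_baseline() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    find "$dir" -type f -exec md5sum {} + | sort -k 2 > "$current"
    # First file (baseline) fills base[path]=sum; second file (current scan)
    # is compared entry by entry; whatever is left in base[] was removed.
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        !($2 in base)       { print "ADDED " $2; next }
        base[$2] != $1      { print "MODIFIED " $2 }
                            { delete base[$2] }
        END { for (p in base) print "REMOVED " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Command-line use:
#   ./integrity.sh init /usr/local/bin > baseline   (copy baseline off-host)
#   ./integrity.sh check /usr/local/bin baseline    (run from cron every few days)
case "${1:-}" in
    init)  make_baseline "$2" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

The check reports a trojaned /bin/login as MODIFIED and a planted /bin/.login as ADDED regardless of what timestamps the files carry, which is the point of comparing content rather than ctime.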