OSEC

Subject: Re: Core Dump as an Intrusion Event
From: Erik Tayler (erik at DIGITALOFFENSE.NET)
Date: Thu Oct 05 2000 - 23:35:38 CDT


> A better solution would be a kernel patch that hooks into the SIGSEGV
> signal handler and logs all segmentation faults. A predefined list of
> programs can be monitored. Maybe it's feasible to log segfaults of all
> root processes.

I believe FreeBSD [as far as I know, 4.0] does this. If I can remember way
back to yesterday when I was parsing through syslog, I saw some segfault
messages from a program that I had written poorly. If I'm wrong, someone let
the list and me know; I wouldn't want to give out more misinformation. And what
other versions of FreeBSD, or Open/NetBSD, do this? [I don't have a
photographic memory when it comes to syslogs of 2.x, so I can't remember.]

Ack wait, I found some logs.

Sep 19 16:14:58 secure /kernel: pid 87871 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:22:51 secure /kernel: pid 87884 (dialog), uid 1000: exited on signal 11 (core dumped)
Sep 19 16:31:06 secure /kernel: pid 87908 (dialog), uid 1000: exited on signal 11 (core dumped)
Sep 19 16:50:31 secure /kernel: pid 87945 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:50:43 secure /kernel: pid 87946 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:50:57 secure /kernel: pid 87947 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:51:02 secure /kernel: pid 87948 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:55:26 secure /kernel: pid 87950 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 25 16:02:38 secure /kernel: pid 9719 (fourth), uid 0: exited on signal 11 (core dumped)
Oct 2 18:25:35 secure /kernel: pid 58233 (ftp), uid 1000: exited on signal 11 (core dumped)
Oct 2 18:29:08 secure /kernel: pid 58243 (ftp), uid 1000: exited on signal 11 (core dumped)

Anyway, there ya go, logged by the kernel as per default.

Erik Tayler
http://www.14x.net
http://www.digitaloffense.net
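The quoted proposal (monitor segfaults of a predefined list of programs, or of all root processes) can be built on top of exactly the kernel messages Erik pasted. The following is an added example, not code from the post or from FreeBSD: it parses the "exited on signal N (core dumped)" lines, raises an alert for any uid 0 crash, for any crash of a program on a watch list, and for a burst of crashes of one program inside a short window, which is the pattern an attacker brute-forcing a return address tends to leave behind. The watch list, the thresholds and the year (syslog timestamps carry none) are assumptions of the example; the sample log is copied from the post above.

```python
import re
from collections import deque
from datetime import datetime

# Matches the FreeBSD kernel message shown in the post, including its
# syslog prefix: "Mon DD HH:MM:SS host /kernel: pid N (prog), uid U: ...".
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) /kernel: pid (?P<pid>\d+) \((?P<prog>[^)]+)\), "
    r"uid (?P<uid>\d+): exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$"
)

# Policy knobs: all of these are assumptions of this example, not from the post.
WATCHED = {"ftp", "ftpd", "sshd", "sendmail", "named"}  # crashes always worth a look
SIGNALS = {11}        # SIGSEGV; widen to {4, 10, 11} if SIGILL/SIGBUS matter to you
BURST_COUNT = 3       # this many crashes of one program ...
BURST_WINDOW = 60     # ... within this many seconds is a burst


def parse(line, year=2000):
    """Return a dict describing one exit-on-signal line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog has no year field; the caller supplies one (assumed 2000 here).
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "pid": int(m["pid"]), "prog": m["prog"],
            "uid": int(m["uid"]), "sig": int(m["sig"]), "core": m["core"] is not None}


def analyze(lines, watched=WATCHED, signals=SIGNALS,
            burst_count=BURST_COUNT, burst_window=BURST_WINDOW):
    """Scan log lines in order; return a list of (reason, event) alerts."""
    alerts = []
    recent = {}  # prog -> deque of timestamps of its crashes inside the window
    for line in lines:
        ev = parse(line)
        if ev is None or ev["sig"] not in signals:
            continue
        if ev["uid"] == 0:
            alerts.append(("root-segfault", ev))
        if ev["prog"] in watched:
            alerts.append(("watched-program", ev))
        # Sliding window per program; fires once, when the count reaches the threshold.
        q = recent.setdefault(ev["prog"], deque())
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > burst_window:
            q.popleft()
        if len(q) == burst_count:
            alerts.append(("burst", ev))
    return alerts


# Sample input copied from the post above (the post's lines, not newly invented).
SAMPLE_LOG = """\
Sep 19 16:14:58 secure /kernel: pid 87871 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:22:51 secure /kernel: pid 87884 (dialog), uid 1000: exited on signal 11 (core dumped)
Sep 19 16:31:06 secure /kernel: pid 87908 (dialog), uid 1000: exited on signal 11 (core dumped)
Sep 19 16:50:31 secure /kernel: pid 87945 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:50:43 secure /kernel: pid 87946 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:50:57 secure /kernel: pid 87947 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:51:02 secure /kernel: pid 87948 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 19 16:55:26 secure /kernel: pid 87950 (dialog), uid 0: exited on signal 11 (core dumped)
Sep 25 16:02:38 secure /kernel: pid 9719 (fourth), uid 0: exited on signal 11 (core dumped)
Oct 2 18:25:35 secure /kernel: pid 58233 (ftp), uid 1000: exited on signal 11 (core dumped)
Oct 2 18:29:08 secure /kernel: pid 58243 (ftp), uid 1000: exited on signal 11 (core dumped)
""".splitlines()


if __name__ == "__main__":
    for reason, ev in analyze(SAMPLE_LOG):
        print(f"{ev['ts']:%b %d %H:%M:%S} {reason:16} pid {ev['pid']} "
              f"({ev['prog']}) uid {ev['uid']}")
```

On the post's own log the four root crashes of dialog between 16:50:31 and 16:51:02 trip the burst rule at the third one, every uid 0 crash is reported on its own, and the two ftp crashes are reported because ftp is on the watch list. Because the messages are emitted by the kernel, not by the crashing program, they survive a process that has been taken over before it dies; the caveat is that a successful exploit that does not crash the target leaves no such line, so this is evidence of attempts, not of outcomes.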