[NTLUG:Discuss] Intrusion and Detection
Bug Hunter
bughuntr at one.ctelcom.net
Fri Dec 21 11:38:49 CST 2001
Tripwire is the simplest. It basically does a crc on the main files.
In general, the following files have been compromised:
ps
ls
login
ssh
find
glibc
and possibly
inetd
ftpd
telnetd
bash
ls and other executables in the ftp bin directory
typically, the following is not compromised
file
and can be used to find other files that have been compromised, or are
lying around.
On Fri, 21 Dec 2001, Kenneth Loafman wrote:
> With all the packages like Tripwire and others that detect intrusion,
> are there any that are "better" than others? What are your experiences?
>
> My home system just got rooted via an ssh bug and my own personal
> detection system spotted it (ps did not work right), but the damage had
> been done. Right now the system is off the net, but I want to
> reopen the ssh port again so I can get to it from work.
>
> Been doing some forensics and it looks like the work of a script-kiddie,
> even left the .tgz file and install scripts on the system. Nasty stuff,
> but it does not look like he left a worm installed, just set it up to
> allow him to get back in. That's secured now, no inbound connections
> available.
>
> So, back to the question... what's a good intrusion detection system?
> I'm decidedly not a novice, but I don't have much time to mess with
> overly complex systems, so ease-of-use is a consideration.
>
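As an added example (not part of this thread, and not Tripwire's own code), a minimal Tripwire-style check in Python over the binaries the reply lists: it records a SHA-256, size and mode baseline and reports anything that later differs, using a constructed temporary directory in place of a real bin tree. Because a replaced glibc or kernel can lie to any tool run on the host, the baseline belongs on read-only media and the check is most trustworthy when run from a trusted boot.

```python
"""Minimal Tripwire-style integrity check (added example, not Tripwire itself)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Binaries the reply names as the usual rootkit replacements.
WATCHED = ["ps", "ls", "login", "ssh", "find", "inetd", "ftpd", "telnetd", "bash"]


def digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names=WATCHED):
    """Record digest, size and mode for each watched file present under root."""
    base = {}
    for name in names:
        p = Path(root) / name
        if p.is_file():
            st = p.stat()
            base[name] = {"sha256": digest(p), "size": st.st_size, "mode": st.st_mode}
    return base


def verify(root, baseline):
    """Return names whose digest, size or mode changed, or which are now missing."""
    changed = []
    for name, rec in baseline.items():
        p = Path(root) / name
        if not p.is_file():
            changed.append(name)
            continue
        st = p.stat()
        if (digest(p) != rec["sha256"] or st.st_size != rec["size"]
                or st.st_mode != rec["mode"]):
            changed.append(name)
    return changed


def demo():
    """Constructed scenario: baseline a fake bin dir, then replace 'ps'."""
    root = tempfile.mkdtemp()
    for name in ("ps", "ls", "find"):
        Path(root, name).write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
    baseline_file = Path(root, "baseline.json")  # keep this on read-only media in practice
    baseline_file.write_text(json.dumps(build_baseline(root)))
    Path(root, "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")  # simulated tampering
    return verify(root, json.loads(baseline_file.read_text()))  # returns ['ps']
```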