
Re: shell access exploits (was Re: upgrading to MySQL 4 on woody)

I'm no expert.
I run chkrootkit on a regular basis.
Run a virus scanner; it will find some exploits.
McAfee found a few rootkits and known kernel exploits.
I use McAfee for Linux.
Analyze history files for certain keywords.
The best way would be to analyze command frequency in history files and
look for infrequently occurring commands that are good indications of a hack.
Look at anyone running the command: uname -a

Install grsecurity, and laugh at the attempts to do buffer overruns.
Enable grsecurity acl subsystem and continue laughing.
Analyze login frequency, what country are they logging in from?
Have they logged in from this address before?
Analyze login time, 2-6am is when most exploits occur.
Look at tripwire or sash logs. (I still use tripwire; I have not learned how to
use sash.)
Look at when root logs in.
Check for processes initiating outgoing connections; hackers love to wget
their files.
Check for processes using a lot of memory or processor time.

Jason Lim said:
>> One of my hats is a junior sys admin in an academic environment. I'm
>> curious as to how you know when shell users are trying to exploit a
>> kernel
>> hole.
> chkrootkit?

--Luke CS Sysadmin, Montana State University-Bozeman
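An added example, not from this post or the list, that carries out two of the checks above in Python: command-frequency analysis of a shell history file (rare commands and the watch-listed `uname`/`wget`) and a 2-6am filter over `last` output. The sample history, the `last` lines, the watchlist, the rarity threshold and the off-hours window are all constructed assumptions.

```python
"""Flag rare or watch-listed commands in shell history and off-hours logins.
Constructed sample data stands in for ~user/.bash_history and `last` output;
the watchlist, the rarity threshold and the off-hours window are assumptions."""
import re
from collections import Counter

WATCHLIST = {"uname", "wget"}   # commands the post singles out; extend as needed
OFF_HOURS = range(2, 6)         # 02:00-05:59, the window the post names
SAMPLE_HISTORY = """ls -la
cd /var/www
vi index.html
ls
cd ..
uname -a
wget http://example.invalid/file.tgz
vi index.html
"""
SAMPLE_LAST = """luke     pts/0        192.0.2.10       Tue Mar 12 09:14 - 09:40  (00:26)
luke     pts/1        198.51.100.7     Wed Mar 13 03:02 - 03:15  (00:13)
root     tty1                          Wed Mar 13 11:30 - 11:31  (00:01)
"""

def base_command(line):  # program name with any path stripped, None if blank
    tokens = line.split()
    return tokens[0].rsplit("/", 1)[-1] if tokens else None

def command_frequency(history_text):
    return Counter(c for c in map(base_command, history_text.splitlines()) if c)

def flag_history(history_text, max_count=1):
    """(line_no, line, reasons) for history lines that are rare or watch-listed."""
    freq = command_frequency(history_text)
    flagged = []
    for no, line in enumerate(history_text.splitlines(), 1):
        cmd = base_command(line)
        reasons = ["watchlist"] if cmd in WATCHLIST else []
        if cmd and freq[cmd] <= max_count:
            reasons.append("rare")
        if reasons:
            flagged.append((no, line.strip(), reasons))
    return flagged

def off_hours_logins(last_text):
    """(user, host, 'HH:MM') for `last` lines whose login hour is in OFF_HOURS."""
    hits = []
    for line in last_text.splitlines():
        t, m = line.split(), re.search(r"\b(\d{2}):(\d{2}) - ", line)
        if m and len(t) >= 9 and int(m.group(1)) in OFF_HOURS:
            host = t[2] if len(t) >= 10 else "console"  # tty logins omit the host
            hits.append((t[0], host, m.group(0)[:5]))
    return hits
```

Rare commands still need a human to read them in context; a one-off `cd` is noise, while a one-off `wget` followed by a build or `chmod +x` is what the post is telling you to look for.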
