So, a Debian box that I admin had an account compromised. They didn't get root... they just got into one of our user accounts through a weak or stolen password. They set up a few IRC bots and that was it. The irritating part is that this was called to my attention by an admin on another system who watches their IRC traffic closely.
When I did find the intrusion, there were a few aspects of it that were very common to intrusions like this, but which don't seem to be caught by tripwire, aide, logcheck, or chkrootkit. For example, they hid their stuff in a "..." directory.
I know that AIDE and tripwire check for changes to critical files/directories... chkrootkit looks for rootkit-ish things.... and logcheck looks just at the logs.... but I haven't seen anything that scans the entire machine (filesystem, listening ports, outgoing ports, etc) for all of the standard things you see on things like the SANS intrusion detection checklist... or better yet, something with regular updates (like clamav) that checks for things that are being seen on the latest honeypots.
Isn't there *something* like that out there already? - Joe
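As an added example (not part of the post above, and not a feature of AIDE, tripwire, logcheck or chkrootkit), the script below covers two of the host-wide checks the post asks about: directories hidden under dot-only or whitespace-only names such as "...", and TCP listeners not on a known-good port list. It assumes a POSIX shell with find(1) and awk(1), and that the port check is fed the output format of `ss -ltn` (the listener lines here are constructed sample data, not captured from a real host).

```sh
#!/bin/sh
# Added example: a minimal post-compromise audit helper.
# Assumptions: POSIX sh, find(1), awk(1); unexpected_ports expects `ss -ltn` style lines.

# Print every directory below $1 whose basename is three or more dots ("...", "....")
# or is made only of dots and spaces with at least one space (". ", ". ." etc.).
# find(1) never emits the literal "." or ".." entries, so every hit is a real directory
# that someone chose to name that way -- a common hiding spot in user-level intrusions.
find_odd_dirs() {
    find "$1" -type d 2>/dev/null |
        awk -F/ '$NF ~ /^\.\.\.+$/ || $NF ~ /^[ .]*[ ][ .]*$/'
}

# Read `ss -ltn` output on stdin and print each listening port that is not in the
# space-separated allowlist given as $1 (each port printed once, in order of first sight).
# Works for IPv4 ("0.0.0.0:22") and IPv6 ("[::]:22") local addresses.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 == "LISTEN" {
            n = split($4, parts, ":"); port = parts[n]
            if (!(port in allowed) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Constructed sample of `ss -ltn` output: sshd, a loopback MTA, and an IRC-ish listener.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      10     0.0.0.0:6667       0.0.0.0:*'

# Demo against the constructed sample plus a throwaway directory tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/..." "$tmp/lib/ok" "$tmp/.dotfile-dir"
    echo "odd directories under $tmp:"
    find_odd_dirs "$tmp"
    rm -rf "$tmp"
    echo "listeners not in allowlist (22 25):"
    printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 25"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live host, run `find_odd_dirs /` for the filesystem sweep and `ss -ltn | unexpected_ports "22 25 80"` with your own port list; `ss -tn` (without `-l`) shows established connections if you also want to eyeball outbound IRC sessions. Keep the allowlist in version control next to your AIDE policy so that a new port is a reviewable change rather than a surprise.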