
Re: was I cracked? (rpc.statd, new version)



hi ya kath

naw... they always leave some traces of what they did
to your PC...

i think tripwire is an overkill for what you need to know
in 2 minutes... "did they replace my binaries"...
if you think someone came into your box...

i like a simple/stupid solution
	tar zcvf /safe_place_off_line/original_binaries.tgz \
	/bin /lib /sbin /usr/{bin,sbin,lib}  /etc

	( it's a quickie test... to compare the current binaries
	( against what was the original

if you're still not sure... that they ADDED some of their own
apps .... then run tripwire.... and wait and wait..
but then you'd have an answer if you have a good tripwire db going

dozen different ways to identify if they got in and what they 
changed... choose your preferred way...

c ua
alvin


On Wed, 11 Jul 2001, kath wrote:

> You can check for modified binaries with tripwire.
> 
> If this was a decent hacker or even a script kiddie using a good tool, they
> probably would have purged your logs of all evidence.
> 
> So either:
> 
> a) They are second rate
> or
> b) They didn't get in
> 
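
The compare step that the tarball approach in this message implies, written out as an added example (not part of the original posts). The function names compare_baseline and demo and the sample tree are assumptions constructed for illustration; it goes one step beyond the message by also listing files that were added under the directories the baseline covers.

```shell
#!/bin/sh
# Added example: compare a live tree against a baseline tarball created earlier
# with: tar czf baseline.tgz -C "$root" bin sbin ...
# Prints one finding per line: MODIFIED, MISSING or ADDED plus the relative path.
compare_baseline() {
    archive=$1; root=$2
    tmp=$(mktemp -d) || return 2
    tar xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    # Every file in the baseline must still exist with identical content.
    (cd "$tmp" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -e "$root/$f" ]; then
            echo "MISSING ${f#./}"
        elif ! cmp -s "$tmp/$f" "$root/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
    # Every file now under the covered top-level dirs must be in the baseline.
    for d in "$tmp"/*; do
        top=${d##*/}
        [ -d "$root/$top" ] || continue
        (cd "$root" && find "$top" -type f) | sort | while IFS= read -r f; do
            [ -e "$tmp/$f" ] || echo "ADDED $f"
        done
    done
    rm -rf "$tmp"
}

# Constructed demo: a fake root with three "binaries", then three changes.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/sbin"
    echo "original ls"   > "$work/root/bin/ls"
    echo "original ps"   > "$work/root/bin/ps"
    echo "original init" > "$work/root/sbin/init"
    tar czf "$work/baseline.tgz" -C "$work/root" bin sbin
    echo "changed ps" > "$work/root/bin/ps"       # replaced file
    rm "$work/root/sbin/init"                     # removed file
    echo "extra" > "$work/root/bin/.hidden"       # file not in the baseline
    compare_baseline "$work/baseline.tgz" "$work/root"
    rm -rf "$work"
}

demo
```

The comparison covers file content only, not ownership or permission bits, and it is only as trustworthy as the offline copy of the tarball and the tools used to run it.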


