
Re: I've been hacked by DevilSoul



Alan Aldrich wrote:
<Snip>
> Of course I took it off the net and had to rebuild the whole system, and now
> I am not allowing ssh, rsh, telnet or ANY logins. It is not a machine that
> needs logins anyway, all it does is VPN proxy and authentication on certain
> ports.
<Snip>

The way it should be. No unnecessary services.

Alan Aldrich also wrote:
> I wish I did know how the hacker got in, but I am pretty sure they won't be
> able to now.
> Someone mentioned tripwire. Is that a good monitor for hacker activity?
> 
> alan

Tripwire monitors for changes. For example, say a cracker adds his own
super user account to /etc/passwd: tripwire can notify you that there
was a change to that file. This is good for recovering by the "maybe
it'll be safe once I remove all the changes" method and/or identifying a
break-in. However, if you have been following this thread, you will have
noticed the discussions about subverting apps like tripwire, so it is
certainly not fool-proof. And then, even if the tactics involving the
kernel are not used, there is still the possibility of the tripwire
system being compromised also.

Then, shortly thereafter, Alan Aldrich wrote:
> oh yeah.. by the way, that chkrootkit that someone mentioned pointed me
> right to the problems.
> that is a great tool.
> thanks
> alan

I am curious as to how great a tool it is. I haven't bothered looking
yet, but I assume that it runs along the same lines as AV software for
the lesser OS. Please correct me if I am wrong about this, but I see the
"update for each new virus" approach as horrible, and I would think
that would be the same tactic used against root kits. Anybody have
comments on this?

-Will Wesley, CCNA
For God's sake, stop researching for a while and begin to think!
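As an added illustration of the tripwire description above (this is neither Tripwire's own code nor code from anyone in this thread): a minimal baseline-and-compare checker that records hash, permission bits, owner and size per file, reports which attributes changed, and flags the specific case mentioned, a second uid-0 login in /etc/passwd. The temporary file, account names and tamper step are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(paths):
    """Baseline one record per file: content hash, permission bits, owner, size."""
    db = {}
    for p in paths:
        st = os.lstat(p)
        db[p] = {"sha256": hashlib.sha256(Path(p).read_bytes()).hexdigest(),
                 "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    return db

def compare(baseline, current):
    """Map each changed path to the attributes that differ ('new'/'missing' for add/remove)."""
    report = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            report[p] = ["missing"]
        elif p not in baseline:
            report[p] = ["new"]
        else:
            diffs = sorted(k for k in baseline[p] if baseline[p][k] != current[p][k])
            if diffs:
                report[p] = diffs
    return report

def extra_uid0_accounts(passwd_text):
    """Login names carrying uid 0 other than root: the 'added superuser' case."""
    names = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            names.append(f[0])
    return names

def demo():
    """Constructed passwd file: take a baseline, simulate the change, re-check."""
    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, "passwd")
        Path(pw).write_text("root:x:0:0:root:/root:/bin/sh\nalan:x:1000:1000::/home/alan:/bin/sh\n")
        base = snapshot([pw])
        # Constructed tampering: a second uid-0 login appended to the file.
        Path(pw).write_text(Path(pw).read_text() + "intruder:x:0:0::/:/bin/sh\n")
        # The baseline must be stored where it cannot be rewritten, and the checker
        # itself can be subverted on a compromised host, as the thread points out.
        return compare(base, snapshot([pw])), extra_uid0_accounts(Path(pw).read_text())

if __name__ == "__main__":
    print(demo())
```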
