Re: preparing for case of emergency
hi ya klaus
i am assuming you made a copy of all the binaries and lib and config files
for safe keeping as a reference against the "hacked" machine ...
esp. programs like these should be saved:
find, ps, netstat, ls, diff, login, crypt, sum, top, rm, mv, cp
mail, elm, pine, sendmail/exim, etc
i'd add additional ids in ~root/.bashrc/.cshrc
mail -s "got a live one in $HOST" you@someplace.com < /dev/null
then when you see the machine doing stuff it shouldn't be
or have files/directories it shouldn't have...
- run rm -rf on their files in rt... and kill their logins/apps
and watch where they reconnect from...
- if you have um in their own chroot... they might not
notice you are watching um ???
- get the local fbi or pd or isp also to look and watch your
machine while they are live in your machine...typing/executing
their commands ... kill those puppies and watch um login again...
after the 2nd time.. they should go away...knowing they are
being watched ...or they might do a final rm -rf / before
disappearing
have fun linuxing
alvin
On Mon, 11 Feb 2002, Klaus Koch wrote:
> hello!
>
> I have done my best to make my firewall/router secure according to
> several security howtos (in this place, many thanks to the authors of
> the debian security howto). I think I am really getting into this
> "security stuff" :)
> I am running a not very busy website and ftp-server, so I can afford to
> receive snort alarms in realtime via email to my internal account,
> because there aren't many. Due to work, I spend a lot of time at this
> account, so chances are high that I am present when an attack is done.
> My question now is, what can I really do in realtime against an ongoing
> attack? Are there any interesting reads I wasn't able to find?
>
> Many thanks for your help!
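As an added example (not part of the thread, and not alvin's or Klaus's code): a small POSIX shell script that does the "reference copy" part of the advice above, hashing the binaries named in the reply on the clean box and later comparing the suspect box's copies against the saved list. It assumes sha256sum (or shasum) is installed, and the paths it records are whatever `command -v` finds on the host.

```shell
#!/bin/sh
# Added example, not from the list post: hash a known-clean copy of the
# binaries named in the reply, then compare a suspect machine's copies
# against that baseline. Assumes sha256sum (or shasum) is installed.

# Binary list from the reply above; sendmail stands in for exim.
REFERENCE_BINS="find ps netstat ls diff login top rm mv cp mail sendmail"

# hash_file PATH: print "<sha256>  <path>" via sha256sum or shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# resolve_bins NAME...: print the full path of each command found here.
resolve_bins() {
    for n in "$@"; do command -v "$n" 2>/dev/null; done
}

# make_baseline OUTFILE PATH...: hash each readable PATH into OUTFILE
# (do this on the clean machine and keep OUTFILE off the box).
make_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do [ -r "$f" ] && hash_file "$f" >> "$out"; done
}

# check_baseline BASELINE: rehash every path listed in BASELINE, report
# files that changed or vanished; returns 1 if anything differs.
check_baseline() {
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then echo "MISSING  $path"; status=1; continue; fi
        have=$(hash_file "$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "CHANGED  $path"; status=1; }
    done < "$1"
    return "$status"
}

# usage: sh baseline.sh make  baseline.txt   (clean machine)
#        sh baseline.sh check baseline.txt   (suspect machine)
case "${1:-}" in
    make)  make_baseline "$2" $(resolve_bins $REFERENCE_BINS) ;;
    check) check_baseline "$2" ;;
esac
```

Run the check with the saved clean copies (or from boot media) rather than the suspect machine's own sh, sha256sum and cut, since a replaced binary can lie about its own hash.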