Re: I'm afraid I've been cracked.
Try using aide--it checks your filesystem (checksums, inodes, timestamps, lots more)
to make sure that nothing's been tampered with, and mails you a daily report.
http://www.debian.org/Packages/unstable/admin/aide.html. It's good stuff, especially
on machines that are just sitting around with minimal input from you. It basically
does all of what you did to check your system integrity, only on a larger scale.
--Mike
Steve Juranich wrote:
> On 28 Sep 2000, Olaf Meeuwissen wrote:
>
> > bash$ man debsums
> > bash$ dpkg --search `which top`
> > procps: /usr/bin/top
> > bash$ debsums -s procps
> >
> > Any output could be a problem. Of course this assumes that the listed
> > md5sums have not been tampered with. They are in /var/lib/dpkg/info.
> >
>
> Okay, after poking around a good deal, here's the diagnosis:
>
> 1) Log files look okay, but that doesn't count for much.
> 2) md5sums for all of those things like top, ls, etc all check out.
> 3) No packages have .md5sums files in /var/lib/dpkg/info with modification
> dates any later than my original installation (which was Sunday). Are
> script kiddies smart enough to modify this?
>
> If anybody did crack my box, it's not readily apparent that they did
> anything harmful. Nevertheless, the only open ports I'm going to have from
> here on out is ssh, and that will be configured to accept connections ONLY
> from my box in my office.
>
> Thanks for the help. Any further suggestions are very welcome, since I'm
> still very new to all of this security stuff.
>
> ----------------------------------------------------------------------
> Stephen W. Juranich sjuranic@ee.washington.edu
> Electrical Engineering http://students.washington.edu/sjuranic
> University of Washington http://rcs.ee.washington.edu/ssli
>
--
Michael J. Smith msmith4@gladstone.uoregon.edu
2250 Patterson #25 Eugene, OR 97405
(541)346-7562
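
Added example, not part of the original thread or of debsums/aide: a minimal Python sketch of the two checks discussed above, comparing files against a dpkg-style `.md5sums` list and flagging a list whose modification time is later than a known baseline. The function names, the baseline parameter and the sample tree are assumptions constructed for illustration; in practice the list would be read from a trusted copy (for example, read-only media) rather than from the machine under suspicion.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def parse_md5sums(text):
    """dpkg .md5sums format: '<md5 hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries

def verify(root, list_path, baseline_mtime):
    """Return (kind, path) findings for one checksum list (hypothetical helper)."""
    findings = []
    # A list changed after the baseline (e.g. install time) cannot vouch for files.
    if os.stat(list_path).st_mtime > baseline_mtime:
        findings.append(("list-modified", str(list_path)))
    for rel, want in sorted(parse_md5sums(Path(list_path).read_text()).items()):
        target = Path(root) / rel
        if not target.is_file():
            findings.append(("missing", rel))
        elif hashlib.md5(target.read_bytes()).hexdigest() != want:
            findings.append(("checksum-mismatch", rel))
    return findings

def demo():
    """Constructed sample tree: verify it clean, then after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root, list_path = Path(tmp) / "root", Path(tmp) / "procps.md5sums"
        (root / "usr/bin").mkdir(parents=True)
        lines = []
        for name in ("ps", "top"):
            data = b"constructed contents of " + name.encode()
            (root / "usr/bin" / name).write_bytes(data)
            lines.append("%s  usr/bin/%s\n" % (hashlib.md5(data).hexdigest(), name))
        list_path.write_text("".join(lines))
        baseline = os.stat(list_path).st_mtime
        clean = verify(root, list_path, baseline)
        (root / "usr/bin/top").write_bytes(b"replaced binary")   # content changed
        (root / "usr/bin/ps").unlink()                            # file removed
        os.utime(list_path, (baseline + 3600, baseline + 3600))   # list touched later
        return clean, [kind for kind, _ in verify(root, list_path, baseline)]

if __name__ == "__main__":
    print(demo())
```

A clean modification time on the list is only weak evidence, since timestamps can be set arbitrarily by anyone with write access to the file; the checksum comparison is meaningful only against a list stored where the suspect system cannot write.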