[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: hacked, then intrusion detection system



On Sat, 3 Feb 2001 mgriffa@fibertel.com.ar wrote:

>Hi.
>	I just realized that someone entered my debian box with
>cablemodem. I couldn't find anything in the logs, but the pump package was
>deleted.

If you've truly been cracked, of course you can't find anything in the
logs.  That's one of the first things a rootkit takes out. Then it takes
out the tools to dissect additional logs.  What catches me weird about
this is that the cracker basically nuked your connection: Cable uses DHCP
(pump) pretty regularly, so it'd be stupid for them to take out one of the
things that kept your box up on the 'net.  Basically, the cracker WANTS
your box to be up and online as much as possible once they're in.  I'd
have a look at some more pedestrian reasons that pump was taken out
first (like a bad sector on your disk or a bad $PATH)...

>	I replaced inetd for xinetd. took off services I didnt't use (It
>was left all default, as I installed in a rush), and now I'd like a good
>intrusion detection system.

snort works.  ippl, portsentry are some good "pre-IDS"es...

>	I'd like to hear about any advices about not security (too wide)
>but tools to run in cron and which may be usefull for this kind of
>situations.

tripwire to make sure the disk image doesn't change, reinstallation of
your computer (all of it: you have no idea what's been trojaned), cracklib
to ensure that your passwords are hardened.  Security isn't something you
install on your computer, it's something you install in your sysadmin's
mind (usually yourself in a singly owned computer).

>Thanks!
>
>
>

-- 
Artificial intelligence is no match for natural stupidity.

Who is John Galt?  galt@inconnu.isu.edu, that's who!



Reply to: