
Re: crack traces in /var ?



(Some of this is my personal opinion; I don't claim to be a security
expert.)

Andreas von Heydwolff <pirmin2@gmx.net> writes:

> My home dir contains no database files but lots of proprietary
> WordPerfect docs, pdfs, oggs/mp3s/wavs and jpgs and my mail
> archive.

The thing you're mostly worried about is things that can have
executable code in them.  Your PDFs, pictures, and music are probably
all okay (unless you picked up something that was intentionally going
after them); I'd be a little worried about scripting code buried in
the WordPerfect files.  But it's not like you have a bunch of things
compiled by hand in your home directory that are potentially infected,
it sounds like.

> It is always mounted noexec,nosuid,nodev,user.

(This isn't much security; the attacker is almost certainly root so
nosuid is irrelevant, and if you have /home/me/bin/foo you can
explicitly run '/lib/ld-linux.so /home/me/bin/foo' to run the binary
regardless of noexecness.)

> And, lastly for now: The /var/crackdir dir has a timestamp X. Does
> this mean the crack most probably did not happen before day X?

See touch(1).  The timestamp is completely meaningless.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
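
An added illustration of the touch(1) point above (this is example code, not part of the original mail): a root attacker can set a file's mtime to anything with `touch -d`, but touch cannot set ctime, which the kernel updates whenever the inode changes, including when the mtime is rewritten. A directory whose mtime predates its ctime by a wide margin therefore looks backdated. The script assumes GNU or busybox `stat -c`/`touch -d` on Linux; the `crackdir` path is a constructed sample in a temporary directory, not the poster's real /var/crackdir.

```shell
#!/bin/sh
# Forged-timestamp check: compare mtime (settable with touch) against
# ctime (inode change time, not settable with touch).

# check_backdated FILE
# Returns 0 (and says so) when mtime is more than a day older than ctime,
# which is what a hand-set mtime looks like; returns 1 when they agree.
check_backdated() {
    mtime=$(stat -c %Y "$1")   # seconds since epoch, last modification
    ctime=$(stat -c %Z "$1")   # seconds since epoch, last inode change
    if [ $((ctime - mtime)) -gt 86400 ]; then
        printf '%s: mtime %s predates ctime %s: mtime looks set by hand\n' \
            "$1" "$mtime" "$ctime"
        return 0
    fi
    printf '%s: mtime %s and ctime %s agree\n' "$1" "$mtime" "$ctime"
    return 1
}

# demo_forged_timestamp
# Builds a constructed "crackdir", backdates it the way an intruder
# would, then runs the check. Returns 0 when the forgery is detected.
demo_forged_timestamp() {
    dir=$(mktemp -d)
    f="$dir/crackdir"
    mkdir "$f"
    # Intruder backdates the directory to 1 January 2001 (constructed).
    touch -d '2001-01-01 00:00:00' "$f"
    stat -c 'mtime=%y ctime=%z' "$f"
    if check_backdated "$f"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo_forged_timestamp
```

Caveat: ctime is only harder to forge, not impossible. The intruder in this thread is root, so they could set the system clock before creating the directory, or rewrite the inode with debugfs, and then mtime and ctime would agree with whatever date they chose. The check above only catches the common case of a plain `touch -d` after the fact; as the mail says, none of these timestamps can be trusted as proof of when the break-in happened.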


