Re: See what a weak password will get ya?
* Chris Metzler <cmetzler@speakeasy.net> [2004-07-22 22:18]:
> On Thu, 22 Jul 2004 17:42:53 -0500
> Paul Stolp <paulywall@myrealbox.com> wrote:
> >
> > shutdown -h now !
>
> Believe it or not, this is often a bad idea. It's often easier to
> determine the scope of a compromise by watching the intrude for a little
> while than to attempt to find out afterwards with forensics.
I thought this afterwards, but it appears the attacker went away empty
handed anyways. He was already logged out when I noticed the high load.
He tried to kill the "t" program, but couldn't. I suspect he was
somewhat inept (as was I with the pathetic password I assigned to the
guest account!) in reviewing the logs and bash history, it becomes
fairly easy to piece together.
I will definitely consider your advice when I'm in this situation again.
>
> > look for damage, whew, I was O.K.
>
> How did you determine this?
chkrootkit and, more satisfying to me, md5sums of some key binaries.
Thanks,
Paul
--
Reply to: