Re: See what a weak password will get ya?

* Chris Metzler <cmetzler@speakeasy.net> [2004-07-22 22:18]:
> On Thu, 22 Jul 2004 17:42:53 -0500
> Paul Stolp <paulywall@myrealbox.com> wrote:
> >
> > shutdown -h now  !
> Believe it or not, this is often a bad idea.  It's often easier to
> determine the scope of a compromise by watching the intruder for a little
> while than to attempt to find out afterwards with forensics.

I thought this afterwards, but it appears the attacker went away empty
handed anyway. He was already logged out when I noticed the high load.
He tried to kill the "t" program, but couldn't. I suspect he was
somewhat inept (as was I with the pathetic password I assigned to the
guest account!). In reviewing the logs and bash history, it becomes
fairly easy to piece together.

I will definitely consider your advice when I'm in this situation again.

> > look for damage, whew, I was O.K.
> How did you determine this?

chkrootkit and, more satisfying to me, md5sums of some key binaries.
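The checksum comparison mentioned above, written out as an added example (not part of the thread, and not the poster's own script): it records a baseline of every file under a directory and later reports each file whose sum differs or which has gone missing. Directory names, file contents and the `demo` function are constructed for illustration; on a real host the baseline and the checksum tool itself have to live somewhere the intruder could not rewrite (a rescue medium or another machine), otherwise a replaced `md5sum`/`sha256sum` will happily report "OK".

```shell
#!/bin/sh
# Baseline-and-verify integrity check for a set of key binaries.
# Constructed example: the "binaries" are plain files under a temp dir.

# Record the checksum of every regular file under $1 into baseline file $2.
# Copy the baseline off the host afterwards; a baseline the attacker can
# edit proves nothing.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# Compare the tree under $1 with baseline $2.
# Prints one path per line for every file that changed or disappeared
# (sha256sum -c reports "path: OK", "path: FAILED" or
# "path: FAILED open or read"); prints nothing when everything matches.
# Files added after the baseline was taken are not listed.
verify_baseline() {
    dir=$1; base=$2
    ( cd "$dir" && sha256sum -c "$base" 2>/dev/null ) \
        | awk -F': ' '$2 != "OK" { print $1 }'
}

# Build a constructed sample tree, baseline it, alter one file the way a
# replaced binary would differ, and return the list of flagged paths.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin" "$work/tree/sbin"
    printf 'ls binary v1\n'   > "$work/tree/bin/ls"
    printf 'ps binary v1\n'   > "$work/tree/bin/ps"
    printf 'sshd binary v1\n' > "$work/tree/sbin/sshd"
    make_baseline "$work/tree" "$work/baseline.sha256"
    # One file changes after the baseline exists.
    printf 'ps binary v1 + extra\n' > "$work/tree/bin/ps"
    verify_baseline "$work/tree" "$work/baseline.sha256"   # prints ./bin/ps
    rm -rf "$work"
}
```

Package managers can supply a reference baseline (`debsums` on Debian, `rpm -V` on RPM systems), but they too depend on the local tools and package database being intact.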
