
Re: An utility or whatever that can monitor/log all the activities in OS of the compromised machine



Thank You for Your time and answer, Tzafrir:

> > And, what is more
> > important - could You share Your experience on how to illuminate from whence
> > the criminal got its root privileges?  
> 
> In a manner that root cannot rewrite?
> 
> Please state your assumptions here.
> 
> (A reliable remote logging server?)

Yes. Or an emailing program that sends some states of the OS.

> > Is it possible to log net activities through iptables? - I did try LOG
> > target but w/ no success.  
> 
> And you assume root cannot alter those rules?

I suppose that the criminal is not always and everywhere present - he needs time,
which can be of benefit to me, or he may have his interest in something specific,
say, emailing spam - and almost nothing more... It is just guessing, but still I
believe there is something that can help track him to some degree, and then,
maybe, it is possible to understand from whence he got his entrance on an, as I
suppose, well-protected machine.

Or let's view this from another point: we have set up a new server (we use the
same hardware - we have just formatted the entire HDD) - how can we now be sure that
it is secure enough, for we have not found the way the criminal got in? Or is
there a utility that can inspect the OS regarding the services the OS is running?
- Something similar to what rkhunter does for ssh, say, but for other services:
apache, for example, or postfix, or ftp, etc.
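As an added illustration of the two points raised in this exchange (logging network activity with the iptables LOG target, and keeping the logs where root on the compromised box cannot rewrite them), here is a small analysis script that is not part of the original thread. It assumes an OUTPUT rule of the form `iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "IPT-OUT: "` (and a matching INPUT rule with prefix `IPT-IN: `), and that the resulting kernel messages are forwarded by syslog to a separate log host, where this script runs. The sample log lines, host names, addresses and the allow-list of expected outbound ports are constructed for the example.

```python
"""Summarize new outbound TCP connections from iptables LOG lines.

Run this on the remote log host, not on the suspect machine: once an
intruder has root, the local rules and local log files are his to change,
so only the copies already shipped off the box can be trusted.
"""
import re
from collections import Counter

# Constructed sample of what the kernel writes for the LOG rules described
# in the lead-in (one line per first packet of a TCP connection).
SAMPLE_KERN_LOG = """\
Mar 10 12:34:56 www kernel: [ 1234.567] IPT-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45123 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:34:57 www kernel: [ 1235.001] IPT-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45124 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:34:58 www kernel: [ 1236.220] IPT-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45125 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:35:10 www kernel: [ 1248.900] IPT-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=45126 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:35:11 www kernel: [ 1249.300] IPT-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:35:12 www kernel: [ 1250.100] IPT-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=UDP SPT=5353 DPT=53 LEN=52
"""

# Ports a plain web server would be expected to talk to (constructed allow-list).
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}

# Everything after "kernel: [uptime] PREFIX: " is a run of KEY=VALUE tokens
# plus bare flag words such as DF, SYN and ACK.
_LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<prefix>\S+): (?P<fields>.*)$")


def parse_iptables_log_line(line):
    """Return the fields of one iptables LOG line as a dict, or None."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def summarize_outbound(lines, allowed_ports):
    """Count new outbound TCP connections per destination port.

    Returns (per_port Counter, list of (dst, port) pairs not in allowed_ports).
    Inbound packets (OUT is empty), non-TCP traffic and anything that is not a
    bare SYN are skipped so each connection is counted once.
    """
    per_port = Counter()
    unexpected = []
    for line in lines:
        rec = parse_iptables_log_line(line)
        if rec is None or not rec.get("OUT") or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue
        port = int(rec["DPT"])
        per_port[port] += 1
        if port not in allowed_ports:
            unexpected.append((rec["DST"], port))
    return per_port, unexpected


def analyze_sample():
    """Run the summary over the constructed sample log."""
    return summarize_outbound(SAMPLE_KERN_LOG.splitlines(), EXPECTED_OUTBOUND_PORTS)


if __name__ == "__main__":
    counts, odd = analyze_sample()
    for port, n in sorted(counts.items()):
        print(f"outbound TCP to port {port}: {n} new connection(s)")
    for dst, port in odd:
        print(f"unexpected: {dst}:{port}")
```

On the constructed sample the script reports three new SMTP connections to three different hosts from a machine whose only expected outbound traffic is DNS and HTTP(S), which is the kind of pattern the poster has in mind when he mentions spam. The caveat in the reply above still applies: this only helps for activity that happened after logging was set up and for logs that left the box before root was lost.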

