Re: Machine break-in part 2
- From: Alan Mead <adm ipat com>
- To: redhat-list redhat com
- Subject: Re: Machine break-in part 2
- Date: Mon, 20 Dec 1999 12:02:30 -0600
At 09:42 AM 12/20/99 -0800, Gavin Budd wrote:
>Another thing that happened is that IPs aren't being logged in the u/wtmp
>file for telnet connections. They stopped logging about the same time as
>the break-in. Any idea how to fix this?
Yeah. (1) Backup ALL valuable data on the server. (2) Use fdisk to remove
all partitions. (3) Then reinstall the OS and all security patches.
Seriously, you are playing with fire if you think you can unfix whatever
the cracker broke. If you really want to know what got changed, I think you
need to install and run tripwire (or the like) right after a known clean
install (e.g., non-networked); then you can re-run it later to see what
files have changed. You need to boot from a removable (known clean) medium,
and the executable and DB need to be known to be untampered as well.
-Alan
---
Alan D. Mead / Research Scientist / adm ipat com
Institute for Personality and Ability Testing
1801 Woodfield Dr / Savoy IL 61874 USA
217-352-4739 (v) / 217-352-9674 (f)
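As an added illustration of the tripwire-style check Alan describes (this is example code written for this page, not tripwire itself and not anything posted in the thread), the script below takes a baseline of file hashes and permission bits from a known-clean tree, stores it, and later diffs a fresh scan against it to report added, removed and modified files. The sample file tree, the "tampering" applied to it, and the function names are all constructed for the demonstration. The caveat from the message still applies: the baseline, the interpreter and the script itself only mean something if they are kept on media the compromised system could not have touched, and the comparison is run after booting from a known-clean medium.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk a tree and record hash, permission bits and size for every regular file.

    Keys are paths relative to root, so a baseline taken from a mounted image
    can be compared against the same tree mounted elsewhere later.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": oct(st.st_mode & 0o7777),  # catches setuid/mode changes
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice write this to read-only/offline media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return which files were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: clean install, baseline, later tampering, re-scan."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        # A tiny stand-in for a freshly installed system (constructed sample data).
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        _write(os.path.join(bin_dir, "login"), b"original login binary\n")
        _write(os.path.join(bin_dir, "ls"), b"original ls binary\n")
        _write(os.path.join(root, "etc_passwd"), b"root:x:0:0:root:/root:/bin/sh\n")

        # Baseline taken right after the clean install and stored off the tree.
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Simulated later changes: replaced binary, dropped file, new file,
        # and a permission change with no content change.
        _write(os.path.join(bin_dir, "login"), b"modified login binary\n")
        os.remove(os.path.join(bin_dir, "ls"))
        _write(os.path.join(bin_dir, ".hidden"), b"new file\n")
        os.chmod(os.path.join(root, "etc_passwd"), 0o4755)

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The permission bits are recorded alongside the hash because a file whose contents are unchanged but which has gained a setuid bit is still a finding; hashing contents alone would miss it.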