[1921] in linux-security and linux-alert archive


[linux-security] Re: WARNING: Break-in attempts

daemon@ATHENA.MIT.EDU (The Nolander)
Mon Jun 22 01:52:29 1998

Date: Sun, 21 Jun 1998 23:31:14 +0200 (CEST)
From: The Nolander <nolander@krixor.xy.org>
Reply-To: The Nolander <nolander@krixor.xy.org>
To: linux-security@redhat.com
In-Reply-To: <199806210631.IAA01608@cave.BitWizard.nl>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com


*you know the thread*

It really bothers me how easy it is to frame someone for something, when
people trust in logs. Just as easily as an intruder can erase his tracks
from the log files, he can put another one's address there.. This is a *big*
concern since at least where I live the police have no knowledge at all
about such matters, and there are plenty of not-so-competent admins. 

Picture a portscan.. People get their accounts 'n connections closed
because of such things!.. So even the ISPs blindly believe in it. A simple
SYN-scan is no evidence for anything else but the fact that the person
with that IP *somehow* is involved.. It's bothering that not even the ISPs
realize that packets don't even have to originate from the computer with
that IP assigned. 

Another issue that I want to push forward with this is syslog remote
logging, and in fact syslog at all. UDP packets are easily forgeable.. If
someone wants to frame another one for it, he doesn't even have to crack
the computer to do it. imap[...]: Crack attempt from 1.1.1.1 .. Of course..
the pid can show that it's not 100% reliable then. But there are still
dangers (more than just that) with remote syslogging.. If it is to be
used, then use secure syslog or something.. (look at http://www.core-sdi.com/)

There is another fact about syslog.. *ANY* user on the system can put things
like above in syslog *WITH* a suitable PID. 

What I'm saying is, DON'T TRUST YOUR LOGS!.. And please make the police
and every silly admin realize that. If something suspicious turns up in
the logs, then don't freak out 'n think "HE DID IT!". What you *should* do
is sniff your own computer pretty good and look for suspicious packets.
When you find those packets containing things like "cat /st00pid/tcp.log",
and it's not from a dialup, then *call* the owner of the computer/network
and talk to him, or if he's had his system compromised too. Backtracing
such as this should finally get you to a dialup-source, where you probably
won't get any further. What to do from there - up to you.
 

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
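A defender-side illustration of the advice in the post above, added here as an example and not taken from the original message or from the list: instead of taking a syslog line at face value, cross-check the source address it claims against what a sniffer on the host actually saw, and check that the PID in the tag really belonged to the daemon. The sample syslog lines, the connection records, the process-accounting records and the tag-to-program map are all constructed for the example; the classic BSD syslog line format is the only real thing it parses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in classic BSD format (not from the original post).
SYSLOG_LINES = [
    "Jun 21 23:31:14 krixor imap[4711]: Crack attempt from 1.1.1.1",
    "Jun 21 23:32:02 krixor imap[4712]: Crack attempt from 10.0.0.7",
    "Jun 21 23:33:40 krixor imap[31337]: Crack attempt from 192.0.2.9",
]

# Constructed connection summaries as a sniffer on the host might produce them:
# (timestamp, source address, destination port). Only 10.0.0.7 really connected.
CONNECTIONS = [
    ("Jun 21 23:31:59", "10.0.0.7", 143),
    ("Jun 21 23:32:00", "10.0.0.7", 143),
]

# Constructed process-accounting records: which program owned which PID.
# PID 31337 belonged to a user's shell, not to the imap daemon.
PROCESS_RECORDS = {4711: "imapd", 4712: "imapd", 31337: "bash"}

# Hypothetical mapping from syslog tag to the program name seen in accounting.
TAG_TO_PROGRAM = {"imap": "imapd"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_ts(s, year=1998):
    """BSD syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def parse_syslog(line):
    """Split one BSD syslog line into timestamp, host, tag, PID, message
    and the source address the message claims. Returns None on no match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    d["ts"] = parse_ts(d["ts"])
    ip = IP_RE.search(d["msg"])
    d["claimed_ip"] = ip.group(1) if ip else None
    return d


def corroborated(entry, connections, port=143, window=timedelta(minutes=2)):
    """True if a sniffed connection from the claimed address to the service
    port was seen within `window` before the log entry's timestamp."""
    for ts, src, dport in connections:
        t = parse_ts(ts)
        if (src == entry["claimed_ip"] and dport == port
                and entry["ts"] - window <= t <= entry["ts"]):
            return True
    return False


def assess(lines, connections, process_records, tag_to_program):
    """Return (line, verdict) pairs; verdict is 'corroborated',
    'pid-mismatch', 'no-network-evidence' or 'unparsed'."""
    results = []
    for line in lines:
        e = parse_syslog(line)
        if e is None:
            results.append((line, "unparsed"))
            continue
        expected = tag_to_program.get(e["tag"])
        owner = process_records.get(e["pid"])
        # A log line whose PID never belonged to the daemon was written by
        # something else, which any local user can do via the syslog socket.
        if e["pid"] is not None and expected and owner != expected:
            results.append((line, "pid-mismatch"))
            continue
        # A claimed source address with no matching packets on the wire is
        # an assertion in a text file, not evidence.
        if e["claimed_ip"] and not corroborated(e, connections):
            results.append((line, "no-network-evidence"))
            continue
        results.append((line, "corroborated"))
    return results


if __name__ == "__main__":
    for line, verdict in assess(SYSLOG_LINES, CONNECTIONS,
                                PROCESS_RECORDS, TAG_TO_PROGRAM):
        print(f"{verdict:20} {line}")
```

The two checks are deliberately independent: the PID check catches lines injected through the local log socket, and the network check catches lines that arrived over forged UDP or were edited on disk. Neither proves who sent the packets; they only tell you which log lines are worth acting on at all.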

