[97921] in RedHat Linux List


assistance to track a break in

daemon@ATHENA.MIT.EDU (Pete)
Thu Nov 5 19:57:59 1998

From: "Pete" <plaven@idl.net.au>
To: redhat-list@redhat.com
Date: Fri, 6 Nov 1998 11:58:48 +1100
Reply-to: plaven@idl.net.au
Resent-From: redhat-list@redhat.com

Hi everyone,

Well, I've learnt a pretty good lesson in the last few days: trust no one.

I have set up my Linux box for ip-masq and wasn't too concerned with
security.  I figured that there were bigger targets to keep these people
busy.  It turns out that this isn't the case, at least as far as I can
figure.

Here's what I have found so far:

1. My /var/log/messages file stops at the 4th of November with this
line:

Nov  4 23:39:37 piglet rz[12656]: clean/ZMODEM: 145 Bytes, 44 BPS

I had run tail -f on this log file and it had been running fine until the
5th; it was only because I wasn't careful and hit ^C that it stopped.
Running the command line again showed me this anomaly.

I would say that someone has broken in and has now sent a file of this
size to the system, yet trying to find it has proven fruitless.

2. who no longer shows me any external logins, i.e. when I telnet
from the Win95 box it doesn't show up.

3. /var/log/messages hasn't been written to since that last line,
hence I suspect that syslogd isn't running, but it shows up in ps
aux.

4. My login prompt has changed, and I hadn't changed it.

I'm sure there are a number of things here that have been touched or
changed; the dates seem to be set OK, i.e. nothing looks unusual
about them.

Obviously this person would now have root access, but if they are
smart they will have created another user as a backup, no?  I guess
searching the passwd file for any account with root access would
be the next thing to check.

Also, how would I be sure, once I've checked and rectified
everything, that the infiltrator is gone for good?  I could just re-install
everything and be done with it, this time setting up much tighter
security, but then I wouldn't learn anything from this.

Any and all assistance is appreciated; please respond to my email
address too, as it will be read quicker.

Pete

In a world without fences, who needs Gates?


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
		http://www.redhat.com http://archive.redhat.com
         To unsubscribe: mail redhat-list-request@redhat.com with 
                       "unsubscribe" as the Subject.
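The check Pete proposes at the end of his post (look in the passwd file for a second root-equivalent account) is easy to do with awk. The script below is an added example and is not part of the original post or of any Red Hat tooling; the sample passwd entries it builds are constructed for illustration (the account names "toor" and "guest" are hypothetical), and the function names are my own. It flags the three things an added backdoor account usually shows up as: a second UID 0 entry, an entry with an empty password field, and two names sharing one UID.

```shell
#!/bin/sh
# Quick /etc/passwd triage for a suspected root compromise.
# Added example: the sample passwd files below are constructed for
# illustration and the function names are the author's own invention.

# Accounts with UID 0 whose name is not "root": an attacker's backup login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is completely empty: they log in with no
# password at all. On a shadowed system the field is "x", which is fine.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# UIDs that are shared by more than one account name, with the names.
# Two names on one UID is a classic way to hide a second root login.
duplicate_uids() {
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort -n
}

# Run all three checks on one file. Returns 0 if nothing was found,
# 1 if anything suspicious turned up (and prints what it was).
triage_passwd() {
    local found out
    found=0
    out=$(extra_uid0_accounts "$1")
    if [ -n "$out" ]; then echo "UID 0 accounts besides root: $out"; found=1; fi
    out=$(empty_password_accounts "$1")
    if [ -n "$out" ]; then echo "accounts with empty password field: $out"; found=1; fi
    out=$(duplicate_uids "$1")
    if [ -n "$out" ]; then echo "UIDs shared by several names: $out"; found=1; fi
    return $found
}

# Constructed sample files (not copied from any real system).
SAMPLE_PASSWD=$(mktemp)
CLEAN_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$CLEAN_PASSWD"' EXIT

# A passwd with two planted backdoors: "toor" (second UID 0) and "guest"
# (no password at all). Both names are hypothetical.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
nobody:x:99:99:Nobody:/:
pete:x:500:500:Pete:/home/pete:/bin/bash
toor:x:0:0::/:/bin/sh
guest::501:501::/home/guest:/bin/sh
EOF

# The same file with nothing planted.
cat > "$CLEAN_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
pete:x:500:500:Pete:/home/pete:/bin/bash
EOF

# Usage: run against the real file with  triage_passwd /etc/passwd
triage_passwd "$SAMPLE_PASSWD" || echo "suspicious entries found in $SAMPLE_PASSWD"
```

One caveat that follows from Pete's own observations: on a box where syslogd shows up in ps aux but has stopped writing, and who no longer shows logins, the system binaries themselves (ps, who, ls, netstat, and for that matter awk and sh) may have been replaced, so a check like this is only trustworthy when run from a clean boot medium or after copying /etc/passwd to a machine you still trust. Also remember that /etc/shadow, not /etc/passwd, holds the real password hashes on a shadowed system, so an "x" here only means there is something to check in the other file.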

