[811] in Intrusion Detection Systems


RE: Signs of an Intruder

daemon@ATHENA.MIT.EDU (BlackHeart)
Thu Dec 12 13:26:28 1996

Date: Thu, 5 Dec 1996 16:43:52 -0600 (CST)
From: "BlackHeart" <DR940788@caper1.uccb.ns.ca>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au

It would seem to me the most logical thing to do is to have a print log of
all port connections, including the site it is coming from.  Sure, it is
definitely possible that logs may be altered, but it's pretty hard to roll
back the paper...

Another interesting point that I've seen in this discussion is looking for
attempted commands like "wiz" and "debug"... chances are, if someone is
attempting these commands, they have either lived in a cave for the past
decade or have no idea what they are doing... what version of sendmail
actually contained the "wizard" backdoor?  I know that it was fixed on most
systems as early as 1988, when the infamous worm used it as a method of
security breach... but anyways, I digress... later.

-blak
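The two detection ideas in the message above (keep a per-connection log that records the source host, and watch the SMTP dialogue for the old "wiz"/"debug" commands) are easy to turn into a small log-review routine. The script below is an added example, not code from the post or from the ids list; it assumes a tcp_wrappers-style syslog line of the form `svc[pid]: connect from host` and an SMTP transcript written as `source: COMMAND ...`, and the sample lines it runs on are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not from the original message). The first block
# mimics tcp_wrappers "connect from" syslog lines; the second mimics an SMTP
# session transcript where each line is prefixed with the peer address.
SAMPLE_CONNECTION_LOG = """\
Dec  5 16:01:12 host in.telnetd[1022]: connect from 10.0.0.5
Dec  5 16:02:40 host sendmail[1031]: connect from 192.0.2.77
Dec  5 16:03:01 host in.ftpd[1040]: connect from 192.0.2.77
"""

SAMPLE_SMTP_SESSION = """\
192.0.2.77: HELO evil.example
192.0.2.77: WIZ
192.0.2.77: DEBUG
192.0.2.77: MAIL FROM:<a@b>
10.0.0.9: HELO mail.example.org
10.0.0.9: MAIL FROM:<x@y>
"""

# Assumed log format: "<Mon> <day> <hh:mm:ss> <host> <svc>[<pid>]: connect from <src>"
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\s(?P<svc>[\w.]+)\[\d+\]:\s+connect from\s+(?P<src>\S+)"
)

# The two commands the message mentions; any other verb is left alone.
SUSPICIOUS_SMTP_VERBS = frozenset({"WIZ", "DEBUG"})


def parse_connections(log_text):
    """Return a list of (timestamp, service, source) for every 'connect from' line."""
    found = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            found.append((m.group("ts"), m.group("svc"), m.group("src")))
    return found


def connections_by_source(log_text):
    """Count connections per source host, the 'where it is coming from' part of the log."""
    return dict(Counter(src for _, _, src in parse_connections(log_text)))


def flag_smtp_commands(session_text, suspicious=SUSPICIOUS_SMTP_VERBS):
    """Return (source, verb) for every transcript line whose SMTP verb is suspicious."""
    hits = []
    for line in session_text.splitlines():
        src, sep, cmd = line.partition(": ")
        if not sep or not cmd.strip():
            continue
        verb = cmd.strip().split()[0].upper()
        if verb in suspicious:
            hits.append((src, verb))
    return hits


def summarize(log_text, session_text):
    """Join both views by source: connection count plus any suspicious SMTP verbs seen."""
    report = defaultdict(lambda: {"connections": 0, "suspicious": []})
    for src, n in connections_by_source(log_text).items():
        report[src]["connections"] = n
    for src, verb in flag_smtp_commands(session_text):
        report[src]["suspicious"].append(verb)
    return dict(report)


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_CONNECTION_LOG, SAMPLE_SMTP_SESSION).items()):
        print(f"{src}: {info['connections']} connection(s), suspicious={info['suspicious']}")
```

With the constructed input, 192.0.2.77 shows two connections (sendmail and ftpd) and both WIZ and DEBUG attempts, while 10.0.0.5 and 10.0.0.9 show nothing suspicious; in practice the join on source host is what lets a reviewer tie an odd SMTP verb back to the rest of that host's activity in the connection log.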
