[827] in Intrusion Detection Systems


Re: Signs of an Intruder

daemon@ATHENA.MIT.EDU (w.wessels@cc.ruu.nl)
Fri Dec 27 01:38:42 1996

From: w.wessels@cc.ruu.nl
Date: Wed, 18 Dec 1996 09:18:41 +0100
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au

Mike Kienenberger wrote:
> 
> On Thu, 5 Dec 1996, "BlackHeart" wrote:
> > It would seem to me the most logical thing to do is to have a print log of
> > all port connections, including the site it is coming from.  Sure, it is
> > definitely possible that logs may be altered, but it's pretty hard to roll
> > back the paper...

Why print it if you could store your logs on read-only media?

> 
> The only problem with this is that you're going to get data overkill.
> And without computer readable media, there's no way to condense and
> process that information in a reasonable amount of time.  Of course,
> if you're only interested in logging events, that's probably a good solution
> for you.
> 
> > > Another interesting point that I've seen in this discussion is looking for
> > > attempted commands like "wiz" and "debug"... chances are, if someone is
> > > attempting these commands, they have either lived in a cave for the past
> > > decade or have no idea what they are doing... what version of sendmail
> > > actually contained the "wizard" backdoor?  I know that it was fixed on most
> > > systems as early as 1988, when the infamous worm used it as a method of
> > > security breach... but anyway, I digress... later.
> 
> Actually, it's much more likely that if those commands are used,
> someone is running some sort of automated security scanner on your site.
> It's a good way to catch the unskilled tool-using attackers.
> 
> Such an attack occurred at our site a few months ago.
> ---
> Mike Kienenberger    Arctic Region Supercomputing Center
> Systems Analyst      (907) 474-6842
> mkienenb@arsc.edu    http://www.arsc.edu
> 
> "Yes, in 6.3 we finally gave in to the security demands of some of our
> customers. It is a major pain in the neck" --Martin Knoblauch of Silicon
> Graphics GmbH referring to the change requiring that xhost access be
> explicitly enabled.

-- 
Type Bits/KeyID    Date       User ID
pub  1024/4F4BA47D 1996/11/25 <w.wessels@cc.ruu.nl>

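As an added example (not code from the thread or from either poster), here is a small Python check that does what Mike describes: scan mail-server logs for "wiz"/"debug" attempts and group them by source, so that one host trying several of these commands in a row stands out as an automated scanner rather than a stray typo. The log lines and their format are a constructed approximation of sendmail's syslog notice for these commands, not quoted from any real log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of sendmail's syslog notice for a
# rejected WIZ/DEBUG command (format approximated for this example).
SAMPLE_LOG = """\
Dec 18 09:01:02 mailhost sendmail[1041]: JAA01041: "wiz" command from scanner.example.net (192.0.2.10)
Dec 18 09:01:02 mailhost sendmail[1041]: JAA01041: "debug" command from scanner.example.net (192.0.2.10)
Dec 18 09:03:15 mailhost sendmail[1055]: JAA01055: from=<alice@example.org>, size=1203, class=0
Dec 18 09:05:40 mailhost sendmail[1070]: JAA01070: "wiz" command from other.example.com (198.51.100.7)
"""

# SMTP commands no legitimate client sends; any attempt is a sign of probing.
PROBE_COMMANDS = ("wiz", "debug")

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: '
    r'"(?P<cmd>\w+)" command from (?P<host>\S+) \((?P<ip>[\d.]+)\)$'
)


def find_probe_commands(log_text, probes=PROBE_COMMANDS):
    """Return {ip: {"host": name, "commands": [...]}} for every source that
    issued one of the probe-only commands. Lines that do not match the
    notice format (normal delivery records etc.) are ignored."""
    hits = defaultdict(lambda: {"host": None, "commands": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd").lower() not in probes:
            continue
        entry = hits[m.group("ip")]
        entry["host"] = m.group("host")
        entry["commands"].append(m.group("cmd").lower())
    return dict(hits)


def likely_scanners(hits, min_distinct=2):
    """Sources that tried several distinct probe commands look like an
    automated tool walking a checklist rather than a one-off attempt."""
    return sorted(ip for ip, e in hits.items()
                  if len(set(e["commands"])) >= min_distinct)


if __name__ == "__main__":
    found = find_probe_commands(SAMPLE_LOG)
    for ip, e in found.items():
        print(f"{ip} ({e['host']}): {', '.join(e['commands'])}")
    print("likely scanners:", likely_scanners(found))
```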

