[3176] in bugtraq
Re: Tracking tools?
daemon@ATHENA.MIT.EDU (Gene Titus)
Thu Aug 15 15:18:37 1996
Date: Thu, 15 Aug 1996 08:06:54 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Gene Titus <gene@shalott.ots.utexas.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.BSI.3.93.960814235116.19049B-100000@gatekeeper.ddp.state.me.us>
One thing you might consider. We made a login shell called Csh (looks like
csh in /etc/passwd) that is really a C program that sends me mail and
calls the unix script command. We modified the script binaries to not
print out the "script starting" and "script ending" messages. When the
suspect account logs in with this as their shell, it writes all their
keystrokes to a file. The downside is if they do a w command, they will
see some funny stuff happening on their account.
Anyone else have any keystroke catching ideas?
Gene.
On Wed, 14 Aug 1996, David Miller wrote:
> Please forgive me if this message is a bit off subject, as it doesn't
> expose any holes....
>
> I've got a tcpdump of the network while a hacker broke into a machine. I
> created it on a FreeBSD system with tcpdump -w .... (filters omitted).
>
> I can read the file back just fine with a tcpdump -r, and dump the raw
> data with a -x, but that's less than real useful.
>
> Can anyone point out some tools I might apply to this dump file in order
> to track the session which actually hacked root? I'd most like to see
> one of the monitoring programs which can be fed from the dump file, but
> I'd be happy with something which would give me an ascii dump of the
> data portions of selected packets.
>
> Thanks in advance:)
>
> --- David Miller
>
> ----------------------------------------------------------------------------
> It's *amazing* what one can accomplish when
> one doesn't know what one can't do!
>
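The ASCII view of the session that the quoted message asks for can be pulled straight out of the tcpdump -w file. The block below is an added example and is not code from either poster: a small libpcap reader that groups TCP payload per direction and stitches it together by sequence number, handling out-of-order segments, overlapping retransmissions and a dropped segment (marked inline rather than silently skipped). It assumes a classic libpcap file (magic 0xa1b2c3d4) with Ethernet framing and unfragmented IPv4; the capture, addresses and keystrokes it parses are constructed inline purely for illustration.

```python
"""Reassemble TCP payload per direction from a classic libpcap file."""
import struct
from collections import defaultdict


def parse_pcap(data):
    """Yield raw link-layer frames from a classic libpcap (tcpdump -w) file."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng not handled)")
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:  # DLT_EN10MB: only Ethernet captures are handled here
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]  # truncated frames are yielded as captured
        off += incl


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    if frame[23] != 6:  # IP protocol field: 6 = TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]  # drop Ethernet trailer padding
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[doff:]


def reassemble(data):
    """Map (src, sport, dst, dport) -> payload bytes ordered by sequence number."""
    flows = defaultdict(dict)  # flow key -> {seq: payload}
    for frame in parse_pcap(data):
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            src, sport, dst, dport, seq, payload = parsed
            flows[(src, sport, dst, dport)][seq] = payload
    streams = {}
    for key, segs in flows.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):  # seq order, not arrival order
            payload = segs[seq]
            if expected is None:
                expected = seq
            if seq < expected:  # overlapping retransmission: skip bytes already seen
                payload, seq = payload[expected - seq:], expected
            elif seq > expected:  # segment missing from the capture: say so inline
                buf += b"[%d bytes missing]" % (seq - expected)
            buf += payload
            expected = seq + len(payload)
        streams[key] = bytes(buf)
    return streams


def printable(raw):
    """Render a stream as text, keeping tab/CR/LF and dotting out other control bytes."""
    return "".join(chr(b) if 32 <= b < 127 or b in (9, 10, 13) else "." for b in raw)


# --- constructed sample capture (not a real dump): telnet-style session ---------
def build_frame(src, sport, dst, dport, seq, payload):
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 840000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


ATTACKER, VICTIM = ("10.0.0.2", 1234), ("10.0.0.1", 23)  # assumed addresses
SAMPLE_PCAP = build_pcap([
    build_frame(*ATTACKER, *VICTIM, 1000, b"ls\r\n"),
    build_frame(*VICTIM, *ATTACKER, 5000, b"bin  etc  tmp\r\n$ "),
    build_frame(*ATTACKER, *VICTIM, 1008, b"cat /etc/passwd\r\n"),  # arrives early
    build_frame(*ATTACKER, *VICTIM, 1002, b"\r\nsu\r\n"),            # overlapping resend
    build_frame(*VICTIM, *ATTACKER, 5027, b"root::0:0:root:/:/bin/csh\r\n"),  # 10 bytes lost
])

if __name__ == "__main__":
    for key, stream in reassemble(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d" % key)
        print(printable(stream))
```

On a real capture, `reassemble(open("dump", "rb").read())` gives one entry per direction; the attacker-to-victim entry of the session that got root is the keystroke transcript, and the reverse entry is what the intruder saw. Filtering with tcpdump first (by host and port) keeps the flow table small.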