On Tue, 03 Feb 2004 03:50:06 +0100, Alvin Oga <[EMAIL PROTECTED]> wrote:

> hi ya johannes
>
> On Mon, 2 Feb 2004, Johannes Graumann wrote:
>
>> > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
>> At this point I believe to be able to attribute this to portsentry
>> running - '/etc/init.d/portsentry stop' makes it go away,
>> '/etc/init.d/portsentry start' makes it reappear and I can create the
>> message on a pristine system by installing portsentry (running in the
>> default configuration).
>
> odd that portsentry does that... oh well ...
>

portsentry opens and attaches to ports; it's "famous" for setting off
false alarms for security tests. IMHO, it's a poor tool for use in
securing a system, but it's probably better than nothing. Although you'd
be far better off with snort.

>> > 'tiger' also reports - while performing signature check of system
>> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
>> > and /usr/bin/inetd do not match. This can not be confirmed by aide
>> > (cd-burned database, unsafe binary) or debsums (unsafe binary).
>> Javier stated as well:
>> > Do _not_ rely on that if you are _not_ using a stable system.... (and
>> > really, even then, unless you've regenerated the database yourself).
>> This is a testing/unstable system.
>
> that doesn't explain why the semi-important binaries are not as
> you expected ... you still need to confirm the size/md5 of the binaries
> against a clean system and/or patched updated/upgraded box
>
>> If you don't buy this: please let me know and why. Since we are talking
>> 20+ systems being dependent on one of the machines in question, I'm
>> considering myself biased due to installation anxiety.
>
> maybe it's time to spend an extra $300 for a 2nd backup machine and
> keep it offline or more protected behind another secure firewall
> - and also time to put all your binaries compressed onto cdrom
> so that you can trivially compare binaries in a few seconds
> and know if it's been hacked or not
>
> - you'd also need to know which binaries changed on which date
> from which package :-)

Aide does a nice job of this, if you maintain a copy of the aide.db
offsite, and check that too.

On my machines, I do a series of tests nightly: aide, chkrootkit and
tiger tests, verify the local aide.db md5sum matches the remote backup,
and run the logs. I am setting up snort, mostly for the purposes of
practice. These are web/mail servers, so I have a limited number of
ports I have to have open; everything else is firewalled off.
-- 
Jim Richardson http://www.eskimo.com/~warlock
It is dark. Your .sig has been eaten by a grue.
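Two checks that follow from the discussion above (whether chkrootkit's bindshell finding is fully accounted for by the ports portsentry binds, and whether the local aide.db still matches the checksum recorded from the offsite copy), written here as an added example; this is not code from any poster in the thread. It assumes the portsentry port list is taken from the TCP_PORTS setting in portsentry.conf and that the offsite reference is a one-line `md5sum` output file; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread.
#
# explain_bindshell_ports: take chkrootkit's "INFECTED [PORTS: ...]" line and
# the TCP ports portsentry is configured to bind (TCP_PORTS in portsentry.conf,
# passed here as a space-separated string). Report which flagged ports
# portsentry accounts for; return 0 only if every flagged port is explained.
explain_bindshell_ports() {
    finding="$1"        # e.g. "Checking 'bindshell'... INFECTED [PORTS: 1524 31337]"
    psentry_ports="$2"  # e.g. "1524 31337"
    flagged=$(printf '%s\n' "$finding" | sed -n 's/.*\[PORTS: *\([0-9 ]*\)\].*/\1/p')
    unexplained=""
    for p in $flagged; do
        case " $psentry_ports " in
            *" $p "*) echo "port $p: bound by portsentry (expected)" ;;
            *) echo "port $p: NOT explained by portsentry, investigate"
               unexplained="$unexplained $p" ;;
        esac
    done
    [ -z "$unexplained" ]
}

# verify_aide_db: compare the md5sum of the local aide database with the
# checksum recorded from the offsite copy. A mismatch means the local
# database cannot be trusted as a baseline (it may have been regenerated).
verify_aide_db() {
    db="$1"; reference="$2"     # reference: "<md5>  <path>" captured offsite
    actual=$(md5sum "$db" | cut -d' ' -f1)
    expected=$(cut -d' ' -f1 "$reference")
    if [ "$actual" = "$expected" ]; then
        echo "aide.db matches offsite checksum"
        return 0
    fi
    echo "aide.db checksum MISMATCH: local=$actual offsite=$expected" >&2
    return 1
}

# Constructed demonstration using the port numbers from the thread; a port
# outside portsentry's list is added to show an unexplained finding.
explain_bindshell_ports \
    "Checking 'bindshell'... INFECTED [PORTS: 1524 31337 6667]" "1524 31337" \
    || echo "bindshell finding not fully explained by portsentry"
```

Run the aide.db check from cron after the nightly aide run, with the reference file fetched fresh from the offsite copy rather than cached locally.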