On Sun, May 25, 2003 at 01:04:30PM -0500, Jayson Vantuyl wrote:
> We have no idea how he's getting in, but we've got his rootkit fairly
> nailed down (he uses a few slightly different ones).
If you believe he'll be back, it might be worth it to set up a honeypot and a box running tcpdump and capturing all the traffic to the honeypot. Set the honeypot up with the same services you run on your production machines, and make sure that no services at all (not even ssh) are running on the tcpdump system. At least that way, when the box gets cracked, you'll be able to see what ports the guy was talking to when he broke in. It also might be useful as evidence in case you ever decide to try and prosecute him.

I assume the cracked boxes were running woody? What are the actual services running on the various open ports? What versions of the packages? I don't know of any exploits for the version of OpenSSH included on security.debian.org for woody. It would certainly be interesting to find out that there is one in the wild!

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
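A sketch of the capture box described in the reply above, added here as an example and not part of the original mail or its author's setup: the interface name, HONEYPOT_IP and PCAP_DIR are assumed placeholders, the listener check reads an `ss -ltn`-style listing, and the port summary parses the text output of `tcpdump -n`.

```shell
#!/bin/sh
# Added example, not from the original mail: a minimal setup for the
# dedicated tcpdump box described above. Placeholders (assumptions):
#   HONEYPOT_IP  address of the honeypot whose traffic we capture
#   $1           interface on the capture box that sees that traffic
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.10}"
PCAP_DIR="${PCAP_DIR:-/var/log/honeypot}"

# The capture box must offer nothing to attack, not even ssh.
# Reads an `ss -ltn` / `netstat -ltn` style listing on stdin and
# succeeds (exit 0) only if no socket is in LISTEN state.
no_listeners() {
    awk '/LISTEN/ { n++ } END { exit (n > 0) }'
}

# Full-packet capture of everything to or from the honeypot, written
# to a pcap file so it can be kept as evidence and replayed later.
capture_cmd() {
    printf 'tcpdump -n -i %s -s 0 -w %s/honeypot.pcap host %s' \
        "$1" "$PCAP_DIR" "$HONEYPOT_IP"
}

# Summarise which honeypot ports were contacted: reads `tcpdump -n`
# text output on stdin and prints "<count> <port>" for packets sent
# to the honeypot, most-contacted port first.
ports_contacted() {
    awk -v hp="$HONEYPOT_IP" '
        $2 == "IP" && $4 == ">" {
            split($5, d, "[.]")            # destination is a.b.c.d.port:
            if ((d[1] "." d[2] "." d[3] "." d[4]) == hp) {
                sub(/:$/, "", d[5])
                seen[d[5]]++
            }
        }
        END { for (p in seen) print seen[p], p }' | sort -rn
}

# Usage: honeycap.sh <interface>   (does nothing when run without arguments)
if [ $# -gt 0 ]; then
    if ! ss -ltn 2>/dev/null | no_listeners; then
        echo "refusing to start: this box has listening services" >&2
        exit 1
    fi
    mkdir -p "$PCAP_DIR"
    exec $(capture_cmd "$1")
fi
```

After a break-in, `tcpdump -n -r /var/log/honeypot/honeypot.pcap | ./honeycap.sh`-style piping into `ports_contacted` gives the per-port count the mail talks about, while the pcap itself stays untouched as evidence.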