On Saturday 27 July 2002 14:18, David Guntner Wrote Thusly:
> civileme grabbed a keyboard and wrote:
> > David Guntner wrote:
> > >Checking 'sniffer'... Checking 'wted'... 2 deletions found between
> > > {time} and {time}
> > >
> > >Question:  Based on this, is my system likely to have been compromised
> > > or not?  For that matter, what's wted?
> >
> > wted  --  wtmp editor
> >
> >
> > http://www.cleo-and-nacho.com/cnd/text/hackkit.txt
> >
> > Reading the whole doc will be educational.  The grammar isn't perfect
> > but the message is unusually clear.
>
> I'm reading it now, and I am not heartened by what I see....
>
> Is there anything that could cause the checker to trip on that?  I.E., is
> there something else which could result in it thinking that something was
> removed from wtmp?
>
> I'm pretty careful in my password choices and am on the mandrake-security
> announce list so that I know when a fix has been released (and I put it in
> right away), so I'm really curious as to how someone could have gotten in,
> installed that program, run it to cover up whatever else it was they did,
> and then remove it.
>
> And, I'm *not* enjoying the prospect of having to wipe and reinstall my
> system.... :-/
>
> Any other thoughts on the subject?  Or is it just time to "push the button,
> Max?"  (Probably no one will get the joke, but I'm sure you understand the
> meaning... :)
>
>                         --Dave

   Up Max, UUUUUUpppppp Max!
        - Professor Fate, The Great Race

   But seriously, do you have tripwire running on a fixed medium (e.g. the
Tripwire database on a CD-ROM)? Do you have tripwire running at all?

   Are other, "softer" systems (e.g. Windows running LookOut) connected
to the suspect box with trusted access (this might be a way for someone
to get in)?

   Basically, the correct paranoid response is if you are not sure, wipe it.
While this level of paranoia is not for everybody, it works for me.

   Good luck with this.

HTH,
        DGO

-- 

"Entropy Requires No Maintenance"
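Added example, not part of this thread: a small defender-side check for the kind of wtmp anomaly chkrootkit's 'wted' test reports. It assumes the Linux glibc 384-byte 'struct utmp' layout and the heuristic that a record older than its predecessor marks a gap (an assumption about the check, not a statement from the page); the sample wtmp bytes are constructed inline.

```python
import struct
from datetime import datetime, timezone

# Linux glibc 'struct utmp': 384 bytes, 32-bit tv_sec (assumed layout).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record (only used to construct the sample below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(ts), 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Yield (type, pid, line, user, host, tv_sec) for every whole record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield (f[0], f[1], f[2].rstrip(b"\0").decode(), f[4].rstrip(b"\0").decode(),
               f[5].rstrip(b"\0").decode(), f[9])

def find_time_gaps(records):
    """Return [(prev_ts, cur_ts)] for each record timestamped before the one preceding it.
    wtmp is append-only, so a backwards step means records were removed or the clock moved."""
    gaps, prev = [], None
    for rec in records:
        ts = rec[5]
        if prev is not None and ts < prev:
            gaps.append((prev, ts))
        prev = ts
    return gaps

def demo():
    """Constructed wtmp: a login/logout pair, then a logout record that is older than
    the login before it (the signature left by editing records out, or by a clock step)."""
    t0 = 1027800000  # constructed base time, late July 2002
    raw = b"".join([
        pack_record(USER_PROCESS, 1001, "tty1", "dave", "", t0),
        pack_record(DEAD_PROCESS, 1001, "tty1", "", "", t0 + 3600),
        pack_record(USER_PROCESS, 1002, "pts/0", "dave", "10.0.0.5", t0 + 7200),
        pack_record(DEAD_PROCESS, 1002, "pts/0", "", "", t0 + 5000),  # out of order
        pack_record(USER_PROCESS, 1003, "tty1", "dave", "", t0 + 9000),
    ])
    return find_time_gaps(parse_wtmp(raw))

if __name__ == "__main__":
    for prev, cur in demo():
        print("gap: record at", datetime.fromtimestamp(cur, timezone.utc),
              "follows", datetime.fromtimestamp(prev, timezone.utc))
```

A backwards clock step (for instance a time sync at boot) leaves the same out-of-order signature, so a hit is a reason to correlate with tripwire and the other logs, not proof of tampering on its own.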
