Grant, I figured I should add this note. I'm recommending AIDE as something if you get to the point where you feel like you've been hacked, you've done your post-mortem, and are ready to rebuild, upon your rebuild AIDE might prove to be handy in the future. It'd probably be useless on a system that has already been compromised.
Later, Shawn On 2/12/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
Grant, Maybe going forward (if you're not doing so already), one tool I've found to be useful in the past was AIDE. While it certainly won't prevent a break-in, it can certainly be useful when trying to find out what changed on your system. Later, Shawn On 2/12/07, Paul Sebastian Ziegler <[EMAIL PROTECTED]> wrote: > > Hi Grant, > > personally (but this is by far only ONE possible setup for your task) > I'd advise you to connect eth0 to wan through a box set up as a bridge > (try brctl). If that box has a good wireless card and good drivers (this > > mostly means "if that box isn't running Windows") you can also put that > wireless-card into promiscuous mode lock it to your chanel and ssid and > feed wireshark your WEP-Key or WPA-PSK for decryption. > If not, then you'll have to use a second box for the wireless sniffing. > > BTW. current rootkits won't just replace ps or some other tools. Good > rootkits do not run in userspace; they run in kernelspace. They directly > > intercept the function-calls. Just another thing to keep in mind while > trying to scan for them. > > hth > Paul > > Grant schrieb: > >> > A good rootkit will install a "ps" that won't show the 'bot > >> > processes. The one time a machine of mine got hacked, netstat > >> > still worked, but I don't know why a hacked netstat couldn't be > >> > installed as well. > >> > >> > Looking through /proc/≤pid> is probably still reliable. > >> > >> > >> Hello Grant, > >> > >> I keep an old portable around, running wireshark and a flat hub. > >> You can set your ethernet address to 0.0.0.0 and fire up wireshark. > >> > >> You can then sniff any (ethernet) segment of your network for > >> nefarious traffic or male-configured network applictions. > > > > Ok, it sounds like the key to figuring this out is watching the > > outgoing network traffic for weird stuff. eth0 is on the WAN and > > wireless ath0 is on the local subnet. How would you monitor the > > outgoing traffic considering my setup? > > > > - Grant > > │ИМ╒▀╛z╦ ·з(╒╦&j)b· bst== > > -- > gentoo-user@gentoo.org mailing list > > -- "Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall
-- "Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall
