On Thursday 09 January 2003 12:30 am, Tony wrote:
> Hi Lynn,
>
> When you say you, you mean the original poster...right? I was responding
> to him.

Yep. However, Sandro uses PortSentry and indicates that this is normal operation of PortSentry, so it is not a hack, but rather someone likely trying to hack a system and being blocked.

> Anyway, I think your approach would be a better one: back up the whole disk
> to a blank diskette, reboot the original disk and then you have a snapshot
> and can compare while returning to a safe condition. My first
> thought was to get back to safe ASAP and save the logs for IP addys and
> such. I like your approach better. Just as quick, and more complete.

Yep, intrusion detection normally can't be done on the compromised box since the utilities that you use to detect it are replaced with ones that won't give it away. A popular way of hiding stuff is the use of a "." directory so that it is hard to find even with a non-compromised box. A better idea is to send logs to a remote printer, but this is overkill for most people.

--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
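As an added example, not code from this thread or from the LEAF project: a POSIX sh script that does the offline comparison Tony and Lynn describe, run from a trusted host against a mounted snapshot and a known-clean copy, and then lists the "." directories Lynn mentions. The two directory trees are constructed sample data standing in for the mounted disks.

```shell
#!/bin/sh
# Added example, not code from the thread: from a trusted host, compare a
# mounted snapshot of the suspect disk against a known-clean copy, then list
# hidden "." directories in the snapshot. The directory trees are constructed.
export LC_ALL=C

# "sha256  ./relative/path" for every regular file under $1, sorted by line
# so the two manifests can be fed to comm(1).
manifest() {
    (cd "$1" && find . -type f | while IFS= read -r f; do sha256sum -- "$f"; done | sort)
}

# Files in the suspect tree whose content does not appear in the clean tree:
# replaced utilities (a trojaned ps or ls) and newly added files.
changed_files() {
    work=$(mktemp -d)
    manifest "$1" > "$work/clean"
    manifest "$2" > "$work/suspect"
    comm -13 "$work/clean" "$work/suspect" | cut -c67- | sort
    rm -rf "$work"
}

# Every "." directory below the snapshot root, a common hiding place that a
# trojaned ls on the compromised box would simply omit.
hidden_dirs() {
    (cd "$1" && find . -type d -name '.?*' | sort)
}

# Constructed sample trees standing in for the clean and suspect disks.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
CLEAN="$DEMO/clean"; SUSPECT="$DEMO/suspect"
mkdir -p "$CLEAN/bin" "$CLEAN/var/log"
printf 'genuine ls\n' > "$CLEAN/bin/ls"
printf 'genuine ps\n' > "$CLEAN/bin/ps"
printf 'boot ok\n' > "$CLEAN/var/log/messages"
cp -R "$CLEAN" "$SUSPECT"
printf 'trojaned ps\n' > "$SUSPECT/bin/ps"       # replaced utility
mkdir -p "$SUSPECT/dev/.hidden"                  # hidden dot directory
printf 'dropped tool\n' > "$SUSPECT/dev/.hidden/tool"

echo "Changed or added files:"; changed_files "$CLEAN" "$SUSPECT"
echo "Hidden directories:";     hidden_dirs "$SUSPECT"
```

Files removed from the snapshot would show up with `comm -23` on the same two manifests; the hashes must be taken from the trusted host, never from binaries on the suspect disk.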