Re: cracked? rm uses obsolete (PF_INET,SOCK_PACKET)
On Sat, 14 Jun 2003, eyem wrote:

> Hello, I think my box has been compromised.. it's my first time and it is
> a rather unpleasant experience!

Yes, it sounds as if you have been, and yes, it is not fun. I sympathize (only happened to me once, which was more than enough).

> I found some stuff in /dev, hdx1 and hdx2, is that normal?

Hard to say. Are they device files? If they aren't, investigate them to try to figure out what's going on (get them to a known good machine, run strings on them, for starters. Try to find commonalities with known rootkits. If you have the skill, disassemble them. If not, run them in a sandbox on a machine you can afford to rebuild and see what they do.).

> Anyway, I have no idea where to go from here. I don't know if it will be
> just a couple of things to fix up, or if I should toast my whole system:
> major major hassle)

Best practice is to pull the network plug and investigate how the attacker got in. Then, redeploy with that problem (and any other problem you found during forensics) fixed.

Frequently in the real world, that isn't possible. Then you have to fall back on a reinstall and restore from backups, and watch what happens from an extremely paranoid stance.

You really don't want to attempt a cleanup, because you never know if you found every potential trap, so you can never trust the machine again. Not the sort of thing you want on your network.

Good luck... The only good thing about being compromised is that it makes you more paranoid about being on the net.

-j

-- 
Jamie Lawrence [EMAIL PROTECTED]
A computer without a Microsoft operating system is like a dog without bricks tied to its head.
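A scripted version of the triage described in the reply above (check whether the /dev entries are real device nodes, pull strings from them, and confirm from syslog which programs triggered the SOCK_PACKET warning in the subject line). This is an added example, not code from the thread or from Debian. It assumes the suspect /dev tree and syslog have been copied to a known-good machine and are passed in as paths; the indicator list, the sample files and the log lines in the --demo branch are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Three triage checks for a host
# whose rm logs "uses obsolete (PF_INET,SOCK_PACKET)" and has odd files in /dev.
# Assumption: the suspect /dev tree and syslog have been copied to a known-good
# machine (or mounted read-only), so paths are passed in rather than hardcoded.

# 1. Entries in a /dev tree that are not device nodes, directories, symlinks,
#    FIFOs or sockets. A real /dev holds almost nothing else; rootkits stash
#    sniffer logs, configs and binaries there as plain files.
find_nondev_files() {
    find "$1" -xdev \
        ! -type c ! -type b ! -type d ! -type l ! -type p ! -type s \
        2>/dev/null | sort
}

# 2. Program names the kernel reported opening a raw SOCK_PACKET socket.
#    Old sniffers and DHCP clients do this legitimately; a core utility such
#    as rm doing it means the binary on disk is not the one Debian shipped.
sock_packet_users() {
    sed -n 's/.*kernel: *\([^ ]*\) uses obsolete (PF_INET,SOCK_PACKET).*/\1/p' "$1" \
        | sort -u
}

# 3. A portable stand-in for "strings | grep": split the file into printable
#    runs and keep the ones matching rootkit indicators. The indicator list is
#    a constructed starting point; legitimate binaries (ifconfig, tcpdump)
#    match some of these too, so treat hits as leads, not proof.
suspicious_strings() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -E -i 'rootkit|sniff|promisc|backdoor|ttyload|/dev/hdx|/dev/ptyp|SOCK_PACKET' \
        | sort -u
}

# Stand-alone run against a /dev tree and log constructed here for illustration.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dev/pts"
    printf 'sniffer config: log to /dev/hdx2\n' > "$tmp/dev/hdx1"
    printf '\001\002promisc\003\004' > "$tmp/dev/hdx2"
    mkfifo "$tmp/dev/initctl"
    ln -s hdx1 "$tmp/dev/link"
    cat > "$tmp/syslog" <<'EOF'
Jun 14 03:12:01 box kernel: rm uses obsolete (PF_INET,SOCK_PACKET)
Jun 14 03:12:05 box kernel: dhclient uses obsolete (PF_INET,SOCK_PACKET)
Jun 14 03:12:07 box kernel: rm uses obsolete (PF_INET,SOCK_PACKET)
Jun 14 03:13:00 box sshd[123]: Accepted password for eyem from 10.0.0.5
EOF
    echo "== non-device files under /dev"; find_nondev_files "$tmp/dev"
    echo "== programs using SOCK_PACKET"; sock_packet_users "$tmp/syslog"
    for f in $(find_nondev_files "$tmp/dev"); do
        echo "== indicators in $f"; suspicious_strings "$f"
    done
    rm -rf "$tmp"
fi
```

Run it with --demo to see the three checks on the constructed tree, or call the functions against a copied /dev and syslog. The point of the first check is that anything in /dev that is a plain file deserves a look regardless of its name; the point of the second is that the kernel message names the process, so a replaced rm shows up there before any rootkit signature does.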
Re: Setting up VPN's
On Fri, 16 May 2003, Noah Meyerhans wrote:

> I don't think it's possible to *need* opportunistic encryption. By its
> very nature it's unreliable. You have no guarantee that you've got an
> IPsec session with a given host, so you really can't rely on
> opportunistic encryption to provide you with any security.

Very true. The point of opportunistic encryption is to increase the use of IPsec net-wide. The general idea being that, if two random hosts can, they should without manual intervention. I think this is a great goal, in the general sense, much like opportunistic compression to save bandwidth, as seen in such things as mod_gzip for Apache.

-j

-- 
Jamie Lawrence [EMAIL PROTECTED]
Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life.
Re: Logging User Activity
On Wed, 2003-05-14 at 10:33, Michael Parkinson wrote:

> I cannot find any simple way of achieving this within the standard docs,
> and searching the web for "log user activity linux debian" does throw up
> some not particularly useful links, including a package for filtering my
> users' output to the FBI, not much good for the UK.

I missed the start of the thread, and apologize for not answering much. But could you point me at that package? A quick googling didn't show much obvious. I'd be extremely interested in looking at what that package is actually up to. I haven't heard much about this sort of thing going on in the open source world.

-j

-- 
Jamie Lawrence [EMAIL PROTECTED]
Politics is the entertainment branch of industry. - Frank Zappa