hi ya kath
naw... they always leave some traces of what they did
to your PC...
i think tripwire is an overkill for what you need to know
in 2 minutes... "did they replace my binaries"...
if you think someone came into your box...
i like a simple/stupid solution
tar zcvf /safe_place_off_
hi ya stig...
yes... that too...
but i think that one should do some checking/digging
BEFORE reinstalling ...
- one should know how they got in...
- one should know "why" they got in..
- one should know what time they got in...
- one should know what files they added and which were modified
- on
Thanks for this explanation. I got hit with the exact same
exploit this evening. I compared my entire /etc structure to
a known good one from almost a month ago and everything checks
out. I'm taking your advice and shutting down this service
when not using it until I can secure it
Since I haven't heard anything from the package maintainer
([EMAIL PROTECTED]) regarding this email sent to him on the 2nd, I thought
I would throw this out here. Someone please point me into the right
direction if I'm putting this out on the wrong list.
My biggest concern is item number 1 in the
Erm.. I apologize up front if while skimming this thread I missed it, but
I didn't see that he HAD tripwire before the questionable event.
Tripwire is only good if you've got it installed and secure on RO media
before you let anyone else on the box. Having just set up tripwire for
this type of thing,
You can check for modified binaries with tripwire.
If this was a decent hacker or even a script kiddie using a good tool, they
probably would have purged your logs of all evidence.
So either:
a) They are second rate
or
b) They didn't get in
- k
- Original Message -
From: "Alvin Oga" <[
Alvin Oga <[EMAIL PROTECTED]> writes:
> hi ya lukas
>
> how did you check for modified binaries ???
>
> if it's an up-to-date deb box... its a failed attempt...
> if it's a redhat box... time to go digging...
>
> you have to check the filesize of the binaries... not just the date...
> compared to o
hi ya lukas
how did you check for modified binaries ???
if it's an up-to-date deb box... its a failed attempt...
if it's a redhat box... time to go digging...
you have to check the filesize of the binaries... not just the date...
compared to one that you know is NOT compromised...
and if yo
You mean like an example rule ?
var ETH0 [your_ip]
alert tcp !192.168.254.0/24 any -> $ETH0 23 (ipopts: rr ; msg: "External request for telnet";)
like this ?
don't forget this nice option:
preprocessor portscan: your_ext_ip 10 5 /var/log/snort/portscan.log
[On 11 Jul, 2001, Luc MAIGN
Hi,
I use (or would like to ...) snort v1.7, but I don't manage to use the scripts
given on the web site. Does anyone have an example to help me understand what to do?
Best regards
Someone attempted to run the rpc.statd buffer overflow on
you, but it appears to have failed. The reason you see
"/bin/sh" in the log entry is because that's part of the
shellcode of the exploit. The exploit, when successful,
executes /bin/sh on your machine and leaves the attacker
sitting at a r
On Wed, Jul 11, 2001 at 11:42:03AM +0100, Lukas Eppler wrote:
> I have the following entries in /var/log/messages:
>
> Jul 9 01:21:03 blue -- MARK --
> Jul 9 01:21:11 blue
> Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
> ^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
I have the following entries in /var/log/messages:
Jul 9 01:21:03 blue -- MARK --
Jul 9 01:21:11 blue
Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Well, I am not a guru on this subject and did not want to put my nose into that
(well, this is my MsD project at the moment), but as far as I know
impersonation is not the only thing we try to achieve when we are using such
things. We also use one way hash functions to get a value out of our mes