Re: Got Cracked?

2001-02-26 Thread Matthew J. Brodeur
On Mon, 26 Feb 2001, Karl J. Runge wrote: > I've always just done this on my firewall and roaming laptops myself > with filtering rules on the internet-side interface. (i.e. by writing a > shell script that repeatedly calls ipfwadm or ipchains to setup the > rules) >>snip<< > I believe I have hea

Re: Got Cracked?

2001-02-26 Thread Karl J. Runge
Hi Ken, On Mon, 26 Feb 2001, Rodent of Unusual Size <[EMAIL PROTECTED]> wrote: > "Karl J. Runge" wrote: > > > > BUT, you also gotta block and/or shutdown RPC services. E.g. > > rpc.nfsd, rpc.statd, rpc.mountd. We usually think of these > > as UDP services, but there are often TCP counterparts.

Re: Got Cracked?

2001-02-26 Thread Benjamin Scott
On Mon, 26 Feb 2001, Rodent of Unusual Size wrote: >> BUT, you also gotta block and/or shutdown RPC services. > > Any how-to pointers available? Do you want to protect or simply shut down RPC services? (The former is significantly more complex.) Are you using a separate firewall, with no se

Re: Got Cracked?

2001-02-26 Thread Rodent of Unusual Size
"Karl J. Runge" wrote: > > BUT, you also gotta block and/or shutdown RPC services. E.g. > rpc.nfsd, rpc.statd, rpc.mountd. We usually think of these > as UDP services, but there are often TCP counterparts. > Regardless, they are not protected by /etc/hosts.deny !!! > Run rpcinfo -p to see the lis
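The point made in Karl's advice above (and in Matthew's note about scripting ipchains rules on the Internet-side interface) is that RPC services like rpc.statd and rpc.mountd bind to ports the portmapper hands out, listen on TCP as well as UDP, and are not covered by /etc/hosts.deny, so the only way to know what to block is to read `rpcinfo -p`. The script below is an added example, not code from any of the list posts: it parses `rpcinfo -p` text, collects the unique protocol/port pairs, and emits one firewall rule per pair for the external interface. The rpcinfo listing is a constructed sample embedded in the script, the interface name eth0 is an assumption, and the rules use iptables syntax rather than the ipchains of the original thread.

```shell
#!/bin/sh
# Added example: turn `rpcinfo -p` output into per-port firewall rules for the
# Internet-side interface. The listing below is a constructed sample standing
# in for a live `rpcinfo -p`; the interface name (eth0) is an assumption.

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
    100003    2   udp   2049  nfs
    100005    1   udp   1025  mountd
    100005    1   tcp   1026  mountd
    100021    1   udp   1027  nlockmgr'

# rpc_ports: read `rpcinfo -p` text on stdin and emit unique "proto port"
# pairs, one per line, sorted. The header line and anything that is not a
# tcp/udp entry with a numeric port are skipped.
rpc_ports() {
    awk 'NR > 1 && NF >= 4 && $3 ~ /^(tcp|udp)$/ && $4 ~ /^[0-9]+$/ { print $3, $4 }' \
        | sort -u
}

# rpc_rules IFACE: for every "proto port" pair on stdin, emit a DROP rule bound
# to IFACE only, so NFS clients on the inside interface keep working while the
# same ports are closed to the outside.
rpc_rules() {
    iface="$1"
    while read -r proto port; do
        printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n' \
            "$iface" "$proto" "$port"
    done
}

# count_rules: number of rules generated from the constructed sample.
count_rules() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | rpc_rules eth0 | wc -l | tr -d ' '
}

# Stand-alone run: print the rules you would load. Review them before piping
# anything to sh; on a live host replace the sample with `rpcinfo -p`.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | rpc_rules eth0
```

Because statd, mountd and nlockmgr take whatever ports are free at boot, the generated list is only valid until the next reboot; the safer version of this is a default-deny policy on the external interface that only opens the ports you mean to expose, with RPC services that are not needed shut down outright.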

Re: Got Cracked?

2001-02-11 Thread Tom Rauschenbach
On Sun, 11 Feb 2001, you wrote: > I have to say it: If that is *ALL* that you have in your logs, then you > are either really lucky, or not logging enough. I average 15-20 port > scans a day, plus various blind connection attempts, DoS attack > attempts, buffer overflow attempts, etc. I would kill

Re: Got Cracked?

2001-02-11 Thread Benjamin Scott
On Sun, 11 Feb 2001, Kenneth E. Lussier wrote: > I average 15-20 port scans a day, plus various blind connection attempts, > DoS attack attempts, buffer overflow attempts, etc. I would kill to only > have two failed connections in two days ;-) I think I see just as many misconfigurations as I d

Re: Got Cracked?

2001-02-11 Thread David L. Roberts
Actually - probably a little of both. The system has been up in Linux for a total of (maybe) 4 hours over the past week as all the children (and wife) have had projects, tax programs, etc. to play with. I probably should go back and check to see what I really am logging though. I upgraded to 6.

Re: Got Cracked?

2001-02-11 Thread Rodent of Unusual Size
$*@^#*&^(@ missing reply-to.. }-( -- #kenP-)} Ken Coar Apache Software Foundation "Apache Server for Dummies" "Apache Server Unleashed" "Kenneth E. Lussier" wro

Re: Got Cracked?

2001-02-11 Thread cdowns
Charles Farinella wrote: > On Sun, 11 Feb 2001, David L. Roberts wrote: > > > Made me look... > > > > I just noticed a little activity the past few days as well (my > > system is up in M$ most of the time as I'm about the only one who > > runs Linux here) - found these in the logs: > > I also fou

Re: Got Cracked?

2001-02-11 Thread Karl J. Runge
On Sun, 11 Feb 2001, "David L. Roberts" <[EMAIL PROTECTED]> wrote: > > Made me look... > > I just noticed a little activity the past few days as well (my > system is up in M$ most of the time as I'm about the only one who > runs Linux here) - found these in the logs: > > Feb 9 20:46:09 ria i

Re: Got Cracked?

2001-02-11 Thread Charles Farinella
On Sun, 11 Feb 2001, David L. Roberts wrote: > Made me look... > > I just noticed a little activity the past few days as well (my > system is up in M$ most of the time as I'm about the only one who > runs Linux here) - found these in the logs: I also found this (3 times actually): Feb 7 14:52:

Re: Got Cracked?

2001-02-11 Thread Kenneth E. Lussier
I have to say it: If that is *ALL* that you have in your logs, then you are either really lucky, or not logging enough. I average 15-20 port scans a day, plus various blind connection attempts, DoS attack attempts, buffer overflow attempts, etc. I would kill to only have two failed connections in

Re: Got Cracked?

2001-02-11 Thread Kenneth E. Lussier
This is the primary function of honeypots. People set up systems that are just average, ordinary systems, for the sole purpose of being compromised. They build special functionality in so that logs are kept on a different system, there are keystroke captures running, and other types of information

Re: Got Cracked?

2001-02-11 Thread David L. Roberts
"Kenneth E. Lussier" wrote: > > There are many different root kits out there, and there are a > bunch of different tools to detect them. Check out PacketStorm > (http://packetstorm.securify.com). One common thread is that > almost all root kits need to be compiled on the system that they > are in

Re: Got Cracked?

2001-02-11 Thread Kenneth E. Lussier
There are many different root kits out there, and there are a bunch of different tools to detect them. Check out PacketStorm (http://packetstorm.securify.com). One common thread is that almost all root kits need to be compiled on the system that they are installed on. Look for binaries with dates
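The check described above, looking for system binaries whose dates do not match the installation, can be done with `find -newer` against a file you know dates from the install. The script below is an added example, not from the list or from any rootkit-detection tool: it builds a small constructed tree (a stock `ls` and `ps`, a `netstat` rewritten after the break-in, and a kernel image used as the reference) and reports every file newer than the reference. The directory layout, file names and dates are all constructed for the example; on a real host you would point it at /bin, /sbin and /usr/bin with a reference file of your own choosing.

```shell
#!/bin/sh
# Added example: report binaries modified after a known-good reference file.
# Everything under the temp directory is constructed so the script runs offline.

# make_sample_tree: build a constructed tree with stock binaries dated at
# install time, one binary replaced later (the trojan), and a reference file
# dated at install time. Prints the tree's path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/bin"
    printf 'stock binary\n' > "$dir/bin/ls"
    printf 'stock binary\n' > "$dir/bin/ps"
    printf 'trojaned binary\n' > "$dir/bin/netstat"
    printf 'kernel image used as reference\n' > "$dir/vmlinuz"
    touch -t 200101150000 "$dir/bin/ls" "$dir/bin/ps" "$dir/vmlinuz"   # install day
    touch -t 200102100000 "$dir/bin/netstat"                            # after the break-in
    printf '%s' "$dir"
}

# newer_than REF DIR...: list regular files under DIR... whose modification
# time is more recent than REF, sorted. Files with the same mtime as REF are
# not reported (find -newer is strictly newer).
newer_than() {
    ref="$1"
    shift
    find "$@" -type f -newer "$ref" | sort
}

# count_newer REF DIR...: number of files newer_than would report.
count_newer() {
    newer_than "$@" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed tree.
tree=$(make_sample_tree)
echo "Files under $tree/bin newer than $tree/vmlinuz:"
newer_than "$tree/vmlinuz" "$tree/bin"
rm -rf "$tree"
```

One caveat a practitioner should keep in mind: an mtime is trivially faked with `touch -r` on the original, so a clean `-newer` listing proves little on its own. Treat a hit as a lead, and confirm with something the attacker cannot rewrite from the compromised box itself, such as package checksums verified from known-good media or a file-integrity database kept off the host.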

Re: Got Cracked?

2001-02-11 Thread Michael O'Donnell
>Well folks if you've ever wondered what might happen >if you go online before securing a new installation >check this out from my /var/logs/messages... Cool. How did you discover this slimebag? Would he have have remained undetected for longer if he'd bothered to delete those entries in /va

RE: Got Cracked?

2001-02-11 Thread Tom Rauschenbach
BTW: Before I dip this disk in Lysol, could someone tell me how to look for a root kit? If there is one here I'd like to see it. Thanks -- There's no such thing as a "pretty good" alligator wrestler. [EMAIL PROTECTED] Tom Rauschenbach

Re: Got Cracked?

2001-02-11 Thread Derek Martin
Tom, Could you please mention what distro you're running, and what version of the nfs-utils package you have installed? Thanks -- Derek Martin [EMAIL PROTECTED] ** To unsubscribe from this list, send mail to [EMAIL PROTECTED] with t

Re: Got Cracked?

2001-02-11 Thread Kenneth E. Lussier
Tom, I'm sorry to see that you got cracked, but I wanted to thank you for posting it. I think that it makes for a good study to see this sort of thing in practical terms. I'd also like to suggest that you might want to submit this to GIAC (SANS Global Incident Analysis Center http://ww

Got Cracked?

2001-02-11 Thread Tom Rauschenbach
Well folks if you've ever wondered what might happen if you go online before securing a new installation check this out from my /var/logs/messages... My comments start with /* I've wrapped the long lines from the log /* First a buffer overflow exploit. Feb 10 20:07:10 localhost rpc.st