> >I just happened to
> >do a ps axu and a bunch of odd processes showed up. I cold booted the
> >computer and then found a .bash_history in the / directory.
> But your hypothesis that this represents the extent of your intruder's actions
> is unsupported as far as you've stated. They may have done all sorts of
> things, and you've just seen a few of them. Maybe.
> >You might want to look for something like that.
> Absolutely. But you should take it with a grain of salt, and you should take
> it as a lower bound of their activities, not as a complete list.
> (And it could even be fabricated entirely.)
I also found an intruder last week in our RedHat 5.0. The traces were
in /var/log/secure and /var/log/messages, which record connections to
telnet and also other services. I also found .bash_history in /root
and also from /tmp, where the intruder had set up the home directory
for a new account 'bomb'. I think the history-logs and the other logs
shared a very common view of what really had happened. It seemed very
obvious that the guy had used a documented security hole in imapd
(www.redhat.com somewhere). And I was a little surprised that the
traces hadn't been touched. Not all intruders know they should try to
remove their traces, it seems...
I think secure-log is made by tcp_wrappers, which seems to be installed
on my RH. This is a very useful package, after you make a
'grep'-script which filters out all connections from known hosts. One
could perhaps watch the 'secure-log' automatically to give an alarm
each time a suspicious connection is made.
> As far as possible, computer security should be based on guarantees rather
> than guesswork. Deciding that an intruder did or did not do a particular
> thing or replace a particular program is rarely safe once they've obtained
> root access. The guarantee can only be based on reinstalling from scratch.
> Win95 users have to reinstall the OS every few days; we only do after a
> thorough penetration; it could be worse.
One could of course use find to look for files that have been changed
during the suspicious logins...
BTW: Is it wise to discuss the details here, I suppose many hackers
read this newsgroup as well?
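The "watch the secure-log, grep out known hosts, alarm on the rest" idea from the post above, written out as an added example; it is not code from the thread. The log lines, host names and addresses are constructed, and the allowlist is assumed to be maintained by the admin.

```python
import re

# Constructed sample of tcp_wrappers-style lines as they appear in
# /var/log/secure (host names, addresses and pids are made up).
SAMPLE_SECURE_LOG = """\
Mar  3 21:14:05 gw in.telnetd[412]: connect from ws1.example.lan
Mar  3 21:16:41 gw in.ftpd[419]: connect from ws2.example.lan
Mar  3 23:02:17 gw imapd[503]: connect from 10.9.8.7
Mar  3 23:05:30 gw in.telnetd[511]: refused connect from 10.9.8.7
Mar  4 00:12:09 gw in.telnetd[530]: connect from ws1.example.lan
"""

# Hosts expected to connect (assumed allowlist); anything else gets flagged.
KNOWN_HOSTS = {"ws1.example.lan", "ws2.example.lan"}

# tcp_wrappers logs "<daemon>[pid]: connect from <host>" or
# "<daemon>[pid]: refused connect from <host>" through syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"(?P<daemon>[\w./-]+)\[(?P<pid>\d+)\]: "
    r"(?P<refused>refused )?connect from (?P<client>\S+)$"
)


def parse_secure_line(line):
    """Return a dict for a tcp_wrappers connect line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["refused"] = bool(rec["refused"])
    rec["pid"] = int(rec["pid"])
    return rec


def suspicious_connections(log_text, known_hosts):
    """Keep only connections from hosts outside the allowlist."""
    # Note the lower-bound caveat from the thread: a root intruder can
    # edit this log, so an empty result is not proof that nothing happened.
    hits = []
    for line in log_text.splitlines():
        rec = parse_secure_line(line)
        if rec and rec["client"] not in known_hosts:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in suspicious_connections(SAMPLE_SECURE_LOG, KNOWN_HOSTS):
        state = "REFUSED" if rec["refused"] else "accepted"
        print(f"{rec['ts']} {rec['daemon']} {state} from {rec['client']}")
```

In practice the same function would be fed the live file (or a `tail -f` pipe) and the print replaced by mail or a pager alert.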