Re: possible compromise or just misreading logs

From: Lewis Watson (lists_at_visionsix.com)
Date: 12/07/03

    To: "Craig Riter" <criter@riter.com>, <freebsd-security@freebsd.org>
    Date: Sun, 7 Dec 2003 11:25:38 -0600
    
    

    > So, my question is did I have a break-in? This machine is accessible only
    > as a web server through NAT and ipfw (if I configed my ipfw correctly). I
    > had just installed the Apache 1.3.29.
    >
    > Second, what are people using for intrusion detection? This is something I
    > have thought about but never really thought I needed until now.

    Hi Craig,
    Are you sure that you did not install any of the ports around this time?
    Usually you would see this type of activity when a program is installed. You
    should probably do a ps aux and sockstat -4 to see what is running and open.

    There are two programs that I am familiar with to monitor changes:
    chkrootkit and tripwire. Chkrootkit is trivial to install, but tripwire is
    a much more complete package.

    I am sure there are others here that can provide much more insight into this.
    Thanks.
    Lewis

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

