Re: possible compromise or just misreading logs

From: Lewis Watson (lists_at_visionsix.com)
Date: 12/07/03

    To: "Craig Riter" <criter@riter.com>, <freebsd-security@freebsd.org>
    Date: Sun, 7 Dec 2003 11:25:38 -0600
    
    

    > So, my question is did I have a break-in? This machine is accessible only
    > as a web server through NAT and ipfw (if I configed my ipfw correctly). I
    > had just installed the Apache 1.3.29.
    >
    > Second, what are people using for intrusion detection? This is something I
    > have thought about but never really thought I needed until now.

    Hi Craig,
    Are you sure that you did not install any of the ports around this time?
    Usually you would see this type of activity when a program is installed. You
    should probably do a ps aux and sockstat -4 to see what is running and
    open.

    There are two programs that I am familiar with to monitor changes:
    chkrootkit and tripwire. Chkrootkit is trivial to install but tripwire is
    a much more complete package.

    I am sure there are others here that can provide much more insight into
    this.
    Thanks.
    Lewis

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
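Lewis's two suggestions, a look at what is running and listening and a tripwire-style change monitor, as an added example that is not part of this thread or of tripwire, chkrootkit or FreeBSD: a baseline of file hashes, modes and owners is recorded and later compared, and two `sockstat -4 -l` listings are diffed for new listeners. The sockstat text is constructed sample output and its column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) is an assumption.

```python
# Tripwire-style file baseline and a `sockstat -4 -l` listener diff.
# Added example for this thread, not code from tripwire, chkrootkit or FreeBSD.
import hashlib, os, stat, tempfile

def baseline(root):
    """Record sha256, permission bits, owner and size of every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):  # symlinks, sockets and devices are skipped
                with open(p, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                snap[os.path.relpath(p, root)] = {"sha256": digest, "size": st.st_size,
                                                  "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return snap

def compare(old, new):
    """Paths that appeared, vanished, or differ in hash, size, mode or owner."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def listeners(sockstat_text):
    """Parse `sockstat -4 -l` output into (user, command, proto, local address) tuples."""
    rows = (line.split() for line in sockstat_text.splitlines()[1:])  # skip column header
    return {(r[0], r[1], r[4], r[5]) for r in rows if len(r) >= 6}

# Constructed sample output, not a capture from the poster's machine.
BASELINE_SOCKSTAT = """USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      512   16 tcp4   *:80                  *:*
root     sshd       420   4  tcp4   *:22                  *:*
"""
CURRENT_SOCKSTAT = BASELINE_SOCKSTAT + "nobody   unknown    9001  3  tcp4   *:8787                *:*\n"

def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Baseline a scratch tree, replace one file and add another, then diff both views."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "ls", b"original ls")
        write(root, "ps", b"original ps")
        before = baseline(root)
        write(root, "ps", b"replaced ps")        # an existing binary changes
        write(root, ".hidden", b"new file")      # a file appears
        files = compare(before, baseline(root))
    return files, sorted(listeners(CURRENT_SOCKSTAT) - listeners(BASELINE_SOCKSTAT))
```

In practice the baseline is stored off the host (or on read-only media) so that whoever replaces a binary cannot also rewrite the record of it.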

