Re: Visited by a cracker

From: Arthur Chan (axc_at_andrew.cmu.edu)
Date: 07/13/04

    Date: Tue, 13 Jul 2004 11:20:59 -0400 (EDT)
    To: Alan Hicks <alan@lizella.net>
    
    

    Is it at all possible that the cracker tampered with his .bash_history and
    left it there to fool you?

    .arthur

    On Sun, 11 Jul 2004, Alan Hicks wrote:

    > My first suggestion would be to ask the good people in
    > alt.os.linux.slackware for a bit of advice. Specifically I posted this
    > recent addendum to the FAQ there:
    >
    > http://wombat.san-francisco.ca.us/faqomatic/cache/124.html
    >
    > On Jul 11, 2004, at 10:45 AM, Per Christian B. Viken wrote:
    > > Is there anything else I should check out? Anywhere else some nasty
    > > exploits
    > > or trojans might be hiding? And should I try to find this guy? Or is it
    > > probably hopeless?
    >
    > As mentioned in that article crackers often like to hide binaries in
    > strange places so searching /dev /tmp /var/tmp /usr/src/linux et cetera
    > isn't just paranoid, it could be a good idea. However in this case I
    > don't think you've got that much to worry about. The cracker obviously
    > wasn't smart enough to remove his own .bash_history, and probably
    > didn't insert that kmod either (I still wouldn't trust modprobe,
    > insmod, or that kernel however. A little paranoia never hurt anyone).
    > Of course the only way to be 100% certain that you don't have any
    > backdoors open is to wipe the box clean and re-install.
    >
    > Finding the guy is probably hopeless given that all his IPs are in
    > other countries (I'm going by the whois info on angryadmin.net here).
    > Still, you could give it a shot, and at least alert whoever owns those
    > boxen that they have a cracker among their ranks. I'd say as a good
    > netizen you have that obligation at least.
    >
    > - --
    >
    > It is better to hear the rebuke of the wise,
    > Than for a man to hear the song of fools.
    > Ecclesiastes 7:5
    >
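
An added example, not part of either message: a sweep of the directories Alan lists, plus a state check for the history file Arthur asks about. The function names, the output labels, and the option of passing a mounted copy of the suspect disk as a root prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and output labels are
# assumptions. Hits are leads to inspect by hand, not verdicts.

# /dev should hold device nodes, symlinks and directories; a regular file
# there is unusual (some systems keep a few legitimately).
regular_in_dev() {
    find "$1" -xdev -type f 2>/dev/null | sed 's/^/REGULAR-IN-DEV /'
}

# In temp and source trees, report setuid/setgid files, other executables
# and dot-directories.
odd_in_tree() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed 's/^/SETID /'
    find "$1" -xdev -type f -perm -0100 ! -perm -4000 ! -perm -2000 2>/dev/null |
        sed 's/^/EXEC /'
    find "$1" -xdev -type d -name '.*' 2>/dev/null | sed 's/^/DOTDIR /'
}

# A history file that is present proves little, so report only its state.
history_state() {
    if [ -L "$1" ]; then echo "symlink -> $(readlink "$1")"
    elif [ ! -e "$1" ]; then echo "missing"
    elif [ ! -s "$1" ]; then echo "empty"
    else echo "present (contents unverified)"
    fi
}

# Sweep the directories named in the thread under an optional root prefix,
# e.g. a read-only mount of the suspect disk made from trusted boot media.
sweep() {
    root=${1%/}
    regular_in_dev "$root/dev"
    for d in /tmp /var/tmp /usr/src/linux; do
        odd_in_tree "$root$d"
    done
}

# Usage: sh sweep.sh /mnt/suspect   (pass / to sweep the running system)
if [ "$#" -gt 0 ]; then
    sweep "$1"
fi
```

Where possible, run it with a shell and `find` taken from trusted media, for the same reason the quoted message declines to trust modprobe, insmod, or the kernel on the affected box.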

