Re: SSH Attempts: Link to RedHat?

From: Dave Dittrich (dittrich@cac.washington.edu)
Date: 12/18/01


Date: Tue, 18 Dec 2001 14:31:17 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: jon schatz <jon@divisionbyzero.com>


> > Besides checking the standard /var/log/messages log, are there any
> > suggestions as to where I should check for possible breaches
> > in this individual's system?
>
> i'd check the integrity of the installed rpms:
>
> [jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done

I wouldn't trust the RPM database on the system to tell you the truth,
as it could be modified easily just like the original programs.
Better to check against the original CD-ROM and/or a trusted archive.
I have the basics of how to do this in:

        http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

> i'd also look for recent additions in /dev (which seems to be the
> directory of choice for rootkits):
>
> [jon@devotchka /dev]$ ls -tla|more

Being the "directory of choice" means it's best to choose another
directory, so someone suggesting "/dev is the place to look" will be
fooled. I've seen UUCP spool directories, catman directories,
termcap directories, /var/log directories... The best place to hide
something is where you don't expect someone to look for it. See
also:

        http://project.honeynet.org/challenge/results/

> ...outdated software run by an inexperienced admin. not a particularly hard
> target from a script kiddie pov. then again, maybe you'll find the
> fabled openssh2 remote exploit...

If you do, send it my way. ;)

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
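As an added illustration of the two points made in this reply (verify against a trusted reference rather than the host's own RPM database, and look for recent changes everywhere rather than only in /dev), here is a small POSIX shell script. It is not code from the thread or from the rootkits FAQ linked above; it assumes a manifest of `sha256sum` lines produced on a trusted system (or from the original media) and kept off the suspect host, and the function names `check_manifest` and `recent_files` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Integrity check against an out-of-band manifest instead of the local RPM
# database, plus a filesystem-wide sweep for recently changed files.

# check_manifest MANIFEST [ROOT]
#   MANIFEST lines look like "<sha256>  <path>", as written by `sha256sum`
#   on a trusted system (assumed format). Paths are resolved under ROOT
#   (default "/"), so a mounted image of the suspect disk can be checked
#   from a clean host. Prints MISSING/MODIFIED lines; returns 0 only if
#   every listed file is present and matches.
check_manifest() {
    manifest="$1"
    root="${2:-/}"
    status=0
    while read -r sum path; do
        [ -n "$path" ] || continue            # skip blank lines
        f="${root%/}/${path#/}"
        if [ ! -e "$f" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# recent_files [ROOT] [DAYS]
#   Regular files whose inode changed (ctime) within DAYS days, anywhere
#   under ROOT on the same filesystem. ctime is used rather than mtime
#   because mtime is trivially reset with touch(1); ctime is not.
recent_files() {
    find "${1:-/}" -xdev -type f -ctime "-${2:-7}" 2>/dev/null
}

# Typical use from a clean host with the suspect disk mounted read-only
# at /mnt/suspect (paths assumed for illustration):
#   check_manifest /media/trusted/manifest.sha256 /mnt/suspect
#   recent_files /mnt/suspect 14 | sort
```

The manifest should be generated from the original packages or a known-good install and stored somewhere the suspect host cannot write to; comparing against the package files themselves (`rpm -Vp <package>.rpm` from the CD-ROM) is the RPM-native equivalent of the same idea. The `recent_files` sweep deliberately ignores which directory is "usual" for rootkits, which is the point of the reply above.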

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com