Re: info
From: W.G. Iyer (guhan777@yahoo.com)
Date: 05/04/02
- Previous message: Gregory Kane: "Unusual Message log contents"
- In reply to: Joe T.: "info"
- Next in thread: Joe T.: "Re: info"
- Next in thread: Michel Arboi: "Re: info"
- Reply: Joe T.: "Re: info"
Date: Fri, 3 May 2002 17:27:17 -0700 (PDT)
From: "W.G. Iyer" <guhan777@yahoo.com>
To: "Joe T." <auximini@yahoo.com>, incidents@securityfocus.com
> I would like some opinions, advice, or info on:
> - is there any way to view records? webmin has a
> 'last logon' option, but now that
> /var/log has been blown away, it's not working
> right..
The nature of the attack, i.e. the box is r00ted,
indicates that you cannot trust any of the information
you find with any certainty. With that said, you can
check your /etc/syslog.conf file to see if there are
any log files in a directory other than /var/log. You
can also check services like Apache (httpd.conf) to
see if they logged to a directory other than /var/log.
> - any other recommendations? I'm pretty proficient
> in linux, but this is the first time
> I've run into a hacked box. From my past reading, I
> know the steps are to try and recover
> any data not malformed and reinstall. Any other
> pointers?
If your attacker was sloppy, you may find useful
information in the users' history files, .bash_history,
especially those of users with uid 0.
If the hacked machine was behind a packet filter, or
there is a sniffer that you have access to on the line
anywhere between the hacked box and the net, you
can check those logs as well.
Best of luck,
Guhan
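A small triage script for the three checks suggested in this reply (syslog destinations outside /var/log, Apache log paths, and the history files of every uid-0 account). This is an added example, not code from the thread; it reads whatever files you hand it, and the syslog.conf, httpd.conf and passwd contents below are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example for post-compromise triage. Each function takes a file path so
# it can be pointed at copies taken from the suspect box (or a mounted image).

# Syslog actions (last field) that are absolute paths outside /var/log, or
# "@host" remote forwarders. A leading '-' (unsynced-write marker) is stripped.
offsite_log_targets() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ a = $NF; sub(/^-/, "", a); if (a ~ /^\// || a ~ /^@/) print a }' |
        grep -v '^/var/log/' | LC_ALL=C sort -u
}
# ErrorLog / CustomLog / TransferLog targets from an httpd.conf (the path is the
# first argument after the directive; surrounding quotes are stripped).
httpd_log_targets() {
    awk 'tolower($1) ~ /^(errorlog|customlog|transferlog)$/ { p = $2; gsub(/"/, "", p); print p }' "$1" |
        LC_ALL=C sort -u
}
# "user:<home>/.bash_history" for every uid-0 account, not only "root".
root_history_files() {
    awk -F: '$3 == 0 { print $1 ":" $6 "/.bash_history" }' "$1"
}
# Constructed sample inputs, written into the directory given as $1.
write_samples() {
    cat > "$1/syslog.conf" <<'EOF'
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           -/var/adm/maillog
*.emerg                          *
local7.*                         /srv/audit/boot.log
auth.*                           @loghost.example
EOF
    cat > "$1/httpd.conf" <<'EOF'
ErrorLog "/var/log/httpd/error_log"
CustomLog /data/weblogs/access_log combined
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid-0 account:/home/toor:/bin/bash
joe:x:500:500:Joe:/home/joe:/bin/bash
EOF
}
d=$(mktemp -d); write_samples "$d"
echo "== syslog destinations outside /var/log =="; offsite_log_targets "$d/syslog.conf"
echo "== httpd log files =="; httpd_log_targets "$d/httpd.conf"
echo "== history files of uid-0 accounts =="; root_history_files "$d/passwd"
rm -rf "$d"
```

Run it against the real /etc/syslog.conf, httpd.conf and /etc/passwd copied off the box; a second uid-0 entry in passwd is itself a finding worth noting.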
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com