Re: info

From: W.G. Iyer (guhan777@yahoo.com)
Date: 05/04/02


Date: Fri, 3 May 2002 17:27:17 -0700 (PDT)
From: "W.G. Iyer" <guhan777@yahoo.com>
To: "Joe T." <auximini@yahoo.com>, incidents@securityfocus.com


> I would like some opinions, advice, or info on:
> - is there any way to view records? webmin has a
> 'last logon' option, but now that
> /var/log has been blown away, it's not working
> right..

The nature of the attack, i.e. the box is r00ted, indicates
that you cannot trust any of the information
you find with any certainty. With that said, you can
check your /etc/syslog.conf file to see if there are
any log files in a directory other than /var/log. You
can also check services like Apache (httpd.conf) to
see if they logged to a directory other than /var/log.

> - any other recommendations? I'm pretty proficient
> in Linux, but this is the first time
> I've run into a hacked box. From my past reading, I
> know the steps are to try and recover
> any data not malformed and reinstall. Any other
> pointers?

If your attacker was sloppy, you may find useful
information in the users' history files, .bash_history,
especially those of users with uid 0.

If the hacked machine was behind a packet filter, or
there is a sniffer on the line anywhere between the
hacked box and the net that you have access to, you
can check those logs as well.

Best of luck,
Guhan
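Added example, not from the original thread: a small POSIX sh triage helper for the checks Guhan lists (syslog.conf destinations outside /var/log, including remote @host forwarding; Apache log directives, resolving paths relative to ServerRoot; the .bash_history of every uid-0 account), meant to be run against copies of the config files pulled off the box rather than on the live system. The file names, sample contents and the loghost name are constructed for the example.

```shell
# Added triage helper, not from the original post: reads copies of
# /etc/syslog.conf, httpd.conf and /etc/passwd pulled off the compromised
# filesystem and lists log destinations outside /var/log (files and remote
# @hosts), Apache log paths outside /var/log, and each uid-0 .bash_history.
# Constructed sample files are written to a temp dir so it runs offline.
set -eu
# syslog.conf: "selector <ws> action"; '/path' or '-/path' is a file, '@host' is remote.
syslog_dests_outside_varlog() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 {
        a = $NF; sub(/^-/, "", a)
        if (a ~ /^@/) print a
        else if (a ~ /^\// && a !~ /^\/var\/log\//) print a }'
}
# Apache ErrorLog/CustomLog/TransferLog; relative paths hang off ServerRoot.
apache_logs_outside_varlog() {
    sed 's/#.*//' "$1" | awk '
        $1 == "ServerRoot" { sr = $2; gsub(/"/, "", sr) }
        $1 ~ /^(ErrorLog|CustomLog|TransferLog)$/ {
            p = $2; gsub(/"/, "", p)
            if (p ~ /^\|/) next              # piped logger, no file to collect
            if (p !~ /^\//) p = sr "/" p
            if (p !~ /^\/var\/log\//) print p }'
}
# Every uid-0 account (not only "root") and where its history file lives.
uid0_history_files() {
    awk -F: '$3 == 0 { print $1 ":" $6 "/.bash_history" }' "$1"
}
# Constructed sample input standing in for files copied off the box.
SAMPLE="$(mktemp -d)"
cat > "$SAMPLE/syslog.conf" <<'EOF'
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       -/srv/audit/auth.log
*.emerg                          *
*.*                              @loghost.example.net
EOF
cat > "$SAMPLE/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
ErrorLog /var/log/httpd/error_log
CustomLog "/srv/www/logs/access_log" combined
TransferLog logs/transfer_log
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/home/toor:/bin/bash
EOF
syslog_dests_outside_varlog "$SAMPLE/syslog.conf"
apache_logs_outside_varlog "$SAMPLE/httpd.conf"
uid0_history_files "$SAMPLE/passwd"
```

Anything it reports is a lead to collect from the image, not a trusted record: on a rooted box the attacker may have edited or removed those files too.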
