Re: chkroot warning
From: Gandalf Parker (gandalf_at_most.of.my.favorite.sites)
Date: 08/06/04
- Previous message: alex: "PAM + CUPS not copperating :-("
- In reply to: Tim Haynes: "Re: chkroot warning"
- Next in thread: Chris: "Re: chkroot warning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 06 Aug 2004 15:57:40 GMT
Tim Haynes <usenet-20040806@stirfried.vegetable.org.uk> wrote in
news:86r7qk1wk6.fsf@potato.vegetable.org.uk:
> Gandalf Parker <gandalf@most.of.my.favorite.sites> writes:
>
>> "Rafal 'Raf256' Maj" <spam@raf256.com> wrote in
>> news:Xns953D21D273F88raf256com@213.180.128.20:
>>
>>> Anyway, if this is _really_ an attack taking place *right now* you
>>> should perhaps turn off computer power (try not to use any HDD's to
>>> avoid file system corruption) - by plugging out the power cable.
>>
>> Yanking the network cable to take it off the net works as well and
>> avoids the file corruption problem
>
> Either way it would tell a potential cracker you're onto them, and you
> won't be able to debug anything while you're switched-off, nor will
> you see viable network traffic if you sniff the device. So all in all,
> the "yank it out the wall" approach really is a crap idea.
Agreed. Personally I love doing online forensics of a cracked box. The
dangers aren't nearly as great as the possible fun and learning. But that's
just my opinion. The standard plague response of "destroy everything and
start over" is probably the best answer for anyone who would be coming
here to ask what to do.

If you want to learn on the subject, run a honeypot. Although there has
been a huge drop in what you can get with one.

Gandalf Parker
-- A popular package might mean it's good but it doesn't mean it's secure.
In fact, quite the opposite.