Re: Phishing Attempt



On 4 Oct, 00:11, goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
Moe Trin wrote:
On Tue, 02 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47024555$0$15142$afc38...@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:

Mark wrote:

The account home directory contained a simple shell script of just over
a dozen lines. I can't see what it's doing there.
<snip>

Little question: are you implying chkrootkit and rkhunter are, well ...
snake oil and totally unnecessary as security tools?
I'm curious, that's all.


Useful tools but not in the same class for compromise recovery as a
host based IDS.


I would recommend taking an image of the system and sending it to
a computer security group like the FBI or something (I don't know where
you're from).

Well he's posting in Australia which might be considered to be a bit
of a clue.

....and I suspect you've never raised such an incident with a law
enforcement agency. Certainly the FBI won't touch it unless you can
prove a certain level of damages (50K USD IIRC) and at least part of
the attack was carried out on US soil.

The hacker doesn't seem to be very skilled, but do some more exploring
before concluding this.

No - unless this really represents a significant loss, and in the
absence of a host based IDS, the quickest route back to a normal
service is to scrap it and start from a fresh install, carefully
auditing any config/executable restored from backup.


In fact, this should be the first thing you do, since then you could
determine if setting up this system as a honeypot has any merit. If
there is evidence of tampering with system tools

Just because they haven't covered their trails here doesn't mean
they've not done a better job elsewhere.

C.
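
The distinction C. draws above (rootkit scanners versus a host-based IDS for
compromise recovery, and auditing anything restored from backup) comes down to
having a known-good baseline to compare against. The following is an added
example, not code from this thread or from chkrootkit/rkhunter: a minimal
file-integrity baseline of the kind a HIDS keeps (content hash plus mode,
owner and size), taken on a clean install and later diffed against the live
tree. The directory layout and the "tampering" it detects are constructed
inline for the demonstration.

```python
"""Minimal host-based file-integrity baseline (added example, not from the thread)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Capture content hash and the metadata an intruder typically alters.

    Symlinks are recorded by target rather than followed, so a redirected
    binary shows up as a change instead of hiding behind its target's hash.
    """
    st = path.lstat()
    rec = {
        "mode": stat.S_IMODE(st.st_mode),  # catches an added setuid bit
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root: Path) -> dict:
    """Record every non-directory entry under root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_dir() and not p.is_symlink():
            continue
        baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Diff a stored baseline against the current tree."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed fixture: a tiny 'system' tree, baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b'#!/bin/sh\nexec /usr/bin/ls "$@"\n')
        ls.chmod(0o755)
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")

        # Baseline taken on the clean install. A real deployment would keep
        # this copy off-host (read-only media or a remote store), since a
        # baseline the intruder can edit proves nothing.
        saved = json.loads(json.dumps(build_baseline(root)))

        # Simulated tampering: trojaned binary with setuid added, an extra
        # uid-0 account, and a dropped script in the tree.
        ls.write_bytes(b'#!/bin/sh\n# trojaned: extra payload here\nexec /usr/bin/ls "$@"\n')
        ls.chmod(0o4755)
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "x.sh").write_text("echo hi\n")

        return compare(saved, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the example is the workflow rather than the hashing: the
baseline only has value if it predates the compromise and lives somewhere
the intruder could not reach, which is exactly what a box without a HIDS
lacks when you come to audit files restored from backup. A signature-based
scanner can only flag what it already knows about.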
