Re: Phishing Attempt
- From: goarilla <"kevin DOT paulus AT skynet DOT be">
- Date: Thu, 04 Oct 2007 17:09:21 +0200
On 4 Oct, 00:11, goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
Moe Trin wrote:
<snip>
On Tue, 02 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47024555$0$15142$afc38...@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:
Mark wrote:
The account home directory contained a simple shell script of just over
a dozen lines. I can't see what it's doing there.
Little question: are you implying chkrootkit and rkhunter are well ...
and totally unnecessary as security tools?
I'm curious, that's all.
Useful tools but not in the same class for compromise recovery as a
host based IDS.
I would recommend taking an image of the system and sending it to
a computer security group like the FBI or something (I don't know where
Well he's posting in Australia which might be considered to be a bit
of a clue.
...and I suspect you've never raised such an incident with a law
enforcement agency. Certainly the FBI won't touch it unless you can
prove a certain level of damages (50K USD IIRC) and at least part of
the attack was carried out on US soil.
Well ... here in Belgium
there is no limit set on damages in case of an attack.
The hacker doesn't seem to be very skilled, but do some more exploring
before concluding this.
No - unless this really represents a significant loss, and in the
absence of a host based IDS, the quickest route back to a normal
service is to scrap it and start from a fresh install, carefully
auditing any config/executable restored from backup.
In fact this should be the first thing you should do since then you
could determine if
setting up this system as a honeypot has any merit. If there is evidence
of tampering with system tools
Just because they haven't covered their trails here doesn't mean
they've not done a better job elsewhere.