Re: Phishing Attempt
C. wrote:
On 4 Oct, 00:11, goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
Moe Trin wrote:
On Tue, 02 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47024555$0$15142$afc38...@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:
Mark wrote:
The account home directory contained a simple shell script of just over
a dozen lines; I can't see what it's doing there.
<snip>
Little question: are you implying chkrootkit and rkhunter are, well ...
snake oil and totally unnecessary as security tools?
I'm curious, that's all.


Useful tools but not in the same class for compromise recovery as a
host based IDS.

I would recommend taking an image of the system and sending it to
a computer security group like the FBI or something (I don't know where
you're from).

Well he's posting in Australia which might be considered to be a bit
of a clue.

...and I suspect you've never raised such an incident with a law
enforcement agency. Certainly the FBI won't touch it unless you can
prove a certain level of damages (50K USD IIRC) and at least part of
the attack was carried out on US soil.


Well ... here in Belgium there is no limit set on damages in case of an
attack.

The hacker doesn't seem to be very skilled, but do some more exploring
before concluding this.

No - unless this really represents a significant loss, and in the
absence of a host based IDS, the quickest route back to a normal
service is to scrap it and start from a fresh install, carefully
auditing any config/executable restored from backup.

In fact this should be the first thing you do, since then you could
determine if setting up this system as a honeypot has any merit. If there
is evidence of tampering with system tools

Just because they haven't covered their trails here doesn't mean
they've not done a better job elsewhere.

C.


true.
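One way to put "carefully auditing any config/executable restored from backup" into practice is the same idea a host-based IDS is built on: hash every file in a known-good tree, then compare the restored tree against that manifest. The script below is an added example, not code from the thread or from any tool mentioned in it; the directory names, file contents and the "tampering" it detects are all constructed for the demonstration.

```python
"""Minimal file-integrity check in the spirit of a host-based IDS.

Added example (not from the thread): build a manifest of SHA-256 digests
from a known-good tree (a fresh install, or pristine package contents),
then compare a restored-from-backup tree against it and report anything
modified, missing or unexpected before it goes back into service.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, POSIX-style path) to its digest.

    Symlinks are skipped on purpose: a link pointing at an attacker-controlled
    target should show up as 'unexpected' content, not be followed and hashed.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest; returns sorted lists of findings."""
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a clean tree and a 'restored' copy in which one
    binary was altered, one config file is gone and a stray script appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        restored = Path(tmp) / "restored"
        for base in (clean, restored):
            (base / "bin").mkdir(parents=True)
            (base / "etc").mkdir()
            (base / "bin" / "ls").write_bytes(b"\x7fELF clean ls")          # constructed
            (base / "etc" / "sshd_config").write_text("PermitRootLogin no\n")  # constructed
        manifest = build_manifest(clean)
        # Simulate what a backup taken after the compromise might carry.
        (restored / "bin" / "ls").write_bytes(b"\x7fELF altered ls")
        (restored / "etc" / "sshd_config").unlink()
        (restored / "bin" / ".x").write_text("#!/bin/sh\n# stray script\n")
        return verify_tree(restored, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest must come from a source you trust more than the backup (fresh install media, package files, or a hash database built before the incident); hashing the compromised host against itself proves nothing, which is the same reason the thread prefers a rebuild over trusting the running system.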