
Re: [cobalt-users] tripwire



> Actually this is NOT true. You are supposed to define what directories
> tripwire monitors. You point it to portions of your server that contain
> binary files such as /bin /sbin/ /usr this is where a hacker is going to do
> things, not in a users web directory so the fact that those directories
> change won't affect tripwire.......<snip>

This is, actually, also not totally true. I have witnessed several recent
attacks on one of my customer's servers. The hacker did not touch any of
the server's binaries. So tripwire monitoring of the /bin and system
directories would have been worthless. The hacker used a rogue perl program
to e-mail himself the password file. Once he had the password file cracked,
he then used one of the regular hosting accounts to upload several compiled
C++ programs into the hosting account's cgi directory. These C++ programs
were used to carry out DDoS and IP Bombing attacks on other larger servers
and ISPs. No actual damage was done to the server itself; it was just used
as a launching point for attacks against other systems. The actual damage
came when the ISPs and other sites that were attacked sourced it back to
their server.

The only way that tripwire could have been completely effective (in this
case) would be for it to be monitoring all directories. However, as
previously stated, tripwire monitoring of an active hosting server would be
very tedious. Point is, no ONE tool can solve all problems. Maybe a
combo? Tripwire monitoring of /bin directories in conjunction with packet
sniffers, etc...?

Regards,

Toby Miller
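An added illustration of the gap described above (not code from this thread or from Tripwire): a minimal baseline-and-compare check scoped to a hosting account's cgi-bin directory, which flags the kind of newly uploaded executable that monitoring only /bin would miss. The directory layout, file names and file contents are constructed for the example.

```python
"""Baseline-and-compare integrity check for a hosting account's cgi-bin."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, executable?)."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            mode = path.stat().st_mode
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[str(path.relative_to(root))] = (digest, bool(mode & stat.S_IXUSR))
    return snap


def compare(baseline, current):
    """Return sorted (finding, relative path) pairs; new executables get their own tag."""
    findings = []
    for rel, (digest, exe) in current.items():
        if rel not in baseline:
            findings.append(("NEW_EXEC" if exe else "NEW", rel))
        elif baseline[rel][0] != digest:
            findings.append(("CHANGED", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("REMOVED", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: a legitimate CGI script, then a dropped compiled binary."""
    with tempfile.TemporaryDirectory() as tmp:
        cgi = Path(tmp) / "home" / "site1" / "cgi-bin"   # hypothetical account layout
        cgi.mkdir(parents=True)
        (cgi / "form.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        os.chmod(cgi / "form.cgi", 0o755)
        baseline = snapshot(cgi)          # taken when the account was set up
        # Later: an executable appears in cgi-bin that /bin monitoring never sees.
        (cgi / "a.out").write_bytes(b"\x7fELF constructed sample, not a real binary")
        os.chmod(cgi / "a.out", 0o755)
        return compare(baseline, snapshot(cgi))


if __name__ == "__main__":
    for finding, rel in demo():
        print(finding, rel)
```

Running the module prints `NEW_EXEC a.out`; in practice the baseline would be stored off-box and the comparison run from cron.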