Re: [cobalt-users] pkg.nl.cobalt - Open SSH
- Subject: Re: [cobalt-users] pkg.nl.cobalt - Open SSH
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Mon Jan 7 09:37:25 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
SM wrote:
> There isn't a point and click way to find out whether a system has been
> compromised. Keep an eye on the logs, the last logins, the processes which
> are running and the ports which are listening. The person can always alter
> the logs, modify ps to hide what he/she is doing. You can do an md5 checksum
> on the system binaries to see whether they have been tampered with.
We had a machine rooted on Saturday. While I watched in fact, but there
wasn't anything I could do about it; it happened too quickly <frown>. I
noticed it when I couldn't get POP email anymore.
EVERY command-line utility was replaced. So you couldn't see anything
wrong if you used them.
I have a copy of the rootkit, it was left on the machine for others to
download <frown>, but I don't think I'm going to give it to anyone.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
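
The checksum comparison SM suggests above, as an added example that is not part of the original messages: it checks a directory of binaries against a baseline in md5sum format and reports replaced, missing and unexpected files. It assumes the baseline was recorded before any compromise and kept off the machine, and that the script runs from trusted media, since Jeff's account has every on-box utility replaced; the function names and the scratch directory standing in for /bin are made up for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum-style lines: '<hex digest>  <relative path>'."""
    baseline = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, path = line.split(None, 1)
            baseline[path.lstrip("*").strip()] = digest.lower()
    return baseline

def audit(root, baseline):
    """Compare files under root with the baseline; return findings by kind."""
    root = Path(root)
    found = {"modified": [], "missing": [], "unexpected": []}
    for rel, want in sorted(baseline.items()):
        if not (root / rel).is_file():
            found["missing"].append(rel)
        elif file_digest(root / rel, ALGO_BY_HEXLEN[len(want)]) != want:
            found["modified"].append(rel)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    found["unexpected"] = sorted(on_disk - set(baseline))
    return found

def demo():
    """Constructed sample: a scratch directory altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp)  # stands in for /bin
        manifest = ""
        for name in ("ps", "ls", "netstat"):
            (bindir / name).write_bytes(b"original " + name.encode())
            manifest += f"{file_digest(bindir / name, 'md5')}  {name}\n"
        (bindir / "ps").write_bytes(b"replaced ps")      # swapped binary
        (bindir / "netstat").unlink()                    # removed binary
        (bindir / "extra").write_bytes(b"dropped file")  # file not in the baseline
        return audit(bindir, parse_manifest(manifest))

if __name__ == "__main__":
    print(demo())
```

A 64-character digest in the manifest selects SHA-256 automatically, so the same check works with a sha256sum baseline.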