Re: Intrusion Detection ... After the Fact

On Mon, Dec 25, 2000 at 12:36:26AM -0700, Chris Cameron wrote:
> So due to a lapse in judgement, I think someone used the chpass exploit on
> my box.


> Would a recompiled who, and w along with a packet sniffer on another box
> be enough to tell whether I had been rooted?

Not IMHO.  I would _at least_ put a known-good "ps" on there and look
for odd processes... maybe do the same with fstat as well.  And, scan
the box with nmap.

> I'd usually recommend to other people in my situation to re-install.. But
> doing that cause of over-paranoia would be a shame.

You will have to use your own judgment on this, taking into account how
many private data are on the machine as well as the importance of that
box's security; I would definitely do the re-install though... I think
once it's done you will feel a lot better.  :P
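
The known-good "ps" check suggested in the reply above, as an added example that is not part of the original message: it compares a capture from a trusted ps binary against a capture from the installed one and reports processes that only the trusted binary shows. The capture format (`ps -axo pid,user,command`), the function names, the file names and all sample process data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Cross-view check: report processes that a known-good ps shows but the
# ps installed on the suspect box does not. Each input file is a capture of
# `ps -axo pid,user,command` (header line first). Sample data is constructed.

# hidden_procs TRUSTED_CAPTURE INSTALLED_CAPTURE
hidden_procs() {
    awk '
        FNR == 1 { next }                          # skip the ps header
        FILENAME == ARGV[1] { seen[$1] = 1; next } # PIDs the installed ps admits to
        # Trusted capture: ignore the ps processes themselves, which are
        # short-lived and legitimately differ between the two runs.
        !($1 in seen) && $3 != "ps" && $3 !~ /\/ps$/ { print }
    ' "$2" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed capture from the ps already installed on the box
    cat > "$dir/installed.txt" <<'EOF'
  PID USER     COMMAND
    1 root     /sbin/init --
  212 root     syslogd -s
  301 root     /usr/sbin/sshd
  902 alice    -tcsh (tcsh)
  950 alice    ps -axo pid,user,command
EOF
    # Constructed capture from a known-good ps run from read-only media
    cat > "$dir/trusted.txt" <<'EOF'
  PID USER     COMMAND
    1 root     /sbin/init --
  212 root     syslogd -s
  301 root     /usr/sbin/sshd
  902 alice    -tcsh (tcsh)
 4117 root     ./svc -q
  951 alice    /mnt/cdrom/ps -axo pid,user,command
EOF
    hidden_procs "$dir/trusted.txt" "$dir/installed.txt"
    rm -rf "$dir"
}

demo
```

An empty result does not clear the box: a known-good binary still asks the possibly modified kernel for the process list.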