Re: Intrusion Detection ... After the Fact
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Intrusion Detection ... After the Fact
- From: Jim Breton <jamesb-openbsd_(_at_)_alongtheway_(_dot_)_com>
- Date: Mon, 25 Dec 2000 14:39:57 +0000
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Mon, Dec 25, 2000 at 12:36:26AM -0700, Chris Cameron wrote:
> So due to a lapse in judgement, I think someone used the chpass exploit on
> my box.
> Would a recompiled who, and w along with a packet sniffer on another box
> be enough to tell whether I had been rooted?
Not IMHO. I would _at least_ put a known-good "ps" on there and look
for odd processes... maybe do the same with fstat as well. And, scan
the box with nmap.
> I'd usually recommend to other people in my situation to re-install.. But
> doing that cause of over-paranoia would be a shame.
You will have to use your own judgment on this, taking into account how
many private data are on the machine as well as the importance of that
box's security; I would definitely do the re-install though... I think
once it's done you will feel a lot better. :P
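
An added example, not part of the original message: one way to cross-check the suspect host against the outside nmap scan suggested above, by listing ports the scan sees open that the host's own listing omits. It assumes the listener list comes from `netstat -an` (a tool not named in the thread) run from a known-good binary, and that the scan was saved with `nmap -oG`; the function names, file names, addresses and sample captures are all constructed.

```shell
#!/bin/sh
# Added example: ports an outside nmap scan sees open that the host's own
# netstat listing omits. All sample data below is constructed.

# TCP ports the host reports as listening (BSD netstat: field 4 is addr.port).
local_listen_tcp() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, "[.]"); print a[n] }' "$1" |
    sort -nu
}

# Open TCP ports from nmap grepable output; entries look like 22/open/tcp//ssh///
nmap_open_tcp() {
  awk '/Ports: / {
         sub(/^.*Ports: /, ""); sub(/\t.*$/, "")   # keep only the port list
         n = split($0, e, ", ")
         for (i = 1; i <= n; i++) {
           split(e[i], f, "/")
           if (f[2] == "open" && f[3] == "tcp") print f[1]
         }
       }' "$1" | sort -nu
}

# $1 = netstat capture from the host, $2 = nmap -oG capture from another box.
unreported_ports() {
  known=$(local_listen_tcp "$1" | tr '\n' ' ')
  nmap_open_tcp "$2" | awk -v known="$known" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) seen[k[i]] }
    !($1 in seen)'
}

write_samples() {   # constructed captures, written into directory $1
  cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.22          198.51.100.7.40112     ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
EOF
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 2222/open/tcp/////, 113/closed/tcp//auth///\tIgnored State: filtered (996)\n' > "$1/scan.gnmap"
}

d=$(mktemp -d)
write_samples "$d"
echo "Open from outside, absent from the host's own listing:"
unreported_ports "$d/netstat.txt" "$d/scan.gnmap"
rm -rf "$d"
```

An empty result only means the two views agree on listeners reachable from where the scan was run; it does not clear the machine.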