[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Intrusion Detection ... After the Fact

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: Intrusion Detection ... After the Fact
From: Jim Breton <jamesb-openbsd_(_at_)_alongtheway_(_dot_)_com>
Date: Mon, 25 Dec 2000 14:39:57 +0000
Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org

On Mon, Dec 25, 2000 at 12:36:26AM -0700, Chris Cameron wrote:
> So due to a lapse in judgement, I think someone used the chpass exploit on
> my box.

:(

> Would a recompiled who, and w along with a packet sniffer on another box
> be enough to tell whether I had been rooted?

Not IMHO.  I would _at least_ put a known-good "ps" on there and look
for odd processes... maybe do the same with fstat as well.  And, scan
the box with nmap.

> I'd usually recomend to other people in my situation to re-install.. But
> doing that cause of over-paranoia would be a shame.

You will have to use your own judgment on this, taking into account how
many private data are on the machine as well as the importance of that
box's security; I would definitely do the re-install though... I think
once it's done you will feel a lot better.  :P

References:
- Intrusion Detection ... After the Fact
  - From: Chris Cameron

Prev by Date: Intrusion Detection ... After the Fact
Next by Date: 2.8 boot floppy hangs at ne3
Previous by thread: Intrusion Detection ... After the Fact
Next by thread: Re: Intrusion Detection ... After the Fact
Index(es):
- Date
- Thread

Visit your host, monkey.org