Date:      Thu, 11 May 2000 14:15:33 -0700
From:      Peter Wemm <peter@netplex.com.au>
To:        Alfred Perlstein <bright@wintelcom.net>
Cc:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Paul Hart <hart@iserver.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: envy.vuurwerk.nl daily run output 
Message-ID:  <20000511211533.0C8361CD7@overcee.netplex.com.au>
In-Reply-To: Message from Alfred Perlstein <bright@wintelcom.net>  of "Thu, 11 May 2000 09:55:13 PDT." <20000511095512.D4889@fw.wintelcom.net> 

Alfred Perlstein wrote:
> * Garrett Wollman <wollman@khavrinen.lcs.mit.edu> [000511 09:46] wrote:
> > <<On Thu, 11 May 2000 10:03:38 -0600 (MDT), Paul Hart <hart@iserver.com> said:
> > 
> > > If I can root your box, what's to stop me from falsifying the
> > > reference data in /var used by /etc/security to detect system
> > > changes?
> > 
> > Stupidity and inexperience.
> 
> That and chflags. :)
> 
> > Also, not all break-ins result in root compromise.
> 
> Most I've seen lately result in pretty hysterical /root/.bash_history
> files. :)

Something along the lines of 'chflags uappnd,uunlnk .bash_history'  (or
system if it's root) can cause hours of fun and joy reading the history
after the event.  Sheer panic sets in pretty quickly, and then they start
looking to see what incriminating evidence they've left behind...

It has in the past turned out to be an invaluable source of clues and hints
as to what the state of the art is with the script kiddies.  Usually you
can tip off a few dozen other exploited sites as well.

``script kiddies'' usually leave a trail lit up with lights and it can be
quite entertaining to see what they've tried out of ignorance.  A
professional is another thing though.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
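As an added example, not part of the original thread or of anything Peter posted: a small FreeBSD /bin/sh script that does what he describes, pinning a shell history file with append-only and undeletable flags, picking the system flags (sappnd,sunlnk) for root and the user flags (uappnd,uunlnk) for everyone else, and then reading the flag column back out of `ls -lo` to confirm they stuck. It assumes FreeBSD's `chflags` and `ls -lo`; the history path, the uid and the temporary demo file are placeholders or constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): make a history file append-only and
# undeletable with chflags, then verify the flags via ls -lo.
# Assumes FreeBSD (chflags, ls -lo); paths and uids below are placeholders.

# Root's file gets the system flags, which cannot be cleared while
# kern.securelevel >= 1; other users get the user flags, which the owner
# can clear again (weaker, but still stops a careless "rm" or truncation).
flags_for_uid() {
    if [ "$1" -eq 0 ]; then
        echo "sappnd,sunlnk"
    else
        echo "uappnd,uunlnk"
    fi
}

# Return 0 if every flag in the comma-separated list $2 appears in the
# comma-separated flag string $1 as printed by ls -lo ("-" means no flags).
flags_present() {
    have=",$1,"
    for f in $(printf '%s' "$2" | tr ',' ' '); do
        case "$have" in
            *",$f,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Column 5 of "ls -lo" on FreeBSD is the flags field.
read_flags() {
    ls -lo "$1" | awk '{print $5}'
}

# Apply the flags for the given uid to the given file and confirm them.
pin_history() {
    file=$1; uid=$2
    wanted=$(flags_for_uid "$uid")
    [ -f "$file" ] || : > "$file"       # create an empty file if it is missing
    chflags "$wanted" "$file" || return 1
    flags_present "$(read_flags "$file")" "$wanted"
}

# Demonstration on a constructed temporary file, run only where chflags
# exists. Uses the user flags (uid 1001, placeholder) so it can clean up
# after itself without touching securelevel.
if command -v chflags >/dev/null 2>&1; then
    demo=$(mktemp /tmp/hist.demo.XXXXXX)
    if pin_history "$demo" 1001; then
        echo "pinned $demo with flags: $(read_flags "$demo")"
        echo "ls -l /tmp" >> "$demo" && echo "append still works (expected)"
        ( : > "$demo" ) 2>/dev/null && echo "WARNING: truncation succeeded"
        rm -f "$demo" 2>/dev/null && echo "WARNING: removal succeeded"
        # Real use: pin_history "$HOME/.bash_history" "$(id -u)"
        chflags nouappnd,nouunlnk "$demo" && rm -f "$demo"   # cleanup
    else
        echo "could not pin $demo" >&2
    fi
fi
```

For root's own file the system flags matter only together with securelevel: with sappnd,sunlnk set and kern.securelevel raised to 1 or higher, the flags cannot be cleared again without dropping to single-user mode, which is what makes the record survive a root compromise. The flags only protect what the shell has already written to the file; they do not make a shell write anything, so treat the history as one source of clues, as Peter describes it, rather than as a complete audit trail.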