Date: Tue, 27 Jan 2004 21:42:06 +0100 From: "Remko Lodder" <remko@elvandar.org> To: "Mark Ogden" <ogden@eng.utah.edu>, "Peter Rosa" <prosa@pro.sk> Cc: freebsd-security@freebsd.org Subject: RE: [Freebsd-security] Re: Possible compromise ? Message-ID: <20040127204125.01D0E2B4D8E@mail.evilcoder.org> In-Reply-To: <20040127203109.3C89817@mail.elvandar.org>
next in thread | previous in thread | raw e-mail | index | archive | help
that only works when you are presuming that the host was not hacked already because i would clear those logs when i hacked a system :) but indeed it's a try, If you remain unsure, it is best to reinstall the system to be sure that a fresh and newly updated (yeah update it when installed :)) system is not compromised at that time.. loads of work, but it gives you some relief to know that it's clean. GoodLuck! -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: freebsd-security-bounces@lists.elvandar.org [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Mark Ogden Verzonden: dinsdag 27 januari 2004 21:28 Aan: Peter Rosa CC: freebsd-security@freebsd.org Onderwerp: [Freebsd-security] Re: Possible compromise ? Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote: > OK, sorry for unclear previous message. > > In the past, one man teached me the FreeBSD basics and also installed my > gateway. In that time, I was not able to install and setup FreeBSD by > myself. He left there some holes - e.g. open virtual consoles, unset > firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD > and I tried to setup my own firewall, install and setup some programs (with > big help of this and Questions lists, manpages and other books). > > When I tried to setup more security on that system, except other things, I > disabled all virtual tty's, because there is no need to connect to this > machine remotelly (it's located 5 steps from my desk). In the past, that man > connected to my system remotely from various IPs. > > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read > some connects from remote machines to ttyp0 and ttyp1. take a look at the /var/log/auth.log, it will show you everyone that remote connected and was denied. -Mark >It's impossible for > me to retrieve connection dates from that file. Of course, I read man last, > man wtmp, etc., but there is nothing about /var/log/lastlog file. > > May be, that lines was added in the deep past, when the machine was open. > But may be, it was done in few previous days... > > I know, if my machine was compromised, it is impossible to believe in > anything on that machine (also kernel, sources). So, are there some other > ways to get information about connection dates? > > Peter Rosa > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ Freebsd-security mailing list Freebsd-security@lists.elvandar.org http://lists.elvandar.org/mailman/listinfo/freebsd-security
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040127204125.01D0E2B4D8E>