Date: Sun, 7 Dec 2003 11:25:38 -0600
From: "Lewis Watson" <lists@visionsix.com>
To: "Craig Riter" <criter@riter.com>, <freebsd-security@freebsd.org>
Subject: Re: possible compromise or just misreading logs
Message-ID: <001301c3bce7$217419b0$df0a0a0a@visionsix.net>
References: <000b01c3bce5$a411f9c0$65ffa8c0@EOS>

> So, my question is did I have a break-in? This machine is accessible only
> as a web server through NAT and ipfw (if I configed my ipfw correctly). I
> had just installed the Apache 1.3.29.
>
> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.

Hi Craig,

Are you sure that you did not install any of the ports around this time? Usually you would see this type of activity when a program is installed. You should probably do a ps aux and sockstat -4 to see what is running and open.

There are two programs that I am familiar with to monitor changes: chkrootkit and tripwire. Chkrootkit is trivial to install but tripwire is a much more complete package. I am sure there are others here that can provide much more insight into this.

Thanks.
Lewis
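The sockstat -4 check suggested in the message above can be turned into a repeatable comparison against the listeners a web-only host is expected to have. This is an added example, not part of the original e-mail; the allowlist (httpd on 80, sshd on 22), the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening IPv4 sockets that are not on an allowlist.
# ALLOWED entries are "command:port". This list is an assumption for a host
# that should expose only httpd, plus sshd for administration.
ALLOWED="httpd:80 sshd:22"

# Reads `sockstat -4` output on stdin; prints one line per unexpected listener.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "USER" { next }        # header line
        NF < 7       { next }        # short or wrapped line, nothing to judge
        $7 != "*:*"  { next }        # has a peer: established, not a listener
        {
            port = $6
            sub(/.*:/, "", port)     # port is whatever follows the last colon
            if (!(($2 ":" port) in ok))
                printf "%s user=%s pid=%s %s %s\n", $2, $1, $3, $5, $6
        }'
}

# Constructed sample in the column layout sockstat -4 prints on FreeBSD.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
www      httpd      530   16 tcp4   *:80                  *:*
www      httpd      530   17 tcp4   10.0.0.5:80           192.0.2.10:51234
nobody   a.out      9911  3  tcp4   *:31337               *:*
EOF
}

# On a live host: sockstat -4 | unexpected_listeners "$ALLOWED"
# The constructed sample is used here so the script runs anywhere.
sample_sockstat | unexpected_listeners "$ALLOWED"
```

A command name is only what the process reports about itself, so a clean result is a first pass; the file-level check still belongs to a tool such as tripwire or chkrootkit.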
