From owner-freebsd-security Fri Dec 1 06:39:09 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8955F37B400; Fri, 1 Dec 2000 06:39:07 -0800 (PST)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA26320; Fri, 1 Dec 2000 06:38:43 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda26318; Fri Dec 1 06:38:36 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eB1EcU315944; Fri, 1 Dec 2000 06:38:30 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdz15942; Fri Dec 1 06:38:17 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eB1EcHO47163; Fri, 1 Dec 2000 06:38:17 -0800 (PST)
Message-Id: <200012011438.eB1EcHO47163@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdZ47159; Fri Dec 1 06:37:45 2000
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.2-RELEASE
X-Sender: cy
To: mwlucas@exceptionet.com
Cc: scrappy@hub.org (The Hermit Hacker), kris@FreeBSD.ORG, sriva@gufi.org, security@FreeBSD.ORG
Subject: IDS (was: Re: FreeBSD hacked?)
In-reply-to: Your message of "Thu, 30 Nov 2000 12:32:41 EST." <200011301732.MAA08853@easeway.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 01 Dec 2000 06:37:44 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200011301732.MAA08853@easeway.com>, mwlucas@exceptionet.com writes:
> [picking this message to respond to in general, not you in particular]
>
> Besides, the hackers *claim* it was a "harmless" intrusion. Kris must be
> going nuts finding out what else was changed, or confirming nothing else
> was. We've all been there.
>
> IIRC, Freefall's been rooted before. It'll probably be rooted again. A
> security admin's job sucks, but life goes on.

An IDS like tripwire or aide will help in this department. Of course there
are limitations, e.g. rootkits that install themselves as kernel mods, and
there are extra things that need to be done to improve tripwire's or aide's
ability to withstand database corruption, but it is better than doing
nothing at all.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
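A minimal tripwire/aide-style integrity check, written here as an added example (it is not code from the thread or from either tool), covering both the baseline comparison the mail recommends and its caveat about the baseline database: the sealed database carries an HMAC whose key is assumed to live off the host or on read-only media, so an intruder who edits the database without that key is detected. File names, contents and the key are constructed for the demo; the kernel-module rootkit limitation from the mail is noted in a comment and is not addressed by this code.

```python
import hashlib, hmac, json, os, stat, tempfile
from pathlib import Path

def build_baseline(root):
    """Digest, mode and size of every regular file under root (symlinks etc. skipped)."""
    db = {}  # caveat from the mail: a kernel-module rootkit that lies to read(2) defeats this
    for dirpath, _, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # whole-file read; stream in chunks for big trees
                digest = hashlib.sha256(Path(full).read_bytes()).hexdigest()
                db[os.path.relpath(full, root)] = {
                    "sha256": digest, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    return db

def seal(db, key):
    """MAC the serialised baseline; keep the key off-host or on read-only media."""
    body = json.dumps(db, sort_keys=True)  # an intruder without the key cannot re-seal edits
    return json.dumps({"db": body, "hmac": hmac.new(key, body.encode(), "sha256").hexdigest()})

def unseal(blob, key):
    """Verify the MAC before trusting the baseline; raise if the database was altered."""
    outer = json.loads(blob)
    tag = hmac.new(key, outer["db"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, outer["hmac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(outer["db"])

def compare(baseline, current):
    """Return (added, removed, changed) relative paths since the baseline."""
    return (sorted(set(current) - set(baseline)), sorted(set(baseline) - set(current)),
            sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]))

def demo():
    """Constructed walk-through: trojan a file (same size), add one, then forge the DB."""
    key = b"demo-key-would-live-on-read-only-media"  # constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        Path(root, "login").write_bytes(b"original login")
        Path(root, "motd").write_bytes(b"hello\n")
        blob = seal(build_baseline(root), key)
        Path(root, "login").write_bytes(b"trojaned login")  # same size, different content
        Path(root, "ls").write_bytes(b"new binary")
        added, removed, changed = compare(unseal(blob, key), build_baseline(root))
        outer = json.loads(blob)  # intruder edits the baseline but cannot recompute the MAC
        outer["db"] = outer["db"].replace('"size": 14', '"size": 99')
        try:
            unseal(json.dumps(outer), key); forged = False
        except ValueError:
            forged = True
    return {"added": added, "removed": removed, "changed": changed, "forgery_caught": forged}
```

Running demo() reports "login" as changed even though its size did not move, "ls" as added, and the doctored database as rejected.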