Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Jan 2004 21:46:14 +0100
From:      "Peter Rosa" <prosa@pro.sk>
To:        "Remko Lodder" <remko@elvandar.org>, "Mark Ogden" <ogden@eng.utah.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Re: [Freebsd-security] Re: Possible compromise ?
Message-ID:  <00d401c3e516$9afe3ca0$3501a8c0@peter>
References:  <20040127204125.01D0E2B4D8E@mail.evilcoder.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Yes, but it is the way I wouldn't like to go. Because of sooo much time :-(

PR


----- Original Message ----- 
From: "Remko Lodder" <remko@elvandar.org>
To: "Mark Ogden" <ogden@eng.utah.edu>; "Peter Rosa" <prosa@pro.sk>
Cc: <freebsd-security@freebsd.org>
Sent: Tuesday, January 27, 2004 9:42 PM
Subject: RE: [Freebsd-security] Re: Possible compromise ?


> that only works when you are presuming that the host was not hacked
already
> because i would clear those logs when i hacked a system :)
>
> but indeed it's a try,
>
> If you remain unsure, it is best to reinstall the system to be sure that a
> fresh
> and newly updated (yeah update it when installed :)) system is not
> compromised at that
> time..
>
> loads of work, but it gives you some relief to know that it's clean.
>
> GoodLuck!
>
> --
>
> Kind regards,
>
> Remko Lodder
> Elvandar.org/DSINet.org
> www.mostly-harmless.nl Dutch community for helping newcomers on the
> hackerscene
>
> -----Oorspronkelijk bericht-----
> Van: freebsd-security-bounces@lists.elvandar.org
> [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Mark Ogden
> Verzonden: dinsdag 27 januari 2004 21:28
> Aan: Peter Rosa
> CC: freebsd-security@freebsd.org
> Onderwerp: [Freebsd-security] Re: Possible compromise ?
>
>
> Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote:
> > OK, sorry for unclear previous message.
> >
> > In the past, one man teached me the FreeBSD basics and also installed my
> > gateway. In that time, I was not able to install and setup FreeBSD by
> > myself. He left there some holes - e.g. open virtual consoles, unset
> > firewall, etc. As the time went, I learned a lot about Unixes and
FreeBSD
> > and I tried to setup my own firewall, install and setup some programs
> (with
> > big help of this and Questions lists, manpages and other books).
> >
> > When I tried to setup more security on that system, except other things,
I
> > disabled all virtual tty's, because there is no need to connect to this
> > machine remotelly (it's located 5 steps from my desk). In the past, that
> man
> > connected to my system remotely from various IPs.
> >
> > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can
> read
> > some connects from remote machines to ttyp0 and ttyp1.
>
> take a look at the /var/log/auth.log, it will show you everyone that
> remote connected and was denied.
>
> -Mark
>
> >It's impossible for
> > me to retrieve connection dates from that file. Of course, I read man
> last,
> > man wtmp, etc., but there is nothing about /var/log/lastlog file.
> >
> > May be, that lines was added in the deep past, when the machine was
open.
> > But may be, it was done in few previous days...
> >
> > I know, if my machine was compromised, it is impossible to believe in
> > anything on that machine (also kernel, sources). So, are there some
other
> > ways to get information about connection dates?
> >
> > Peter Rosa
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
"freebsd-security-unsubscribe@freebsd.org"
> _______________________________________________
> Freebsd-security mailing list
> Freebsd-security@lists.elvandar.org
> http://lists.elvandar.org/mailman/listinfo/freebsd-security
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00d401c3e516$9afe3ca0$3501a8c0>