Date: Mon, 18 Dec 2000 14:59:53 -0600
From: Jonathan Fosburgh <syjef@mail.mdanderson.org>
To: Tim McMillen <timcm@umich.edu>
Cc: "Gerald T. Freymann" <freymann@eagle.ca>, Questions <questions@FreeBSD.ORG>
Subject: Re: Hacker history file - OUCH
Message-ID: <3A3E7AC9.40306@mail.mdanderson.org>
References: <Pine.SOL.4.10.10012181521360.17224-100000@tempest.gpcc.itd.umich.edu>
Tim McMillen wrote:

> Do you know for sure it was an intruder? Or was it just one of
> your users? Either way that doesn't look good. I'm no security expert,
> but the programs they compiled and ran could easily be backdoors to get in
> easily the next time. It's hard (for me) to tell how bad it is without
> knowing whether they were successful in getting root privileges. In the
> history file we don't see the output of the command. Nothing he did
> afterwards seems to require root privileges, but if he had them then
> those programs could easily be backdoors. I would consider the box
> compromised. Is it still in use? The best way to get the most
> information about an attack is to shut down and halt the machine ASAP.
> Then mount everything read-only (perhaps on another machine). Then look
> around. That way you won't overwrite possible clues. Any disk access
> after the intruder is there can overwrite that, and that is bad for
> evidence.
>
> You may want to contact the administrators at the sites he ftp'd
> to to alert them and see if they can tell what those files were that he
> downloaded.
>
> Tim

The results of the su ought to be in /var/log/messages. Especially the one to toor. You should either see a success or failure message. Of course, he can only su to toor if the user he was in as is in group wheel.

-- 
Jonathan Fosburgh
Open Systems
Communications and Computer Services
UT MD Anderson Cancer Center
Houston, TX
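One way to run the two checks Jonathan describes over a saved copy of the logs, as an added example that is not part of this thread; it assumes FreeBSD su's syslog wording ("user to target on tty" on success, "BAD SU user to target on tty" on failure) and a standard wheel line in /etc/group, and the log and group data below are constructed samples, not the poster's files:

```shell
#!/bin/sh
# Added example, not from the thread. Checks (1) su results recorded in a
# saved copy of /var/log/messages and (2) whether the suspect account is in
# group wheel, which it needs to su to root/toor. Assumed FreeBSD su format:
# "<user> to <target> on <tty>" on success, "BAD SU <user> to <target> on <tty>"
# on failure. Run it against a read-only mount or a copy, not the live disk.

# Write constructed sample data (not real logs) to the two paths given.
write_sample_data() {
    cat >"$1" <<'EOF'
Dec 18 14:01:12 host su: BAD SU tim to toor on /dev/ttyp2
Dec 18 14:01:30 host su: BAD SU tim to root on /dev/ttyp2
Dec 18 14:02:05 host su: tim to toor on /dev/ttyp2
Dec 18 14:10:44 host sshd[231]: Accepted password for tim from 192.0.2.10
EOF
    cat >"$2" <<'EOF'
wheel:*:0:root,tim
users:*:100:tim,bob
EOF
}

# su_attempts LOGFILE: one line per su attempt, "<OK|FAIL> <from> <to> <tty>".
su_attempts() {
    awk '$5 ~ /^su(\[[0-9]+\])?:$/ {
        if ($6 == "BAD" && $7 == "SU") print "FAIL", $8, $10, $12
        else                           print "OK",   $6, $8,  $10
    }' "$1"
}

# count_su RESULT TARGET LOGFILE: number of attempts with RESULT to TARGET.
count_su() {
    su_attempts "$3" | awk -v r="$1" -v t="$2" \
        '$1 == r && $3 == t { n++ } END { print n + 0 }'
}

# in_wheel USER GROUPFILE: exit status 0 if USER is a member of group wheel.
in_wheel() {
    awk -F: -v u="$1" '$1 == "wheel" { n = split($4, m, ",");
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit !ok }' "$2"
}

# Stand-alone demo on the constructed sample data.
log=$(mktemp); grp=$(mktemp)
write_sample_data "$log" "$grp"
su_attempts "$log"
in_wheel tim "$grp" && echo "tim is in wheel" || echo "tim is not in wheel"
rm -f "$log" "$grp"
```

A successful "to toor" line settles the question the shell history alone cannot answer: whether the later commands ran with root privileges.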