> > Besides checking the standard /var/log/messages log, are there any
> > suggestions as to where I should check for possible breaches
> > in this individual's system?
>
> i'd check the integrity of the installed rpms:
>
> [jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done

I wouldn't trust the RPM database on the system to tell you the truth,
as it could be modified easily just like the original programs. Better
to check against the original CD-ROM and/or a trusted archive. I have
the basics of how to do this in:

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

> i'd also look for recent additions in /dev (which seems to be the
> directory of choice for rootkits):
>
> [jon@devotchka /dev]$ ls -tla|more

Being the "directory of choice" means it's best to choose another
directory, so someone suggesting "/dev is the place to look" will be
fooled. I've seen UUCP spool directories, catman directories, termcap
directories, /var/log directories... The best place to hide something
is where you don't expect someone to look for it. See also:

http://project.honeynet.org/challenge/results/

> ...outdated software run by an inexperienced admin. not a particularly hard
> target from a script kiddie pov. then again, maybe you'll find the
> fabled openssh2 remote exploit...

If you do, send it my way. ;)

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
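The two points above (do not trust the on-host RPM database, and do not expect the intruder to leave files where, or when, you expect them) come down to one technique: compare the suspect host's files by content against a copy you trust, rather than against metadata the host itself supplies. The script below is an added illustration of that technique; it is not from Dave's message, from the rootkits FAQ he links, or from any RPM tooling. It generalizes the RPM case to any two directory trees: in practice the "trusted" tree would be files extracted from the original install media or a known-good mirror, and the "live" tree the suspect system (mounted read-only from a clean boot, ideally). Both trees here are constructed in a temp directory so the script runs offline; the tool names `sha256sum`/`shasum` and the function names are my choices, not anything the post mentions.

```shell
#!/bin/sh
# Added example (not from the original post): verify a suspect host's files
# against a trusted copy by content hash, instead of trusting the host's own
# package database or a "newest files first" listing. The "trusted" and
# "live" trees below are constructed stand-ins for install media and the
# suspect system respectively.
LC_ALL=C
export LC_ALL

# Hash one file with whichever SHA-256 tool is available (assumed tools).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Print "hash  ./relative/path" for every regular file under $1.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do hash_file "$f"; done )
}

# Compare two trees and print one line per discrepancy:
#   MODIFIED path  -> content differs from the trusted copy
#   ADDED path     -> present on the live host but not in the trusted tree
#   MISSING path   -> present in the trusted tree but gone from the live host
compare_trees() {
    trusted_dir=$1
    live_dir=$2
    tmp=$(mktemp -d)
    make_manifest "$trusted_dir" > "$tmp/trusted"
    make_manifest "$live_dir"    > "$tmp/live"
    awk 'FNR == NR { trusted[$2] = $1; next }
         { live[$2] = $1 }
         END {
             for (p in trusted) if (!(p in live)) print "MISSING " p
             for (p in live) {
                 if (!(p in trusted))            print "ADDED " p
                 else if (live[p] != trusted[p]) print "MODIFIED " p
             }
         }' "$tmp/trusted" "$tmp/live" | sort
    rm -rf "$tmp"
}

# Build the constructed demo trees and print the directory holding them.
build_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/trusted/bin" "$demo/live/bin" "$demo/live/dev"
    printf 'original ls\n'      > "$demo/trusted/bin/ls"
    printf 'original ps\n'      > "$demo/trusted/bin/ps"
    printf 'original netstat\n' > "$demo/trusted/bin/netstat"
    cp "$demo/trusted/bin/ls" "$demo/live/bin/ls"           # unchanged file
    printf 'replaced ps\n'      > "$demo/live/bin/ps"       # modified file
    printf 'extra file\n'       > "$demo/live/dev/.hidden"  # added file
    # Give the changed files the same mtime as an untouched one, so an
    # "ls -tla" style check would not single them out; the hashes still do.
    touch -r "$demo/live/bin/ls" "$demo/live/bin/ps" "$demo/live/dev/.hidden"
    echo "$demo"
}

demo=$(build_demo)
compare_trees "$demo/trusted" "$demo/live"
rm -rf "$demo"
```

Run as-is it reports `ADDED ./dev/.hidden`, `MISSING ./bin/netstat` and `MODIFIED ./bin/ps`, while the mtimes of all three live files match the untouched `ls`. The manifest of the trusted tree should be generated and stored off the suspect host, and the comparison should be run from a clean boot, because a compromised kernel or a replaced `find`/`sha256sum` on the live system can lie about file contents just as the RPM database can.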
This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 15:48:51 PST