RE: Keylogger Needed Quick!

From: Tom Kapanka (tomat_private)
Date: Thu Mar 14 2002 - 15:06:54 PST

    Hey thanks everyone for the files and suggestions...we quickly learned that
    a trojaned ssh had been capturing pws...booo.  So, we found the sk 'SucKIT'
    rootkit installed, and used its own uninstall routines to remove it.
    Unfortunately s/he was in for a bit of time before we caught on so the logs
    had rotated away :( not much to traceback through.  Our question is, what
    was the point of entry?  The destination was /tmp, of course.
    
    No PHP/MySQL installed
    Possible Insecure/Exploited CGI
    Possible internal
    Possible sniffed/guessed/bruteforced pop3/ftp pwd = ssh pwd
    Possible incidental pwd capture from one of our users ssh-ing to us from a
    compromised server.
    
    Lesson learned:
    
    Despite the enormous volumes of information regarding the security status of
    your boxen that pass before your eyes, and no matter how much you distill it
    before it reaches you, you will still miss important things because there's
    just So Much.
    
    I never did install the keylogger, we figured it out and shut it down.
    
    Thank you all and goodnight.
    
    > -----Original Message-----
    > Sent: Monday, March 11, 2002 4:01 PM
    > To: forensicsat_private; incidentsat_private
    > Subject: Keylogger Needed Quick!
    >
    >
    > We got an intruder cornered and need to install a keylogger quick!  Anyone
    > got a good one that I can drop in real easy and quiet-like to nab
    > this guy?
    > He comes in right around the same time and that time draws near.
    >
    > OS: RedHat Linux 7.1
    >
    > I was confused by the ones listed at PacketStorm, most of them are for
    > Windoze.  Any help getting this installed would be appreciated!
    >
    > -t
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
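The poster found the compromise only after the trojaned ssh binary had been harvesting passwords for some time, and by then the logs had rotated away. The check that survives log rotation is a file-integrity baseline of the binaries themselves. The script below is an added example, not code from the original post or from the SucKIT rootkit discussion: it records SHA-256 hashes of a directory of binaries and later reports any file that changed or disappeared. The sandbox directory, the "ssh" and "sshd" files in it, and the `make_baseline`, `check_baseline` and `demo_count` names are all constructed for illustration; it assumes `sha256sum` from coreutils. On a Red Hat 7.1 box the package database offers a similar comparison (`rpm -V openssh`), with the caveat that a rootkit that replaces ssh can just as easily doctor the RPM database, so the baseline should live off-host.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal file-integrity
# baseline of the kind that would have exposed the trojaned ssh binary.
# Assumes sha256sum (coreutils) and a POSIX sh. Keep the baseline file
# off the monitored host; an attacker with root can rewrite it otherwise.

# make_baseline DIR OUTFILE: hash every regular file under DIR into OUTFILE
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline BASELINE: print one line per file whose hash no longer
# matches (MODIFIED) or that is gone (MISSING). Returns 1 if anything
# differs, 0 if the tree is clean.
check_baseline() {
    rc=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# demo_count MODE: build a constructed sandbox with two fake binaries,
# baseline it, optionally swap "ssh" for a trojaned copy (MODE=tamper),
# and print how many files the check flags. Sandbox is removed afterwards.
demo_count() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ssh\n'  > "$tmp/bin/ssh"    # constructed stand-in binary
    printf 'original sshd\n' > "$tmp/bin/sshd"   # constructed stand-in binary
    make_baseline "$tmp/bin" "$tmp/baseline.txt"
    if [ "$1" = "tamper" ]; then
        # simulate the attacker dropping a password-logging ssh in place
        printf 'trojaned ssh\n' > "$tmp/bin/ssh"
    fi
    check_baseline "$tmp/baseline.txt" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

echo "files flagged after tampering: $(demo_count tamper)"
echo "files flagged on a clean tree: $(demo_count clean)"
```

Run `make_baseline /usr/bin /var/backup/usr-bin.sha256` (and the same for `/usr/sbin`, `/bin`, `/sbin`) while the host is known good, copy the baseline somewhere the host cannot write, and re-run `check_baseline` from a trusted shell or a rescue boot; a replaced `ssh`, `sshd`, `ls` or `ps` shows up as MODIFIED even when the rootkit is hiding its own processes and files from the running system.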



    This archive was generated by hypermail 2b30 : Sun Mar 17 2002 - 05:05:21 PST