Re: info

From: W.G. Iyer (guhan777at_private)
Date: Fri May 03 2002 - 17:27:17 PDT


    > I would like some opinions, advice, or info on:
    > - is there any way to view records? webmin has a
    > 'last logon' option, but now that
    > /var/log has been blown away, it's not working
    > right..
    The nature of the attack, i.e. the box is r00ted, indicates
    that you cannot trust any of the information
    you find with any certainty. With that said, you can
    check your /etc/syslog.conf file to see if there are
    any log files in a directory other than /var/log. You
    can also check services like Apache (httpd.conf) to
    see if they logged to a directory other than /var/log.
    > - any other recommendations? I'm pretty proficient
    > in Linux, but this is the first time
    > I've run into a hacked box. From my past reading, I
    > know the steps are to try and recover
    > any data not malformed and reinstall. Any other
    > pointers?
    If your attacker was sloppy, you may find useful
    information in the users' history files, .bash_history,
    especially those of users with uid 0.
    If the hacked machine was behind a packet filter, or
    there is a sniffer on the line anywhere between the
    hacked box and the net, that you have access to, you
    can check those logs as well.
    Best of luck, 
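The three checks suggested in the reply above (syslog destinations outside /var/log, Apache log paths from httpd.conf, and the .bash_history of every uid-0 account) can be scripted so a responder gets a list of files to pull before deciding what else to do. The script below is an added example and is not part of the original post or its thread; the sample syslog.conf, httpd.conf fragment and passwd file it reads are constructed here for illustration. It is written to be pointed at an offline copy of the suspect filesystem, since, as the reply notes, nothing on a rooted box can be taken at face value.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers that list where a
# Linux host was configured to write logs and where uid-0 shell histories live.
# Point the functions at files from a mounted image of the suspect disk, not at
# the live /etc of the compromised host, whose config may itself have been edited.

# Print syslog actions that are absolute paths outside /var/log.
# syslog.conf lines are "<selector> <action>"; a leading "-" on the action only
# disables fsync, so it is stripped. Comments, blank lines, remote targets
# ("@host"), user lists and "*" (wall) are not files and are skipped.
syslog_targets_outside_varlog() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            act = $NF
            sub(/^-/, "", act)
            if (act ~ /^\// && act !~ /^\/var\/log(\/|$)/) print act
        }
    ' "$1" | LC_ALL=C sort -u
}

# Print the target of each Apache ErrorLog/CustomLog/TransferLog directive.
# Quoted targets are unquoted; piped loggers ("|/usr/sbin/rotatelogs ...") are
# printed whole so the responder sees that logs went through a program.
apache_log_targets() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "ErrorLog" || $1 == "CustomLog" || $1 == "TransferLog" {
            rest = $0
            sub(/^[[:space:]]*[A-Za-z]+[[:space:]]+/, "", rest)
            if (rest ~ /^"/) {
                match(rest, /^"[^"]*"/)
                target = substr(rest, 2, RLENGTH - 2)
            } else {
                split(rest, parts, /[[:space:]]+/)
                target = parts[1]
            }
            print target
        }
    ' "$1" | LC_ALL=C sort -u
}

# Print "user:<home>/.bash_history" for every uid-0 entry in a passwd file.
# More than one uid-0 account is itself a finding worth recording.
uid0_history_files() {
    awk -F: '$3 == 0 { print $1 ":" $6 "/.bash_history" }' "$1"
}

# --- constructed sample input (stands in for files copied from the image) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_SYSLOG="$WORK/syslog.conf"
SAMPLE_HTTPD="$WORK/httpd.conf"
SAMPLE_PASSWD="$WORK/passwd"

cat > "$SAMPLE_SYSLOG" <<'EOF'
# constructed sample /etc/syslog.conf
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /opt/logs/auth.log
*.emerg                          *
mail.*                           -/var/log/maillog
kern.*                           -/opt/logs/kern.log
*.*                              @loghost.example
EOF

cat > "$SAMPLE_HTTPD" <<'EOF'
# constructed sample httpd.conf fragment
ServerRoot "/etc/httpd"
ErrorLog /srv/www/logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /srv/www/logs/access_log common
CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/rot_%Y 86400" common
EOF

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sysop:x:0:0:constructed second uid-0 entry:/home/sysop:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF

echo "syslog destinations outside /var/log:"
syslog_targets_outside_varlog "$SAMPLE_SYSLOG"
echo "Apache log targets:"
apache_log_targets "$SAMPLE_HTTPD"
echo "uid-0 shell histories to collect:"
uid0_history_files "$SAMPLE_PASSWD"
```

Against the constructed input the first function reports /opt/logs/auth.log and /opt/logs/kern.log, the second reports the two /srv/www/logs files plus the rotatelogs pipe, and the third lists history files for both root and the second uid-0 account. On a real image, replace the three SAMPLE_ paths with the copied files and feed the printed paths to whatever you use to preserve evidence before reading them.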

    This archive was generated by hypermail 2b30 : Mon May 06 2002 - 10:43:38 PDT