[NTLUG:Discuss] Intrusion and Detection

Jack Snodgrass idiotboy at cybermail.net
Mon Dec 24 10:31:53 CST 2001


( This is a different approach..... not better... but different.... I have found this useful in the past. )

I'm not a fan of RPM packages in general, but one nice feature that you can do is something like

rpm -V procps util-linux

which will compare the files installed from the util-linux and procps packages to what is on the system currently. So... if someone were to modify /bin/login or /bin/ps, the -V ( verify ) option for RPM would point this out to you.

There is nothing to say that a hacker doesn't update /bin/login or /bin/ps with RPM, but it might show that someone unpacked a .tgz file and replaced those files with hacked ones.

jack

----- Original Message -----
From: "Kenneth Loafman" <ken at lt.com>
To: <discuss at ntlug.org>
Sent: Friday, December 21, 2001 10:45 AM
Subject: [NTLUG:Discuss] Intrusion and Detection


> With all the packages like Tripwire and others that detect intrusion,
> are there any that are "better" than others?  What are your experiences?
>
> My home system just got rooted via an ssh bug and my own personal
> detection system spotted it (ps did not work right), but the damage had
> been done.  Right now the system is off the net, but I want to
> reopen the ssh port again so I can get to it from work.
>
> Been doing some forensics and it looks like the work of a script-kiddie,
> even left the .tgz file and install scripts on the system.  Nasty stuff,
> but it does not look like he left a worm installed, just set it up to
> allow him to get back in.  That's secured now, no inbound connections
> available.
>
> So, back to the question... what's a good intrusion detection system?
> I'm decidedly not a novice, but I don't have much time to mess with
> overly complex systems, so ease-of-use is a consideration.
>
> ...Thanks,
> ...Kenneth
>
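An added example, not from Jack's post: a small POSIX sh triage helper that reads `rpm -V` output and explains each attribute flag, so a check like `rpm -V procps util-linux` can be sorted into "content changed", "missing", "mtime only" and "config file" lines at a glance. The sample verify output embedded below is constructed for the example; on a compromised host the rpm binary and database are themselves untrusted, so the output is only as good as the rpm that produced it.

```sh
#!/bin/sh
# Constructed sample of `rpm -V procps util-linux` output (not real output from the list).
# Columns: attribute flags (8 chars on rpm 4.0, 9 with 'P' on newer rpm), optional
# file-type marker (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
SAMPLE_VERIFY_OUTPUT='S.5....T.    /bin/ps
.......T.    /bin/login
.M.......  c /etc/fstab
missing     /bin/mount'

# explain_flags FLAGS -> space-separated names of the attributes that differ.
# Each letter is unique to its column, so presence is enough to test.
explain_flags() {
  reasons=""
  case $1 in *S*) reasons="$reasons size";; esac
  case $1 in *M*) reasons="$reasons mode";; esac
  case $1 in *5*) reasons="$reasons digest";; esac
  case $1 in *D*) reasons="$reasons device";; esac
  case $1 in *L*) reasons="$reasons symlink";; esac
  case $1 in *U*) reasons="$reasons owner";; esac
  case $1 in *G*) reasons="$reasons group";; esac
  case $1 in *T*) reasons="$reasons mtime";; esac
  case $1 in *P*) reasons="$reasons capabilities";; esac
  printf '%s' "${reasons# }"
}

# triage_verify: reads rpm -V lines on stdin, prints "SEVERITY path: reasons" per line.
triage_verify() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    flags=$1; shift
    case $1 in c|d|g|l|r) ftype=$1; shift;; *) ftype="";; esac
    path=$1
    if [ "$flags" = missing ]; then
      echo "HIGH $path: file missing"; continue
    fi
    sev=LOW                                  # mtime-only differences are weak signals
    case $flags in *5*|*S*|*M*|*U*|*G*) sev=HIGH;; esac   # content or metadata changed
    if [ "$ftype" = c ]; then sev=INFO; fi   # config files are edited legitimately
    echo "$sev $path: $(explain_flags "$flags")"
  done
}

# Live use would be:  rpm -V procps util-linux | triage_verify
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_verify
```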