Bugtraq mailing list archives

Re: snooper watchers


From: chris () rivers dra hmg gb (Christopher Samuel)
Date: Mon, 27 Feb 1995 14:18:46 +0000


In message <199502270518.AAA20096 () ussenterprise async vt edu>, 
        Leo Bicknell <bicknell () ussenterprise async vt edu> writes:

> I just had a thought.  What about making it impossible for
> even root to cover his/her tracks?  My specific thought was writing
> things like accounting/audit logs directly to say a WORM drive.

In that situation the obvious thing for the cracker to do is to generate
as much misleading logging as possible, and aim to fill the WORM disk
with it.

Whilst that won't remove their footprints, they can (if they think carefully)
generate enough fake "information" to make them start chasing other
leads first. I'm thinking here along the lines of bogus syslog messages
about hardware and software problems.

Now perhaps this is the sort of time you want to be running things like
swatch to monitor the logfiles, and to try and alert people when things
start to act peculiar.

Chris

P.S. This is meandering away from full-disclosure now, so I'll shut up. ;-)
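An added example, not part of Chris's post or of swatch itself: a small swatch-style monitor in Python that groups constructed syslog lines by minute, flags a minute whose volume exceeds a ceiling and whose messages collapse to one repeated template once digits are masked (the bogus "hardware problem" flood described above), and estimates how long the free space on a write-once volume would last at that rate. The syslog regex, the thresholds and the sample lines are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed syslog layout: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d):(\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    """Return a record for one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    minute, _sec, host, prog, msg = m.groups()
    return {"minute": minute, "host": host, "prog": prog, "msg": msg, "bytes": len(line) + 1}

def find_floods(lines, max_per_minute=60, repeat_ratio=0.8):
    """Flag each minute whose line count exceeds the ceiling. A synthetic flood
    is usually low-entropy (one complaint repeated with varying numbers), so also
    report the dominant program and the template most lines share once digits are masked."""
    per_min = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_min[rec["minute"]].append(rec)
    alerts = []
    for minute, recs in sorted(per_min.items()):
        if len(recs) <= max_per_minute:
            continue
        top_prog = Counter(r["prog"] for r in recs).most_common(1)[0][0]
        templates = Counter(re.sub(r"\d+", "N", r["msg"]) for r in recs)
        top_tpl, tpl_n = templates.most_common(1)[0]
        alerts.append({
            "minute": minute,
            "count": len(recs),
            "bytes": sum(r["bytes"] for r in recs),
            "dominant_program": top_prog,
            "repeated_template": top_tpl if tpl_n / len(recs) >= repeat_ratio else None,
        })
    return alerts

def minutes_until_full(free_bytes, bytes_per_minute):
    """How long a write-once volume with free_bytes left lasts at this write rate."""
    return free_bytes / bytes_per_minute if bytes_per_minute else float("inf")

# Constructed sample (not real logs): a quiet minute, then a minute flooded
# with bogus disk-error messages of the kind the post describes.
SAMPLE_LINES = [
    "Feb 27 14:17:05 gw sshd[212]: Accepted password for chris from 10.0.0.5",
    "Feb 27 14:17:40 gw cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
] + [
    f"Feb 27 14:18:{i % 60:02d} gw kernel: sd0: soft error reading block {4000 + i}"
    for i in range(200)
]
```

Running `find_floods(SAMPLE_LINES)` yields one alert for 14:18 attributing the burst to `kernel` with the template `sdN: soft error reading block N`; feeding the alert's byte count to `minutes_until_full` gives the time left before the volume is exhausted.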