Bugtraq mailing list archives
Re: snooper watchers
From: chris () rivers dra hmg gb (Christopher Samuel)
Date: Mon, 27 Feb 1995 14:18:46 +0000
In message <199502270518.AAA20096 () ussenterprise async vt edu>, Leo Bicknell <bicknell () ussenterprise async vt edu> writes:
> I just had a thought. What about making it impossible for even root to cover his/her tracks? My specific thought was writing things like accounting/audit logs directly to say a WORM drive.
In that situation the obvious thing for the cracker to do is to generate as much misleading logging as possible, and aim to fill the WORM disk with it. Whilst that won't remove their footprints, they can (if they think carefully) generate enough fake "information" to make them start chasing other leads first. I'm thinking here along the lines of bogus syslog messages about hardware and software problems.

Now perhaps this is the sort of time you want to be running things like swatch to monitor the logfiles, and to try and alert people when things start to act peculiar.

Chris

P.S. This is meandering away from full-disclosure now, so I'll shut up. ;-)
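As an added example (not from the post, and not swatch itself), here is a small Python monitor in the spirit of the swatch suggestion: it buckets classic BSD-format syslog lines per minute, flags any minute whose volume is far above the median, and names the program producing most of that noise, which is what a log-flooding attempt against a write-once log would look like. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample syslog (not from the post): a normal trickle of messages,
# then one minute flooded with bogus "hardware problem" noise.
SAMPLE_LOG = """\
Feb 27 14:00:01 host kernel: eth0: link up
Feb 27 14:01:12 host login: ROOT LOGIN on tty1
Feb 27 14:02:05 host sshd[201]: connection from 10.0.0.5
Feb 27 14:02:40 host sshd[201]: session closed
Feb 27 14:03:33 host cron[88]: (root) CMD (run-parts /etc/cron.hourly)
Feb 27 14:05:01 host kernel: sd0: hard error reading sector 10231
Feb 27 14:05:02 host kernel: sd0: hard error reading sector 10232
Feb 27 14:05:02 host kernel: sd0: hard error reading sector 10233
Feb 27 14:05:03 host kernel: sd0: hard error reading sector 10234
Feb 27 14:05:04 host kernel: sd0: hard error reading sector 10235
"""
# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hm>\d\d:\d\d):\d\d "
    r"\S+ (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse(line):
    """Return (minute, program, message), or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return (f"{m['mon']} {m['day']} {m['hm']}", m["prog"], m["msg"])

def find_floods(lines, min_count=5, ratio=4.0):
    """Flag each minute whose message count is at least `min_count` and at least
    `ratio` times the median per-minute count (assumed thresholds); report the dominant program."""
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_minute[rec[0]].append(rec[1])
    if not per_minute:
        return []
    counts = sorted(len(v) for v in per_minute.values())
    median = counts[len(counts) // 2]
    alerts = []
    for minute, progs in per_minute.items():
        if len(progs) >= min_count and len(progs) >= ratio * median:
            prog, _ = Counter(progs).most_common(1)[0]
            alerts.append((minute, len(progs), prog))
    return alerts

if __name__ == "__main__":
    for minute, n, prog in find_floods(SAMPLE_LOG.splitlines()):
        print(f"ALERT {minute}: {n} messages, mostly from {prog}")
```

A burst of identical-looking messages does not prove tampering, but it is exactly the moment a human should be paged rather than left to read the flooded log later.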