Bugtraq mailing list archives

Re: Tracking tools?


From: neill () en com (neill)
Date: Thu, 15 Aug 1996 15:32:55 -0400



One thing you might consider. We made a login shell called Csh (looks like
csh in /etc/passwd) that is really a C program that sends me mail and
calls the unix script command. We modified the script binaries to not
print out the "script starting" and "script ending" messages. When the
suspect account logs in with this as their shell, it writes all their
keystrokes to a file. The downside is that if they do a w command, they will
see some funny stuff happening on their account.

Anyone else have any keystroke catching ideas?

Gene.

On Wed, 14 Aug 1996, David Miller wrote:

Please forgive me if this message is a bit off subject, as it doesn't
expose any holes....

I've got a tcpdump of the network while a hacker broke into a machine. I
created it on a FreeBSD system with tcpdump -w .... (filters omitted).

I can read the file back just fine with a tcpdump -r, and dump the raw
data with a -x, but that's less than real useful.

Can anyone point out some tools I might apply to this dump file in order
to track the session which actually hacked root?  I'd most like to see
one of the monitoring programs which can be fed from the dump file, but
I'd be happy with something which would give me an ascii dump of the
data portions of selected packets.

Thanks in advance:)

You have to be kidding. There are plenty of sniffers available for all
sorts of platforms.. Hell, you could even patch telnetd to capture
keystrokes.. The major drawback of what Gene seems to be trying to
do is that, well, it targets only one user. Unfortunately, to
get a root breakin, you would have to sniff all the time.. and
that brings up some nasty privacy issues..

And another thing.. yeah, you could patch all your shells (including
Bourne) to capture keystrokes, but where are you going to store the
no-doubt large logs it will create? It's difficult to catch a hacker this
way unless you are doing it in real time as the break-in is occurring or are
willing to store loads of logs of connections coming into your machine.
What if your hacker is smart enough to come in and pad his session with
enough garbage that it's hard for the admin to decipher? Say he logs on,
ftps some sources in, runs them, removes the source but still has root..
all you know is that he ran a program.. hackers are lazy, they don't type
out root exploits by hand most of the time if they can avoid it.
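As an added example (not code from anyone in this thread), here is a small Python script that does what David asked for: it reads a `tcpdump -w` file directly, keeps only the packets of one TCP connection, and puts both directions back in sequence order so the session can be printed as an ASCII dump. It assumes a classic pcap file with Ethernet framing and IPv4, that TCP sequence numbers do not wrap during the session, and it exercises itself on a capture constructed inline (a made-up telnet session with invented addresses and ports, not data from the incident). Retransmitted bytes are dropped and holes in the capture are marked rather than silently joined.

```python
"""Follow one TCP session in a tcpdump -w (pcap) file and dump its data as ASCII.
Added example for this thread; assumes classic pcap, Ethernet, IPv4, no seq wrap."""
import socket
import struct

SYN = 0x02


def read_pcap(data):
    """Yield raw Ethernet frames from a classic pcap byte string (either byte order)."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack(e + "I", data[20:24])
    if linktype != 1:  # assumption: DLT_EN10MB (Ethernet) captures only
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Decode Ethernet/IPv4/TCP into ((src, sport, dst, dport), seq, flags, payload); None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # protocol field: not TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return (src, sport, dst, dport), seq, off_flags & 0x1FF, tcp[doff:]


def stitch(segments, first_seq):
    """Join {seq: payload} in sequence order; drop retransmitted bytes, mark missing ones."""
    buf, nxt = bytearray(), first_seq
    for seq in sorted(segments):
        payload = segments[seq]
        if seq < nxt:                      # overlap / retransmission: keep only the new tail
            payload = payload[nxt - seq:]
            seq = nxt
        elif seq > nxt:                    # hole: the capture missed some bytes
            buf += b"[%d bytes missing]" % (seq - nxt)
        if payload:
            buf += payload
            nxt = seq + len(payload)
    return bytes(buf)


def follow_session(pcap_bytes, client, server):
    """Return (client_to_server, server_to_client) bytes; client/server are (ip, port)."""
    fwd, rev = client + server, server + client
    segments, first_seq = {fwd: {}, rev: {}}, {}
    for frame in read_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or seg[0] not in segments:
            continue
        key, seq, flags, payload = seg
        if flags & SYN:
            first_seq[key] = (seq + 1) & 0xFFFFFFFF   # data begins one past the SYN
        if payload:
            segments[key].setdefault(seq, payload)     # first copy wins on duplicates
    return tuple(stitch(s, first_seq.get(k, min(s))) if s else b""
                 for k, s in ((fwd, segments[fwd]), (rev, segments[rev])))


def ascii_dump(data):
    """Printable ASCII view; telnet option bytes and other binary show as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F or b in (9, 10, 13) else "." for b in data)


# ---- constructed sample capture (invented hosts, not data from the incident) ----
def build_frame(src, dst, seq, flags, payload=b""):
    tcp = struct.pack("!HHIIHHHH", src[1], dst[1], seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # checksums left zero; nothing verifies them


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


CLIENT, SERVER, OTHER = ("10.0.0.5", 1025), ("10.0.0.1", 23), ("10.0.0.9", 2000)
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 1000, SYN),
    build_frame(SERVER, CLIENT, 5000, SYN | 0x10),
    build_frame(CLIENT, SERVER, 1001, 0x18, b"id\r\n"),
    build_frame(SERVER, CLIENT, 5001, 0x18, b"uid=0(root)\r\n"),
    build_frame(OTHER, SERVER, 7000, 0x18, b"not this session\r\n"),   # unrelated connection
    build_frame(CLIENT, SERVER, 1010, 0x18, b"exit\r\n"),              # arrives out of order
    build_frame(CLIENT, SERVER, 1005, 0x18, b"who\r\n"),
    build_frame(CLIENT, SERVER, 1005, 0x18, b"who\r\n"),               # retransmission
    build_frame(SERVER, CLIENT, 5014, 0x18, b"root     ttyp0\r\n"),
])

if __name__ == "__main__":
    c2s, s2c = follow_session(SAMPLE_PCAP, CLIENT, SERVER)
    print("--- client -> server ---\n" + ascii_dump(c2s))
    print("--- server -> client ---\n" + ascii_dump(s2c))
```

To use it on a real file, replace SAMPLE_PCAP with the bytes of the `tcpdump -w` output and pass the intruder's source address and port and the victim service as the two tuples (the `tcpdump -r` listing gives those). On a real telnet session the client-to-server half is the keystrokes, the server-to-client half is what the intruder saw, and the option-negotiation bytes at the start of the stream come out as dots.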


