Security Incidents mailing list archives

Re: RedHat compromise


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Tue, 20 Feb 2001 12:28:56 -0800

No IP addresses are reflected in /var/log/messages nor
/var/log/secure, and I am unable to determine from where the attack
came, but date/time stamp on the files shows it occurred on Feb 19,
at 05:05 localtime.  How can I find where it came from?

Start digging:

        http://staff.washington.edu/dittrich/misc/forensics/

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

