Security Incidents mailing list archives

Re: info


From: "W.G. Iyer" <guhan777 () yahoo com>
Date: Fri, 3 May 2002 17:27:17 -0700 (PDT)


I would like some opinions, advice, or info on:
- Is there any way to view records? Webmin has a 'last logon' option, but now that /var/log has been blown away, it's not working right.

The nature of the attack, i.e. the box is r00ted, indicates that you cannot trust any of the information you find with any certainty. With that said, you can check your /etc/syslog.conf file to see if there are any log files in a directory other than /var/log. You can also check services like Apache (httpd.conf) to see if they logged to a directory other than /var/log.

- Any other recommendations? I'm pretty proficient in Linux, but this is the first time I've run into a hacked box. From my past reading, I know the steps are to try and recover any data not malformed and reinstall. Any other pointers?

If your attacker was sloppy, you may find useful information in the users' history files, .bash_history, especially those of users with uid 0.

If the hacked machine was behind a packet filter, or there is a sniffer on the line anywhere between the hacked box and the net that you have access to, you can check those logs as well.

Best of luck, 
Guhan
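The checks this reply suggests (syslog.conf destinations outside /var/log, Apache log directives, and the history files of uid-0 accounts), as an added shell example that is not part of the original message. The syslog.conf, httpd.conf and passwd snippets it parses are constructed samples; on a real case you would point the functions at the files from the compromised disk.

```shell
# Added example, not from the original post: list the log destinations the reply
# says to look for, plus the home directories whose .bash_history is worth reading.
set -eu

# syslog.conf: "selector  action"; a file action starts with "/" ("-/" = no fsync).
# Prints file actions outside /var/log, skipping device nodes such as /dev/console.
syslog_paths_outside_varlog() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 {
        a = $NF; sub(/^-/, "", a)
        if (a ~ /^\// && a !~ /^\/var\/log\// && a !~ /^\/dev\//) print a
    }'
}

# httpd.conf: ErrorLog/CustomLog/TransferLog name the file first; relative paths
# are resolved against ServerRoot, and "|cmd" means a piped logger, not a file.
apache_log_paths_outside_varlog() {
    awk '/^[[:space:]]*#/ { next }
        tolower($1) == "serverroot" { root = $2; gsub(/"/, "", root) }
        tolower($1) ~ /^(errorlog|customlog|transferlog)$/ {
            p = $2; gsub(/"/, "", p)
            if (p ~ /^\|/) next
            if (p !~ /^\//) p = root "/" p
            if (p !~ /^\/var\/log\//) print p
        }' "$1"
}

# passwd: home directory of every account with uid 0 (not only "root")
uid0_homes() {
    awk -F: '$3 == 0 { print $6 }' "$1"
}

# Constructed sample inputs so the script runs offline (real files: /etc/syslog.conf,
# the server's httpd.conf and /etc/passwd, read from the compromised disk)
WORK=$(mktemp -d)
cat > "$WORK/syslog.conf" <<'EOF'
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
*.*                              -/srv/logs/all.log
kern.*                           /dev/console
EOF
cat > "$WORK/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
ErrorLog logs/error_log
CustomLog "/var/log/httpd/access_log" combined
CustomLog "|/usr/sbin/rotatelogs /srv/logs/web.%Y 86400" common
EOF
printf 'root:x:0:0::/root:/bin/bash\ntoor:x:0:0::/home/toor:/bin/sh\nbob:x:1000:1000::/home/bob:/bin/bash\n' > "$WORK/passwd"
syslog_paths_outside_varlog "$WORK/syslog.conf"     # /srv/logs/all.log
apache_log_paths_outside_varlog "$WORK/httpd.conf"  # /etc/httpd/logs/error_log
uid0_homes "$WORK/passwd"                           # /root and /home/toor
```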



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

