On Monday 05 February 2007 16:02, Marc Haber wrote:
> On Mon, Feb 05, 2007 at 03:34:54PM +0000, Bob Hutchinson wrote:
> > !/var/log/messages(.[0-9])?(.gz)?
> > !/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?
> > !/var/log/kern.log(.[0-9])?(.gz)?
>
> So your attacker places her root kit in
> /var/log/messages.9999999999999 and you won't notice.
you got me bang to rights guvnor!

did (as root)

touch /var/log/messages.9999999999999
/etc/cron.hourly/aide

nada ;-(

mind you, I would not be able to create a file in /var/log as anybody
other than root. tried

su www-data
touch /var/log/messages.8888888888
touch: cannot touch `/var/log/messages.8888888888': Permission denied

but /tmp would be another matter.

In practice I have found that setting wget and curl to chmod 700 has
stopped several attempts, reported in logcheck, and I have been able to
identify which customer's leaky script was responsible for the
unsuccessful attempt to wget something into /tmp. This could also be done
in iptables by denying http fetch, but I do (as root) fetch stuff such as
clamav and there is apt-get to consider as well.

Ideally /tmp should have its own partition and be set to noexec in
/etc/fstab, and *BSD boxes are, but in practice most of the boxes I tend
were not set up by me and I have to work with what I find.

anyway, so how to improve?

assuming (for the sake of argument)

messages
messages.0
messages.1.gz

etc up to a possible max of messages.59.gz

ideas welcome.

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------

_______________________________________________
Aide mailing list
Aide@cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
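As an added example (not from the thread or from AIDE itself), a small Python model of why the quoted negative rules miss Marc's file: an AIDE rule regex is implicitly anchored at the start of the path but not at the end, so `!/var/log/messages(.[0-9])?(.gz)?` excludes everything that merely begins with `/var/log/messages`. The tightened rules (dots escaped, rotation index capped at two digits to match the stated messages.59.gz maximum, `$` appended) are an assumed improvement, and `excluded_by` is a simplified stand-in for AIDE's matching, not its real code.

```python
import re

# The three negative (!) rules as quoted in the thread, used as-is.
ORIGINAL_RULES = [
    r"/var/log/messages(.[0-9])?(.gz)?",
    r"/var/log/mail.(log|error|info|warn)(.[0-9])?(.gz)?",
    r"/var/log/kern.log(.[0-9])?(.gz)?",
]

# Assumed tightened rules: dots escaped, rotation index limited to 1-2 digits
# (the stated maximum is messages.59.gz), and `$` added so the regex must
# consume the whole path rather than only a prefix of it.
TIGHTENED_RULES = [
    r"/var/log/messages(\.[0-9]{1,2})?(\.gz)?$",
    r"/var/log/mail\.(log|error|info|warn)(\.[0-9]{1,2})?(\.gz)?$",
    r"/var/log/kern\.log(\.[0-9]{1,2})?(\.gz)?$",
]

def excluded_by(rules, path):
    """Simplified model of an AIDE negative rule: the regex is implicitly
    anchored at the start of the path (re.match) but NOT at the end unless
    the rule itself ends in `$`. Returns the first excluding rule or None."""
    for rule in rules:
        if re.match(rule, path):
            return rule
    return None

SAMPLE_PATHS = [                         # constructed sample paths
    "/var/log/messages",
    "/var/log/messages.0",
    "/var/log/messages.1.gz",
    "/var/log/messages.59.gz",
    "/var/log/messages.100.gz",          # beyond the rotation range
    "/var/log/messages.9999999999999",   # Marc's hypothetical file name
    "/var/log/messagesXYZ/evil.so",      # anything sharing the prefix
    "/var/log/kern.log.2.gz",
    "/var/log/mail.err",                 # not in log|error|info|warn
]

def compare(paths=SAMPLE_PATHS):
    """Return {path: (excluded by original rules, excluded by tightened rules)}."""
    return {p: (excluded_by(ORIGINAL_RULES, p) is not None,
                excluded_by(TIGHTENED_RULES, p) is not None)
            for p in paths}

if __name__ == "__main__":
    for path, (orig, tight) in compare().items():
        print(f"{path:36} original:{orig!s:6} tightened:{tight}")
```

Paths the original rules silently drop from the check but the tightened rules keep show up as `(True, False)`.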