John,
Ran chkrootkit - had a lot of warnings about one application in
particular - Eclipse. Otherwise clean.
I guess Eclipse is just a messy programme.
Simono
On Tue, 2010-10-19 at 00:19 +0100, John Cooper wrote:
> On 18/10/10 22:38, Ralph Corderoy wrote:
> >
> > Hi John,
> >
> >>>> Which type of hacker represents the highest risk to your network?
> >>>>
> >>>> A. Disgruntled employee
> >>>> B. Black-hat hacker
> >>>> C. Grey-Hat hacker
> >>>> D. Script kiddies
> >>
> >> All 4 do define their ability. A kiddie with Black-hat skills is a
> >> Black hat. There is one correct answer.
> >
> > OK, I'll bite. :-) I'd say A, since they often exist and they've easy
> > access to "private" systems.
> >
> > Two cases I can think of off the top of my head. A sys. admin. employee
> > was cracking encrypted passwords, fair enough, helps highlight poor
> > passwords. I could tell he was since some machines were slow and he
> > didn't hide it, e.g. argv[0]. After he left, disgruntledly, he guessed
> > that some of those users may use the same, non-trivial but crackable,
> > passwords on rented machines on the Internet and from there got access
> > to a database he wanted to examine.
> >
> > The other one is an intern at a company, bright enough, learning his way
> > around Unix, decided to create, e.g. /tmp/{ls,sl} for those with a PATH
> > that looks in the current working directory, just to gain that user's ID
> > for a bit of fun with his colleagues. Completely non-malicious, I'm
> > sure. The scripts were found, their existence went upwards and across
> > to personnel and he was escorted off site. Unfortunate since the
> > company was helping fund his way through university. (Yes, perhaps the
> > company could have handled it better, but people cover their backsides.)
> >
> > I've only experienced any of the others once. Someone used a flaw in an
> > old Red Hat system that was still on the net. It should have been
> > updated and wasn't. That got him a root shell prompt, but I suspect he
> > was a script kiddie because he did little of note other than pull down a
> > rootkit and fail to cover his tracks. (I was watching his actions by
> > then since it broke the system in an odd way.) He removed .bash_history
> > and then logged out. He should have known .bash_history is written on
> > exit and done `kill -9 $$'. :-)
> >
> > Cheers,
> > Ralph.
> >
> >
>
> Correct! The book says A. and I agree. It is far easier to hack a system
> when you already work there!
>
> The writing of the bash history after you have logged out was a clever
> move and well worth knowing (a colleague told me that in 2005 and
> something I check).
>
> I've only had my website hacked once and that was due to an old version
> of Moodle which I'd forgotten about. It was a kiddie scripter as all they
> did was modify the index.html with "hacked by ..". I restored a backup
> anyway.
>
> My home system was potentially hacked into recently. rkhunter said
> everything was fine but chkrootkit picked up a modified init. I couldn't
> find any other files associated with the trojan but Bitdefender for
> Unices found a couple of malware. I had someone using a proxy to access
> one of my websites whose DNS name was "." and therefore could not find
> the IP address in the logs. I'm sure by me just going to some of the
> proxies to find their IP addresses introduced the malware and probably
> lured an attack.
>
> My advice:
>
> 1. Don't use anon proxies, especially from a Windows box.
> 2. Run chkrootkit and rkhunter.
> 3. Run a virus checker like Bitdefender for Unices (free for
> non-commercial use).
> 4. Install denyhosts and fail2ban if you are connected to the internet
> for SSH, HTTP, etc.
> 5. Install OSSEC. This monitors file changes and logs, very useful, and
> would have picked up the init change.
>
> John.
>
--
Next meeting: Crown Hotel, Blandford Forum, Tuesday 2010-11-02 20:00
Meets, Mailing list, IRC, LinkedIn, ... http://dorset.lug.org.uk/
How to Report Bugs Effectively: http://goo.gl/4Xue
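The PATH trap Ralph describes (a planted /tmp/ls or /tmp/sl picked up by a PATH that searches the current directory) can be audited from the defender's side. The script below is an added example, not code from anyone in the thread; it takes a PATH string as its argument and flags the entries that would let such a file shadow a real command, including world-writable directories like /tmp.

```shell
# Added example, not from the thread: audit a PATH string for entries that
# let a planted /tmp/ls or /tmp/sl (as in the intern story) shadow the real
# command. Usage: path_risky_entries "$PATH"
# Prints one "<reason>:<entry>" line per finding; prints nothing if the
# PATH looks safe.
path_risky_entries() {
    _p=$1
    # A leading, trailing or doubled ':' is an empty entry, which the shell
    # treats as the current directory.
    case "$_p" in
        :*|*:|*::*) echo "empty-entry-means-cwd:" ;;
    esac
    _old_ifs=$IFS
    IFS=:
    for _d in $_p; do
        case "$_d" in
            "")  ;;                          # reported above
            .)   echo "cwd:$_d" ;;           # explicit current directory
            /*)
                # Absolute entry: anyone may plant a binary in a
                # world-writable directory, so flag it (find -prune keeps
                # the check to the directory itself, not its contents).
                if [ -d "$_d" ] && [ -n "$(find "$_d" -prune -perm -002 2>/dev/null)" ]; then
                    echo "world-writable:$_d"
                fi ;;
            *)   echo "relative:$_d" ;;      # resolved against cwd, same trap
        esac
    done
    IFS=$_old_ifs
}

# Convenience wrapper: exit status 0 if the PATH is clean, 1 otherwise.
path_is_clean() {
    [ -z "$(path_risky_entries "$1")" ]
}
```

Run it against the PATH of any shell that users or cron jobs start with; a hit on `cwd`, `relative` or `empty-entry-means-cwd` is exactly the condition the /tmp/ls trick needs.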