Nice idea, but if the person roots your box, they can get access to all the
keylogger information. Specifically, usernames and passwords will be in those
logs.
Sol wrote:
> On Thu, 14 Oct 1999, Mr. Sharkey wrote:
>
> > I'm running a mixed site of Linux and Solaris machines. What I'd like
> > is some sort of keystroke logger that could have its output piped to
> > a remote loghost (if someone does get in, I'd like to know what they
> > did / how they did it).
>
> Now there is a nifty idea! The dude breaks in and gets root, wanders
> around doing things then realizes his keys have been captured and he can't
> zap the logs without establishing a second front... ow! Especially for
> busting purposes. Diddling logs is vital for your health, I would expect
> people to do it.
>
> But! Why not go further and have an active
> sniffer box even? Which logs specific traffic and lives on another
> machine than the one monitored? This is more elegant... use the linux box
> for the sniffer...
>
> For hacking in a key-capture, why not just do it like hackers have done
> since the dawn of telnet and just make some modifications to getty, login
> etc. code?
>
> This could be easily done of course but you'd probably want
> to replace some gettys and stuff, I have seen similar stuff around but it
> behaves differently... really it only takes 5 minutes, just find the
> stream that's flowing thru the sock (or stdin/stdout for stuff like login)
> and if it's a char, you know, maybe write that to a little buffer, and
> only submit the result to a syslogd when CR is received... that sounds
> fairly good...
>
> > Trouble is, as much as I've searched, all I can find are utilities for
> > Dos/Windows. Has anyone run across such a beast? I did find TTY-watcher
> > from engarde.com, but I doubt I'll ever get it to compile.
>
> Was this for LINUX?
>
> [EMAIL PROTECTED]
> http://web.zencor.org/~sol
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
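Added example, not part of either message in this thread: a sketch of the buffer-until-CR design described in the quoted reply, with the credential concern from the top of this message handled by dropping anything typed while terminal echo was off. The event format `(char, echo_on)`, the `forward` helper, the `session-audit` logger name and the sample session are assumptions made for illustration.

```python
import logging
import logging.handlers

REDACTED = "<input hidden: echo off>"

def assemble_lines(events):
    """Turn (char, echo_on) events into audit records, one per CR/LF.

    Input typed while echo was disabled (password prompts) is replaced
    by a placeholder, so the secret is never buffered or forwarded.
    """
    records, buf, hidden = [], [], False
    for ch, echo_on in events:
        if ch in ("\r", "\n"):
            if hidden:
                records.append(REDACTED)
            elif buf:
                records.append("".join(buf))
            buf, hidden = [], False
        elif not echo_on:
            hidden = True              # discard the character itself
        elif ch in ("\x7f", "\b"):
            if buf:
                buf.pop()              # apply backspace to the buffered line
        elif ch.isprintable():
            buf.append(ch)
    return records

def forward(records, loghost, port=514):
    """Send records to a remote syslog host over UDP (loghost is an assumption)."""
    handler = logging.handlers.SysLogHandler(address=(loghost, port))
    log = logging.getLogger("session-audit")
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    for rec in records:
        log.info("tty-audit: %s", rec)
    log.removeHandler(handler)
    handler.close()

def _typed(text, echo_on=True):
    return [(c, echo_on) for c in text]

# Constructed sample session: a command, a no-echo password, a corrected typo.
SAMPLE = (_typed("su -\r")
          + _typed("hunter2\r", echo_on=False)
          + _typed("cat /etc/passwx\x7fd\r\n"))

if __name__ == "__main__":
    for line in assemble_lines(SAMPLE):
        print(line)
```

Secrets typed with echo on, such as a password given as a command-line argument, still reach the log, so the loghost needs the same access controls as any credential store.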