Get Juggernaut: a session hijacking and recording tool, with keystroke watching and manipulation.
Matt
----- Original Message -----
From: Bennett Samowich <[EMAIL PROTECTED]>
To: Mr. Sharkey <[EMAIL PROTECTED]>
Cc: 'The Firewalls List' <[EMAIL PROTECTED]>
Sent: Friday, October 15, 1999 11:37 AM
Subject: Re: Keylogger question
> Greetings,
>
> The initial trouble is that key loggers work from a console or a terminal
> device (at least the ones that I have seen). When someone is attacking
> your host, generally they are doing so from across the network. Since
> there is no tty device until the connection is made, the key logger has to
> be spawned from the login shell or be integrated into the shell itself.
>
> The next problem is that when your host is being attacked, it is seldom
> that they break into a "normal" login shell. Instead they wind up in the
> user space of the daemon that was broken. Think wu-ftp... when exploited,
> the attacker was left with an active blind shell. This means that commands
> they typed were executed but they couldn't see what they were typing.
>
> Your best bet (for what you requested) would be to set up some sort of
> network sniffer to capture all traffic in and out of the host in
> question. This will probably require a lot of disk space as well as be
> unproductive. You may wind up sifting through mounds of traffic just to
> find the one rogue packet... four months from now. Relying on a trigger to
> start the logger will probably only capture the packets after the initial
> compromising of your host.
>
> The better bet would be to keep whatever daemons you are running at their
> most current level and to implement a strong security policy which will
> include a sound firewall. You can log things like attempts to connect to
> services that you aren't running, malformed packets, etc. These things
> should help alert you to reconnaissance missions against your
> host. Also, don't forget to run integrity software on your servers (e.g.
> Tripwire) so that in the event of compromise, you can identify any modified
> files or directories.
>
> Just my 2 cents.
> - Bennett
>
>
> At 17:46 10/14/99 -0400, Mr. Sharkey wrote:
>
> >Hi,
> >
> >I'm running a mixed site of Linux and Solaris machines. What I'd like
> >is some sort of keystroke logger that could have its output piped to
> >a remote loghost (if someone does get in, I'd like to know what they
> >did / how they did it).
> >
> >Trouble is, as much as I've searched, all I can find are utilities for
> >Dos/Windows. Has anyone run across such a beast? I did find TTY-watcher
> >from engarde.com, but I doubt I'll ever get it to compile.
> >
> >
> >Any help would be appreciated.
> >
> >Thanks,
> >
> >
> >M.
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
>
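Bennett's last suggestion (Tripwire-style integrity checking, so that after a break-in you can tell which files were touched) is the one piece of the thread that can be shown in working code. The following is an added example written for this archive; it is not code from the thread, from Tripwire, or from any tool the posters mention. It builds a baseline of SHA-256 hashes, sizes and permission bits for a directory tree, then compares a fresh walk against that baseline and reports added, removed and modified files. The directory layout (bin/login, var/log/messages) and the "intruder" changes in demo() are constructed inside a temporary directory purely to exercise the checker; nothing here reads the real system.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Hash a file's contents and record the metadata an intruder typically alters."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "setuid": bool(st.st_mode & stat.S_ISUID),
    }


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular file; symlinks are recorded, not followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                baseline[rel] = {"symlink": os.readlink(p)}
            elif p.is_file():
                baseline[rel] = file_fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that were added, removed or modified, and which fields changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            old, new = baseline[rel], current[rel]
            report["modified"][rel] = {
                k: (old.get(k), new.get(k))
                for k in set(old) | set(new)
                if old.get(k) != new.get(k)
            }
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake filesystem, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        # Constructed sample files standing in for a login binary and a syslog file.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /bin/real-login \"$@\"\n")
        (root / "var" / "log" / "messages").write_text("Oct 15 11:37 host sshd: session opened\n")
        baseline = build_baseline(root)

        # Simulated intruder activity: trojaned login, dropped setuid shell, wiped log.
        (root / "bin" / "login").write_bytes(
            b"#!/bin/sh\nlogger -t x \"$1 $2\"; exec /bin/real-login \"$@\"\n")
        (root / "bin" / ".sh").write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(root / "bin" / ".sh", 0o4755)
        (root / "var" / "log" / "messages").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as where it is kept: an intruder with root on the host can regenerate it along with the files, so store it off-host or on read-only media, which is the same reasoning behind shipping logs to a remote loghost in the original question.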