On Sun, 16 Sep 2001, Vinu Moses spewed into the ether:
> Hi Devdas,
> I couldn't understand why you'd want netcat installed on the suspected 
> cracked box. Is it to sniff for any subsequent cracker activity on the 
> (suspected) compromised box?
Nope, nc is to transfer the data with as little change as possible.
Ideally, you would use trinux, but quite a bit of data is in RAM which
you don't want to lose..

> > Reboot the suspect machine with a boot CD, and use rpm to
> > verify that the md5sums of the binaries are correct. If *all* software
> > is correct, then you don't have a problem.
> 
> Correct me if I'm wrong.... rpm when verifying a file uses information about 
> files stored in the rpm database on the linux box. So, unless the user had 
> already made another copy of that database on a floppy or cd, he could still 
> be having trojans on his system since a good cracker could possibly modify 
> the rpm database also.
If you notice, I did mention that you are rebooting off a boot CD. The
database is on the CD itself.

> > A good suggestion I have seen for this
> > was to send syslog to a non existent machine and have another machine
> > in promisc mode sniffing all the traffic to the syslog machine.
> 
> Sounds interesting...... will have to try it out. Can you give me any more 
> info on this?
That's all that you need to do.
On the machine sending logs:
*.*                             @192.168.1.2

in syslog.conf

On the logging machine
#/sbin/ifconfig eth0 0.0.0.0 up promisc

Your logging machine is on the network without an IP, and recording
everything.

Devdas Bhagat
--
...difference of opinion is advantageous in religion.  The several sects
perform the office of a common censor morum over each other.  Is uniformity
attainable?  Millions of innocent men, women, and children, since the
introduction of Christianity, have been burnt, tortured, fined, imprisoned;
yet we have not advanced one inch towards uniformity.
- Thomas Jefferson, "Notes on Virginia"
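The integrity check Devdas describes above (boot from read-only media, compare the on-disk binaries against checksums that the intruder could not have touched) can be done without rpm at all. The following is an added example, not code from the post or the list: it builds an md5 manifest of a file tree, stores it where a CD copy would go, and later reports modified, missing and added files. The directory layout, file contents and the "tampering" steps in demo_scenario are constructed for illustration; md5 is used only to match the post, a modern baseline would use sha256.

```python
import hashlib
import os
import tempfile


def md5_file(path):
    """Hex md5 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.md5()  # md5 to mirror the list post; sha256 is the better choice today
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> md5 for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = md5_file(full)
    return manifest


def write_manifest(manifest, path):
    """Write 'md5  relative/path' lines, the same layout md5sum -c understands."""
    with open(path, "w") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Read the manifest back from read-only media (or wherever it was kept)."""
    manifest = {}
    with open(path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_tree(root, manifest):
    """Compare the tree under root with a trusted manifest.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}, each sorted.
    'added' matters too: a rootkit usually drops new files, not only replaced ones.
    """
    current = build_manifest(root)
    findings = {"modified": [], "missing": [], "added": []}
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            findings["added"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo_scenario():
    """Constructed scenario: a clean tree, a manifest saved off-box, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "suspect_root")  # stands in for the mounted suspect disk
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"),
                           ("bin/netstat", b"netstat v1")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        manifest_path = os.path.join(tmp, "manifest.md5")  # stands in for the CD copy
        write_manifest(build_manifest(root), manifest_path)
        # Simulated tampering: one binary replaced, one removed, one unknown file dropped in
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"ps replaced")
        os.remove(os.path.join(root, "bin/netstat"))
        with open(os.path.join(root, "bin/unknown-binary"), "wb") as fh:
            fh.write(b"not in baseline")
        return verify_tree(root, read_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo_scenario().items():
        print(f"{kind}: {paths}")
```

Against a real box, mount the suspect filesystem read-only under a separate mount point and pass that mount point as root, so os.walk never enters /proc or /sys and nothing on the suspect disk is executed or changed while it is checked.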

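The syslog trick above (send logs to an address nobody answers, sniff them on an interface that has no IP) needs a passive collector on the logging machine. The following is an added example and not code from the post: it parses Ethernet/IPv4/UDP frames, keeps only datagrams to UDP port 514, splits the syslog priority into facility and severity, and appends the result to a file. The interface name eth0, the addresses and the log line in the test are constructed; the capture loop assumes Linux (AF_PACKET) and root. One practical caveat: on a shared LAN the sender must be able to resolve the fake address to a MAC or the datagram never leaves the sender, so either add a static ARP entry for it on the sending host or make the fake address one that is routed via a gateway.

```python
import socket
import struct
import sys

SYSLOG_PORT = 514
ETH_P_ALL = 0x0003      # capture every protocol, Linux AF_PACKET
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header):
    """Standard ones-complement sum; a header with a valid checksum folds to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def split_pri(payload):
    """Strip the leading <PRI> from a BSD syslog message; returns (pri or None, rest)."""
    if payload.startswith(b"<"):
        end = payload.find(b">", 1, 5)
        if end > 1 and payload[1:end].isdigit():
            return int(payload[1:end]), payload[end + 1:]
    return None, payload


def parse_syslog_frame(frame):
    """Return a record dict for a UDP/514 datagram in an Ethernet frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or len(ip) < total_len or ip[9] != IPPROTO_UDP:
        return None
    if ip_checksum(ip[:ihl]) != 0:
        return None  # corrupt header: do not trust anything in it
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT:
        return None
    pri, message = split_pri(udp[8:ulen])
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "pri": pri,
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "message": message.decode("utf-8", errors="replace"),
    }


def build_syslog_frame(src_ip, dst_ip, payload, sport=SYSLOG_PORT, dport=SYSLOG_PORT):
    """Construct an Ethernet/IPv4/UDP frame carrying payload (used for offline testing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


def capture(iface, out_path):
    """Record every syslog datagram seen on iface (needs root; iface up, no IP needed)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    with open(out_path, "ab") as out:
        while True:
            rec = parse_syslog_frame(sock.recv(65535))
            if rec is not None:
                out.write(f"{rec['src']} {rec['facility']}.{rec['severity']} "
                          f"{rec['message']}\n".encode())
                out.flush()


if __name__ == "__main__":
    # Usage: python3 this.py eth0 /var/log/remote-syslog.txt   (assumed interface and path)
    capture(sys.argv[1] if len(sys.argv) > 1 else "eth0",
            sys.argv[2] if len(sys.argv) > 2 else "remote-syslog.txt")
```

Because the collector has no IP and never transmits, an intruder on the logged host sees only a syslog destination that does not respond; keep the capture file on the collector, not on any machine the suspect box can reach.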
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
