On Fri, 02 Jan 2009 18:05:28 +0100 "fso...@systea.net" <fso...@systea.net> wrote:

> I'm not sure what to think...

If you don't get hardening, auditing and related tools in place *before* the (perceived) breach of security (and if those tools can be subverted), then what level of trust remains? That's why some people suggest doing an autopsy. Granted, it won't work if you can't access a dead colo machine, but booting a Live CD or other external media with "trusted" tools is a good basis to start from.

As John stated, the FAQ has more details, the first port of call being CERT's Intruder Detection Checklist at http://www.cert.org/tech_tips/intruder_detection_checklist.html. And like the previously posted docs suggest, if the Sebek client is remote logging, you should also be able to find anomalous network traffic.

If nothing is fixing things, I'd like more details, but that probably requires you to act or have something in place that gathers details as things happen.

Regards,
unSpawn
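An added illustration, not part of the thread, of the "trusted tools from external media against a baseline recorded beforehand" idea above: a Python check that hashes files on a suspect root (assumed mounted read-only at a path you supply, e.g. from a Live CD) and compares them with a sha256sum-style manifest created before the incident. The `demo()` function builds a constructed temporary tree with one tampered and one missing file so it runs offline.

```python
"""Offline integrity check of a suspect filesystem against a baseline manifest.

Meant to run from trusted external media with the suspect root mounted
read-only; the manifest is the kind of record you keep *off-box* before
an incident, so a subverted host cannot rewrite it.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256  relative/path' lines (the sha256sum output format)."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        baseline[rel.strip()] = digest.lower()
    return baseline


def verify_tree(mount_root, baseline):
    """Compare every manifest entry against the mounted suspect root."""
    findings = {"modified": [], "missing": [], "ok": []}
    for rel, expected in sorted(baseline.items()):
        path = os.path.join(mount_root, rel)
        if not os.path.isfile(path):
            findings["missing"].append(rel)      # deleted or renamed binary
        elif sha256_of(path) != expected:
            findings["modified"].append(rel)     # replaced/trojaned binary
        else:
            findings["ok"].append(rel)
    return findings


def demo():
    """Constructed scenario: fake root with one tampered and one missing file."""
    root = tempfile.mkdtemp()
    files = {"bin/ls": b"ls-original", "bin/ps": b"ps-original", "sbin/sshd": b"sshd-original"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items())
    manifest += "\n" + hashlib.sha256(b"netstat-original").hexdigest() + "  bin/netstat"
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"ps-trojaned")  # simulate a replaced binary on the suspect box
    return verify_tree(root, parse_manifest(manifest))
```

Because the hashing runs under the Live CD's own kernel and tools, a rootkit loaded in the suspect system cannot hide the changes from this comparison, which is the point of doing the autopsy from external media.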