While doing some normal system maintenance on a box of mine that primarily
runs snort as an IDS, I ran chkrootkit, which ran cleanly, reporting nothing
out of the ordinary. Normally this is a good thing, but then I got to
thinking that if I am running snort, then I am in promiscuous mode and
Check out psad, which is similar to what you want (and I use it)...
You can see psad at http://www.cipherdyne.com/psad/, which is somehow related to
Bastille Linux http://www.bastille-linux.org/. Or just apt-get install psad.
--jordan
On Mon, Jun 30, 2003 at 06:38:33PM -0400,
Robert,
The only way to truly recover from a break-in is to fully restore the system
from a trusted medium. That being said, here's what your script does:
1) Hide its name in the process table as '/usr/sbin/nscd ' (100 spaces).
2) Bind to UDP port 1337 in
Tim,
If I were in your shoes, the first thing I'd do is set up a small honeypot
with a similar configuration to your other machines. Run the same services
as you have running on your other woody boxen, but just don't use it for
anything. This way it will appear like 'just another one'
Were you using nmap's -O flag? If so, try w/o it.
--jordan
On Thursday 10 April 2003 1:33 pm, danilo lujambio wrote:
Hi;
I have experienced a strange situation on one of the servers.
It runs debian woody (kernel bf24).
When I scanned this server with nmap,
At first glance, it looks perfectly normal. You just
seem to have installed some sort of intruder monitor/IDS and
you'll see things like this for a while until you establish
a good working baseline.
--jordan
On 29 Mar 2003, Cau de Alencar wrote:
The syslog entries below