On Tue, 2008-08-26 at 23:10 +0100, Adam Hardy wrote:
> All the hacker needs to do, before rooting the system, is to run my cronjobs
> and
> save the output, and then change the cronjobs to email me these 'all clear'
> reports instead. The reports don't even have dates or times that require
> u
2008/8/27 Eduardo M KALINOWSKI <[EMAIL PROTECTED]>:
> What I could recommend is to run only the necessary services, and if
> possible restrict the IPs allowed to connect to them, keep the system
> updated with security fixes, make frequent backups, and other obvious
> things that we all already kno
Sam Kuper wrote:
> 2) Assuming your server is hosted with VPSVille, Slicehost or some
> other hosting company that doesn't give you physical access but does
> have a facility for reinstalling your OS on demand, you could, in the
> following order:
>
> - Back up your data from it locally;
> - Prepar
2008/8/26 Adam Hardy <[EMAIL PROTECTED]>:
> The more I think about it, the more I believe some sharp hacker out there
> could easily have fooled me for months.
>
> Any suggestions now?
1) Be slightly less paranoid :)
2) Assuming your server is hosted with VPSVille, Slicehost or some
other hosting
Eduardo M KALINOWSKI on 26/08/08 13:45, wrote:
Adam Hardy wrote:
After-the-attack identification of a rootkit attack, it seems, can
always be compromised if there is no safe read-only hash or encryption
of the known-good system binaries.
Unfortunately, I think that if you do not have physi
Adam Hardy wrote:
After the attack, I quickly realized that I have no definitive way of
deciding if my system was rooted or not, and so I installed rkhunter.
This provides a simple hash-based mechanism to create an image of the
clean system (although I can't actually do that with the Etch ve
Osamu Aoki on 25/08/08 16:41, wrote:
Hi,
On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
Adam Hardy on 13/08/08 10:27, wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <[EMAIL PROTECTED]>
wrote:
The question is, what do I replace chkrootkit with
Osamu Aoki on 25/08/08 16:41, wrote:
On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
Adam Hardy on 13/08/08 10:27, wrote:
apt-cache show tripwire Description: file and directory integrity
checker Tripwire is a tool that aids system administrators and users
in monitoring a designated
Hi,
On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
> Adam Hardy on 13/08/08 10:27, wrote:
>> Martin on 12/08/08 16:34, wrote:
>>> On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <[EMAIL PROTECTED]>
>>> wrote:
The question is, what do I replace chkrootkit with, especially if stuff
>>>
Adam Hardy on 13/08/08 10:27, wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <[EMAIL PROTECTED]>
wrote:
The question is, what do I replace chkrootkit with, especially if stuff
like rkhunter's not much better?
tripwire maybe?
apt-cache show tripwire Descri
Adam Hardy wrote:
David Barrett on 13/08/08 20:22, wrote:
Adam Hardy wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy
<[EMAIL PROTECTED]> wrote:
The question is, what do I replace chkrootkit with, especially if
stuff like
rkhunter's not much better?
[snip]
David Barrett on 13/08/08 20:22, wrote:
Adam Hardy wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy
<[EMAIL PROTECTED]> wrote:
The question is, what do I replace chkrootkit with, especially if
stuff like
rkhunter's not much better?
[snip]
One script I use
Adam Hardy wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy
<[EMAIL PROTECTED]> wrote:
The question is, what do I replace chkrootkit with, especially if
stuff like
rkhunter's not much better?
tripwire maybe?
apt-cache show tripwire
Description: file and di
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <[EMAIL PROTECTED]> wrote:
The question is, what do I replace chkrootkit with, especially if stuff like
rkhunter's not much better?
tripwire maybe?
apt-cache show tripwire
Description: file and directory integrity ch
Hi,
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <[EMAIL PROTECTED]> wrote:
> The question is, what do I replace chkrootkit with, especially if stuff like
> rkhunter's not much better?
tripwire maybe?
apt-cache show tripwire
Description: file and directory integrity checker
Tripwire is a tool th
s. keeling on 06/08/08 03:55, wrote:
Joey Hess <[EMAIL PROTECTED]>:
Thomas Preud'homme wrote:
I don't think it's that important. chkrootkit seems a little hazardous
since there was a bug about chkrootkit killing a random process (in
fact one of its test was sending a signal to process 12
On Mon, 2008-08-04 at 13:19 -0400, Joey Hess wrote:
> filtered != open
>
>Filtered means that a firewall, filter,
>or other network obstacle is blocking the port so that Nmap cannot
> tell whether
>it is open or closed. -- man nmap
I wish nmap would call "filtered" by a
On Mon, 2008-08-04 at 14:52 +0100, Adam Hardy wrote:
> Yes, you are right, and I have been too slack to get around to changing it. I
> am
> looking at installing tripwire (after a fresh install) to be able to check up
> what is going on after the fact.
If you have more than one machine, you mi
Joey Hess <[EMAIL PROTECTED]>:
>
> Thomas Preud'homme wrote:
> > I don't think it's that important. chkrootkit seems a little hazardous
> > since there was a bug about chkrootkit killing a random process (in
> > fact one of its test was sending a signal to process 12345, this bug
> > has
Adam Hardy wrote:
> Not shown: 65529 closed ports
> PORT      STATE SERVICE
> 22/tcp    open  ssh
> 25/tcp    open  smtp
> 80/tcp    open  http
> 443/tcp   open  https
> 3306/tcp  open  mysql
> 12121/tcp open  unknown
>
>
> But when I run nmap from my home machine to scan it remotely, I see these
Thomas Preud'homme wrote:
> I don't think it's that important. chkrootkit seems a little hazardous
> since there was a bug about chkrootkit killing a random process (in
> fact one of its test was sending a signal to process 12345, this bug
> has been corrected).
That anyone could code such a th
Adam Hardy on 04/08/08 14:50, wrote:
thveillon.debian on 04/08/08 13:48, wrote:
Adam Hardy on 03/08/08 14:13, wrote:
[...snip]
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which
Monday 04 August 2008, Adam Hardy wrote :
> thveillon.debian on 04/08/08 13:48, wrote:
> Adam Hardy on 03/08/08 14:13, wrote:
> >
> > [...snip]
> >
> I talked to the support at the hosting company and they looked
> at the system and said they couldn't see anything wrong with it
> >>>
Thomas Preud'homme on 04/08/08 13:39, wrote:
Monday 04 August 2008, Adam Hardy wrote :
Thomas Preud'homme on 04/08/08 11:48, wrote:
On Monday 4 August 2008, Adam Hardy wrote:
Adam Hardy on 03/08/08 14:13, wrote:
My webserver system is actually a UML slice of a system at
memset.co.uk and all i
thveillon.debian on 04/08/08 13:48, wrote:
Adam Hardy on 03/08/08 14:13, wrote:
[...snip]
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.
Is it worth re-
Adam Hardy on 03/08/08 14:13, wrote:
[...snip]
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.
Is it worth re-imaging my system and re-installing everythi
Monday 04 August 2008, Adam Hardy wrote :
> Thomas Preud'homme on 04/08/08 11:48, wrote:
> > On Monday 4 August 2008, Adam Hardy wrote:
> >> Adam Hardy on 03/08/08 14:13, wrote:
> >>> My webserver system is actually a UML slice of a system at
> >>> memset.co.uk and all it does is run Apache Tomcat
Thomas Preud'homme on 04/08/08 11:48, wrote:
On Monday 4 August 2008, Adam Hardy wrote:
Adam Hardy on 03/08/08 14:13, wrote:
My webserver system is actually a UML slice of a system at
memset.co.uk and all it does is run Apache Tomcat and sshd and the
stuff from memset - I thought it was pretty
On Monday 4 August 2008, Adam Hardy wrote:
> Adam Hardy on 03/08/08 14:13, wrote:
> > My webserver system is actually a UML slice of a system at
> > memset.co.uk and all it does is run Apache Tomcat and sshd and the
> > stuff from memset - I thought it was pretty safe until I came back
> > today an
Adam Hardy on 03/08/08 14:13, wrote:
My webserver system is actually a UML slice of a system at memset.co.uk
and all it does is run Apache Tomcat and sshd and the stuff from memset
- I thought it was pretty safe until I came back today and found my
nightly email report from chkrootkit said:
T
My webserver system is actually a UML slice of a system at memset.co.uk and all
it does is run Apache Tomcat and sshd and the stuff from memset - I thought it
was pretty safe until I came back today and found my nightly email report from
chkrootkit said:
The following suspicious files and dire