From the introduction to the list:

>When joining the list I ask you to briefly introduce yourself, to give
>an outline of your interest in intrusion detection systems. Whether
>you are developing an intrusion detection system, or a system
>administrator or student who is currently investigating or developing
>a system. Additionally you might want to express some personal ideas
>that you have about what you think an intrusion detection system
>ideally, should be.

Noah Fields <noah@concord.org> and I administer internet services and develop technology for a small non-profit educational research and development group located in Concord, Massachusetts, USA. Our work usually involves the use of technology in education. To learn more about the professional work of our group check out our web site at: http://www.concord.org

We recently have had several break-ins and are in the process of upgrading our security systems. I posted a message to comp.security.unix about a fake libc.so a cracker had installed into our anonymous ftp directory tree. It turns out that it contained login info sniffed from our ethernet. In my investigations I turned up a number of other sites compromised by the cracker(s).

A number of people responded to my post with very helpful messages. I asked about lists where discussions of security and break-ins are discussed and was pointed here and to Bugtraq. I plan to describe the attack in more detail, summarize suggestions, and describe our responses and post this back to the newsgroup. If useful I'll post it here also.

[Moderator's Note: I am sure many of the list's members would be interested in further information, so please do.]

We are running Linux 1.2.13 and are now using tcpwrapper to severely limit connections, and will be installing Tripwire to monitor changes in our system. I am looking for ways to collect and manage a number of different logs so that problems can be discovered more quickly and easily in the future.

--Stephen Bannasch
Director of Technology, Concord Consortium
37 Thoreau St., Concord, MA 01742, tel: 508 369 4367
stephen@concord.org, http://www.concord.org