Re: Signs of an Intruder

Mike Kienenberger (mkienenb@arsc.edu)
Wed, 11 Dec 96 11:09:40 -0900

On Thu, 5 Dec 1996, "BlackHeart" wrote:
> It would seem to me the most logical thing to do is to have a print log of
> all port connections, including the site it is coming from.  Sure, it is
> definitely possible that logs may be altered, but it's pretty hard to roll
> back the paper...

The only problem with this is that you're going to get data overkill.
And without computer readable media, there's no way to condense and
process that information in a reasonable amount of time.  Of course,
if you're only interested in logging events, that's probably a good solution
for you.

> Another interesting point that I've seen in this discussion is looking for
> attempted commands like "wiz" and "debug"... chances are, if someone is
> attempting these commands, they have either lived in a cave for the past
> decade or have no idea what they are doing... what version of sendmail
> actually contained the "wizard" backdoor?  I know that it was fixed on most
> systems as early as 1988, when the infamous worm used it as a method of
> security breach... but anyways, I digress... later.

Actually, it's much more likely that if those commands are used,
someone is running some sort of automated security scanner on your site.
It's a good way to catch the unskilled tool-using attackers.

Such an attack occurred at our site a few months ago.
---
Mike Kienenberger    Arctic Region Supercomputing Center
Systems Analyst      (907) 474-6842
mkienenb@arsc.edu    http://www.arsc.edu

"Yes, in 6.3 we finally gave in to the security demands of some of our
customers. It is a major pain in the neck" --Martin Knoblauch of Silicon
Graphics GmbH referring to the change requiring that xhost access be
explicitly enabled.
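The two points made above (machine-readable logs so the data can be condensed, and WIZ/DEBUG attempts as a signature of an automated scanner rather than a skilled attacker) combine naturally into a small log-reduction script. The following is an added example, not code from the original post or from ARSC. It assumes a hypothetical one-line-per-SMTP-command log format (`timestamp src=... cmd=... arg=...`); the sample lines, hosts and addresses are constructed for the example and use documentation address ranges.

```python
import re

# Constructed sample log in a hypothetical "one line per SMTP command" format.
# Two sources issue the old sendmail WIZ/DEBUG commands; one is ordinary mail.
SAMPLE_LOG = """\
1996-12-05T02:11:07 src=192.0.2.7 cmd=HELO arg=scanner.example
1996-12-05T02:11:07 src=192.0.2.7 cmd=WIZ arg=
1996-12-05T02:11:08 src=192.0.2.7 cmd=DEBUG arg=
1996-12-05T02:11:08 src=192.0.2.7 cmd=QUIT arg=
1996-12-05T08:30:44 src=198.51.100.23 cmd=HELO arg=mail.example.org
1996-12-05T08:30:44 src=198.51.100.23 cmd=MAIL arg=FROM:<a@example.org>
1996-12-05T08:30:45 src=198.51.100.23 cmd=RCPT arg=TO:<b@example.net>
1996-12-05T08:30:46 src=198.51.100.23 cmd=DATA arg=
1996-12-05T08:30:47 src=198.51.100.23 cmd=QUIT arg=
1996-12-05T13:02:10 src=203.0.113.9 cmd=HELO arg=x
1996-12-05T13:02:10 src=203.0.113.9 cmd=wiz arg=
1996-12-05T13:02:11 src=203.0.113.9 cmd=QUIT arg=
this line is not in the expected format
"""

# Hypothetical log line layout assumed by this example.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) cmd=(?P<cmd>\S+) arg=(?P<arg>.*)$'
)

# Commands that no legitimate mailer sends; seeing them means a probe.
PROBE_COMMANDS = {"WIZ", "DEBUG"}


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # SMTP verbs are case-insensitive, so normalise before matching.
    rec["cmd"] = rec["cmd"].upper()
    return rec


def summarize(log_text):
    """Condense the raw command stream to one record per source host.

    Returns {src: {"commands": n, "probes": [(ts, cmd), ...], "first_seen": ts}}.
    Malformed lines are skipped rather than aborting the run.
    """
    per_src = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = per_src.setdefault(
            rec["src"], {"commands": 0, "probes": [], "first_seen": rec["ts"]}
        )
        entry["commands"] += 1
        if rec["cmd"] in PROBE_COMMANDS:
            entry["probes"].append((rec["ts"], rec["cmd"]))
    return per_src


def suspected_scanners(summary):
    """Sources that issued at least one WIZ/DEBUG command, sorted for stable output."""
    return sorted(src for src, entry in summary.items() if entry["probes"])


def report(summary):
    """One line per source: the condensed view a paper log cannot give you."""
    lines = []
    for src in sorted(summary):
        entry = summary[src]
        probes = ",".join(cmd for _, cmd in entry["probes"]) or "-"
        lines.append(
            f"{src:<16} first={entry['first_seen']} "
            f"cmds={entry['commands']:<3} probes={probes}"
        )
    return lines


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for line in report(s):
        print(line)
    print("suspected scanners:", suspected_scanners(s))
```

Running it prints one line per source instead of one per connection, and lists the two hosts that sent WIZ or DEBUG. In practice you would feed it the real mail-server log and tune `LINE_RE` to that format; the point is that the reduction step is what makes the logging usable, which is exactly what a paper-only record lacks.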