On Sat, 3 Feb 2001 [EMAIL PROTECTED] wrote:

> Hi.
> I just realized that someone entered my debian box with
> cablemodem. I couldn't find anything in the logs, but the pump package was
> deleted.

If you've truly been cracked, of course you can't find anything in the logs. That's one of the first things a rootkit takes out. Then it takes out the tools to dissect additional logs.

What catches me weird about this is that the cracker basically nuked your connection: cable uses DHCP (pump) pretty regularly, so it'd be stupid for them to take out one of the things that kept your box up on the 'net. Basically, the cracker WANTS your box to be up and online as much as possible once they're in. I'd have a look at some more pedestrian reasons that pump was taken out first (like a bad sector on your disk or a bad $PATH)...

> I replaced inetd with xinetd, took off services I didn't use (it
> was left all default, as I installed in a rush), and now I'd like a good
> intrusion detection system.

snort works. ippl, portsentry are some good "pre-IDS"es...

> I'd like to hear any advice about not security (too wide)
> but tools to run in cron which may be useful for this kind of
> situation.

tripwire to make sure the disk image doesn't change, reinstallation of your computer (all of it: you have no idea what's been trojaned), cracklib to ensure that your passwords are hardened. Security isn't something you install on your computer, it's something you install in your sysadmin's mind (usually yourself on a singly owned computer).

> Thanks!

-- 
Artificial intelligence is no match for natural stupidity.
Who is John Galt? [EMAIL PROTECTED], that's who!
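The "tripwire from cron" advice above, as an added illustration that is not part of the original thread and not tripwire itself: a minimal tripwire-style integrity checker in POSIX sh. It assumes GNU/busybox `sha256sum`, `find`, `awk` and `mktemp` are available, that monitored paths contain no blanks or newlines, and that the baseline file is kept outside the tree it describes. The function names `fim_baseline` and `fim_check` are my own.

```shell
#!/bin/sh
# Tripwire-style file integrity check, meant to be run from cron.
# Added example, not code from the thread. Assumes GNU/busybox
# sha256sum, find, awk, mktemp; paths without blanks or newlines.

# Record one "sha256  path" line per regular file under $1 into $2.
fim_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$out"
}

# Re-hash $1 and compare with the baseline in $2.
# Prints CHANGED / MISSING / NEW lines; returns 0 only if the tree is
# byte-for-byte what the baseline recorded, 1 otherwise, 2 on setup error.
fim_check() {
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    fim_baseline "$dir" "$cur"
    rc=0
    # Pass 1: every baseline entry must still exist with the same hash.
    # FILENAME (not NR==FNR) is used so an empty snapshot is handled correctly.
    awk 'BEGIN { bad = 0 }
         FILENAME == ARGV[1] { cur[$2] = $1; next }
         !($2 in cur)       { print "MISSING  " $2; bad = 1; next }
         cur[$2] != $1      { print "CHANGED  " $2; bad = 1 }
         END { exit bad }' "$cur" "$base" || rc=1
    # Pass 2: anything present now that the baseline never saw
    # (a dropped binary, a new setuid helper, a rootkit module).
    awk 'BEGIN { bad = 0 }
         FILENAME == ARGV[1] { base[$2] = 1; next }
         !($2 in base)      { print "NEW      " $2; bad = 1 }
         END { exit bad }' "$base" "$cur" || rc=1
    rm -f "$cur"
    return $rc
}

# CLI wrapper:  fim.sh baseline DIR DBFILE   |   fim.sh check DIR DBFILE
case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

A cron line such as `0 3 * * * /usr/local/sbin/fim.sh check /etc /var/lib/fim/etc.db 2>&1 | mail -s "fim report" root` gives the nightly report the poster asked for. Two caveats that apply to real tripwire just as much as to this sketch: the baseline (and ideally the checker and its `sha256sum`) must sit where an intruder cannot rewrite them, such as read-only media, or a rootkit simply re-baselines itself; and a baseline taken on a box that is already compromised only certifies the compromise, which is why the reinstall comes first.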