At 09:42 AM 12/20/99 -0800, Gavin Budd wrote:
>Another thing that happened is that IP's aren't being logged in the u/wtmp
>file for telnet connections. They stopped logging about the same time as
>the break in. Any idea how to fix this?
Yeah. (1) Back up ALL valuable data on the server. (2) Use fdisk to remove
all partitions. (3) Then reinstall the OS and all security patches.
Seriously, you are playing with fire if you think you can unfix whatever
the cracker broke. If you really want to know what got changed, I think you
need to install and run tripwire (or the like) right after a known clean
install (e.g., non-networked); then you can re-run it later to see what
files have changed. You need to boot from a removable (known clean) medium
and the executable and DB need to be known to be untampered as well.
-Alan
---
Alan D. Mead / Research Scientist / [EMAIL PROTECTED]
Institute for Personality and Ability Testing
1801 Woodfield Dr / Savoy IL 61874 USA
217-352-4739 (v) / 217-352-9674 (f)
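
The baseline-then-recheck approach described in the reply above, as an added example (not part of the original message and not Tripwire's own code): it records a hash and ownership/permission metadata for every file under a directory, then reports what was added, removed or changed. The function names `snapshot`, `compare` and `demo`, and the sample tree, are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each path under root to (digest, mode, uid, gid, size)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: record the link itself, never follow it
            digest = "non-regular"  # device nodes, FIFOs: metadata only
            if stat.S_ISLNK(st.st_mode):
                digest = "symlink:" + os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = (
                digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size)
    return db

def compare(baseline, current):
    """Report files added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree; a real baseline lives on read-only media."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        login = os.path.join(root, "bin", "login")
        conf = os.path.join(root, "etc", "inetd.conf")
        with open(login, "wb") as f:
            f.write(b"original login binary")
        with open(conf, "wb") as f:
            f.write(b"telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")
        os.chmod(conf, 0o644)
        baseline = snapshot(root)  # taken on the known-clean install
        with open(login, "wb") as f:
            f.write(b"replaced login binary")  # same length, different content
        os.chmod(conf, 0o666)
        open(os.path.join(root, "etc", "new_file"), "wb").close()
        return compare(baseline, snapshot(root))
```

The replaced file has the same size as the original, so only the content hash catches it; the permission change is caught by the recorded mode.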