John Keimel wrote:
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Aside from any of hte tec
John Keimel wrote:
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Aside from any of hte technical
On Tue, Feb 24, 2004 at 05:20:01PM -0600, elijah wright wrote:
>
> > > I've been asked to place a sniffer on a network that handles HIPPA
> > > data, and watch for e-mail containing certain strings. I figured that
> > > mailsnarf would be the best way to do this.
> > >
> > Aside from any of hte te
On Tue, Feb 24, 2004 at 06:19:48PM -0500, John Keimel wrote:
> On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
> > I've been asked to place a sniffer on a network that handles HIPPA data,
> > and watch for e-mail containing certain strings. I figured that mailsnarf
> > would be t
free2.org wrote:
since a few days there is no more valid Release.gpg file for woody and non-US
apt-check-sigs says "NO VALID SIGNATURE"
no problem with sarge, sid and security updates
i do have the ftp master keys 2003 and 2004
Looking at some ftp mirrors, it seems that Release.gpg has been up
> > I've been asked to place a sniffer on a network that handles HIPPA
> > data, and watch for e-mail containing certain strings. I figured that
> > mailsnarf would be the best way to do this.
> >
> Aside from any of hte technical details of this, I'm kind of wondering
> how this fits into HIPPA a
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
> I've been asked to place a sniffer on a network that handles HIPPA data,
> and watch for e-mail containing certain strings. I figured that mailsnarf
> would be the best way to do this.
>
Aside from any of hte technical details of
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Right.
In testing, if I run:
mailsnarf -i eth2 . "tcp"
I get all email.
If I run
mailsnarf -i eth2 ".*STD.*" "t
On Tue, Feb 24, 2004 at 05:20:01PM -0600, elijah wright wrote:
>
> > > I've been asked to place a sniffer on a network that handles HIPPA
> > > data, and watch for e-mail containing certain strings. I figured that
> > > mailsnarf would be the best way to do this.
> > >
> > Aside from any of hte te
On Tue, Feb 24, 2004 at 06:19:48PM -0500, John Keimel wrote:
> On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
> > I've been asked to place a sniffer on a network that handles HIPPA data,
> > and watch for e-mail containing certain strings. I figured that mailsnarf
> > would be t
free2.org wrote:
since a few days there is no more valid Release.gpg file for woody and non-US
apt-check-sigs says "NO VALID SIGNATURE"
no problem with sarge, sid and security updates
i do have the ftp master keys 2003 and 2004
Looking at some ftp mirrors, it seems that Release.gpg has been updated
> > I've been asked to place a sniffer on a network that handles HIPPA
> > data, and watch for e-mail containing certain strings. I figured that
> > mailsnarf would be the best way to do this.
> >
> Aside from any of hte technical details of this, I'm kind of wondering
> how this fits into HIPPA a
On Tue, Feb 24, 2004 at 06:11:20PM -0500, [EMAIL PROTECTED] wrote:
> I've been asked to place a sniffer on a network that handles HIPPA data,
> and watch for e-mail containing certain strings. I figured that mailsnarf
> would be the best way to do this.
>
Aside from any of hte technical details of
I've been asked to place a sniffer on a network that handles HIPPA data,
and watch for e-mail containing certain strings. I figured that mailsnarf
would be the best way to do this.
Right.
In testing, if I run:
mailsnarf -i eth2 . "tcp"
I get all email.
If I run
mailsnarf -i eth2 ".*STD.*" "t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 24 Feb 2004 14:32:26 +0100,
Greg <[EMAIL PROTECTED]> wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I am
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 24 Feb 2004 14:32:26 +0100,
Greg <[EMAIL PROTECTED]> wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I am
On Tue, Feb 24, 2004 at 10:37:44AM -0500, Noah Meyerhans wrote:
> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
> >
> > Looks like there are a lot of false positives on it.
> >
>
> It looks like there are a lot of false positives with chkrootkit in
> general. Seriously, has anybody h
Alohá!
Noah Meyerhans wrote:
> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
>
>> Looks like there are a lot of false positives on it.
>>
>
>
> It looks like there are a lot of false positives with chkrootkit in
> general. Seriously, has anybody here ever had chkrootkit detect an
> a
On Tue, Feb 24, 2004 at 10:37:44AM -0500, Noah Meyerhans wrote:
> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
> >
> > Looks like there are a lot of false positives on it.
> >
>
> It looks like there are a lot of false positives with chkrootkit in
> general. Seriously, has anybody h
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
>
> Looks like there are a lot of false positives on it.
>
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever had chkrootkit detect an
actual rootkit? Questions about its output
On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> On Tue, Feb 17, 2004 at 03:12:44PM -0600, Hhayes wrote:
> > I have a Debian box running as a file server on a network with 50 users. So
> (...)
> > saved the file, resulting in a file that no other users can write to.
Alohá!
Noah Meyerhans wrote:
> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
>
>> Looks like there are a lot of false positives on it.
>>
>
>
> It looks like there are a lot of false positives with chkrootkit in
> general. Seriously, has anybody here ever had chkrootkit detect an
> ac
On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
>
> Looks like there are a lot of false positives on it.
>
It looks like there are a lot of false positives with chkrootkit in
general. Seriously, has anybody here ever had chkrootkit detect an
actual rootkit? Questions about its output
On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> On Tue, Feb 17, 2004 at 03:12:44PM -0600, Hhayes wrote:
> > I have a Debian box running as a file server on a network with 50 users. So
> (...)
> > saved the file, resulting in a file that no other users can write to.
> In what sense? Logging to syslog/email/external database and signing the
Bringing machine to knees seems pretty intrusive to me.
Samhain runs as deamon, and IIRC it scans running processes and does other
things in effort to detect trojans and lkms. This activity used to boost
idle load avg fro
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote:
> > samhain (in unstable, should be easy to backport) which has some
> > interesting features.
> And those interesting features should make you cautious before you deploy
> samhain in production environment. I find it rather intrusi
31337 - are your runing portsentry on that machine ?
Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false posit
May be you have installed "fakebo"?
Billy
You might not be hacked after all.
Read this: http://www.webhostgear.com/25.html
Also some googling might help ;-)
http://www.google.ro/search?q=%27bindshell%27...+INFECTED+%28PORTS%3A++1524+31337&ie=UTF-8&oe=UTF-8&hl=ro&btnG=Caut%C4%83&meta=
Looks like there are a lot of false positives on it
On Tuesday 24 February 2004 07:53, Greg wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Try a nmap port scan from the outside to your ip address. If those ports are
I am running Debian on a Dec Alpha PC164.
I decided to run chkrootkit and was surprised by the following line.
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
I am not sure how no interpret this. I have checked logs, as well as binary
checks and everything "seems" fine. Can someone help
> In what sense? Logging to syslog/email/external database and signing the
Bringing machine to knees seems pretty intrusive to me.
Samhain runs as deamon, and IIRC it scans running processes and does other
things in effort to detect trojans and lkms. This activity used to boost
idle load avg fro
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote:
> > samhain (in unstable, should be easy to backport) which has some
> > interesting features.
> And those interesting features should make you cautious before you deploy
> samhain in production environment. I find it rather intrusi
33 matches
Mail list logo
