> On Sun, Feb 06, 2005 at 10:52:50PM -0800, Alvin Oga wrote:
>> it's best when you can call the fbi (on the phone) and say, they're
>> back, trace um "NOW"
>
> Obviously you've never done this. Good luck finding someone who even
> knows what TCP/IP is, let alone sufficient knowledge to be able to
On Sun, Feb 06, 2005 at 10:52:50PM -0800, Alvin Oga wrote:
> it's best when you can call the fbi (on the phone) and say, they're
> back, trace um "NOW"
Obviously you've never done this. Good luck finding someone who even knows
what TCP/IP is, let alone sufficient knowledge to be able to track a
On Sun, 6 Feb 2005, Scott Edwards wrote:
> You'll want to evaluate the time and resources you'll consume, and to
> what end. Even in high profile cases, you have to do even more work
> to collect the damages awarded. It's like a triple whammy:
>
> 1. Your box gets compromised
> 2. You sue them
You'll want to evaluate the time and resources you'll consume, and to
what end. Even in high profile cases, you have to do even more work
to collect the damages awarded. It's like a triple whammy:
1. Your box gets compromised
2. You sue them
3. And then collect damages
You'll quickly lose a ca
On Mon, 7 Feb 2005, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > you can reinstall AFTER you can answer all the above questions
> > or give up and give the point to the script kiddie cracker
>
> No, you make an image, reinstall, and if you have time (i.e. you normally
In article <[EMAIL PROTECTED]> you wrote:
> you can reinstall AFTER you can answer all the above questions
> or give up and give the point to the script kiddie cracker
No, you make an image, reinstall, and if you have time (i.e. you normally
don't) then you can start the forensics.
Regards
Bernd
Some interesting points raised by Alvin.
On the other hand, run rkhunter after updating its lists & chkrootkit.
See what they have to say about your system, but also watch out for false
positives due to back-ported security patches (mostly for openssl, ssh,
..) in Debian.
(step 1)
If the machine
On Mon, 7 Feb 2005, Geoff Crompton wrote:
> >>You were rooted, you should reinstall. It's not worth risking that he
> >>left something that you didn't find.
"reinstalling" is the equivalent of a "script kiddie" and probably lower
in skill level than the script kiddie
see below for reasons if
Jeroen van Wolffelaar wrote:
On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
<[EMAIL PROTECTED]> wrote:
I'm considering taking it back online with a 2.4.29-grsec-hi, what do
you guys think?
You were rooted, you should reinstall.
thus spoke Jeroen van Wolffelaar <[EMAIL PROTECTED]> [2005.02.07.0022 +0100]:
> however, if you're not THAT paranoid, I think you can do with
> locking down backup account, checking all files writeable by
> backup (all files with recent ctime?), and places like /var/tmp,
> /tmp, etc.
Once an atta
On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
> On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
> <[EMAIL PROTECTED]> wrote:
> > I'm considering taking it back online with a 2.4.29-grsec-hi, what do
> > you guys think?
>
> You were rooted, you should reinstall. It's not w
Sounds like you need to read the cert.org article on how to respond to
system intrusions. See
http://www.cert.org/security-improvement/modules/m06.html.
Good luck,
Scott Edwards
http://www.daxal.com
On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
<[EMAIL PROTECTED]> wrote:
> I'm considering taking it back online with a 2.4.29-grsec-hi, what do
> you guys think?
You were rooted, you should reinstall. It's not worth risking that he
left something that you didn't find.
--
Michael A. M
Hi everybody,
guess it was my time - this time...
Ok .. about 4 hours ago the following happened on one of my machines:
1) Somebody tried from one host (213.215.220.14) a dictionary attack
2) He/She/It got in using the user backup (I know.. I know ..)
3
Thomas Hochstein wrote:
Feb 6 08:11:27 celery postfix/smtpd[11548]: reject: RCPT from shawidc-mo1.cg.shawcable.net[24.71.223.10]: 550 <[EMAIL PROTECTED]>: User unknown; from=<> to=<[EMAIL PROTECTED]>
"<>", an empty Return-Path:/Envelope-Sender, so those are bounces /
non-delivery-notification
lars brun nielsen wrote:
> Feb 6 08:11:27 celery postfix/smtpd[11548]: reject: RCPT from
> shawidc-mo1.cg.shawcable.net[24.71.223.10]: 550 <[EMAIL PROTECTED]>: User
> unknown; from=<> to=<[EMAIL PROTECTED]>
"<>", an empty Return-Path:/Envelope-Sender, so those are bounces /
non-delivery-noti
Florian Weimer wrote:
in the last 3 days, one of our mx domains has been the target of the
following ( the real domainname replaced by DOMAIN.XX ) :
These are just regular spamming attempts. Nothing to worry about.
it's the network connection part of it that baffles me. we're past the
tcp
* lars brun nielsen:
> in the last 3 days, one of our mx domains has been the target of the
> following ( the real domainname replaced by DOMAIN.XX ) :
These are just regular spamming attempts. Nothing to worry about.
hi,
in the last 3 days, one of our mx domains has been the target of the following ( the real domainname replaced by DOMAIN.XX ) :
Feb 6 08:11:27 celery postfix/smtpd[11548]: reject: RCPT from shawidc-mo1.cg.shawcable.net[24.71.223.10]: 550 <[EMAIL PROTECTED]>: User unknown; from=<> to=<[EM