Quote:
Examine log files
Quote:
Look for setuid and setgid Files
Quote:
Check system binaries
Quote:
Check for packet sniffers
Quote:
Examine files run by 'cron' and 'at'.
Quote:
Check for unauthorized services
Quote:
Examine /etc/passwd file
Quote:
Check system and network configuration
Quote:
Look everywhere for unusual or hidden files
Quote:
Examine all machines on the local network
CoyoteX wrote:
I can't resist making a reply here. Sorry if it sounds like I want to bash several things in your post; it's not meant that way, just maybe a proof that this won't help to get full security.
CoyoteX wrote:
I use a logcleaner; you wouldn't see my connections then, not even what commands I typed in. Only if it is a bad logcleaner that leaves zeros behind, then you might have a chance to see me.
CoyoteX wrote:
Errr, for what and how? Compromised files maybe, yes; then use chkrootkit (get it at freshmeat.net) to remove those rootkits that infected your system.
CoyoteX wrote:
Alright, how? ettercap and most others run stealthily; you won't even notice them. If there is a packet sniffer, you should change all your passwords, remove the whole OS and start over again. They sniffed your whole life: AIM, ICQ, mail passwords, even SSH passwords (yes, that's working, not talking about ssh2).
CoyoteX wrote:
Wow, everywhere? Man, I'm fux0red, now I won't have time to do anything else. What's an unusual file anyway? Let's see, crackers mostly put them into /tmp, or even delete their packages. Won't help to see if you got hacked, sorry.
Code:
#!/bin/sh
# ls -g shows the group on the old BSD ls this was written for; GNU ls drops
# the owner column instead, so use "ls -al" / "ls -ald" there.
echo "Set_User-Id files found:"
find / -type f -a -perm -4000 -exec ls -aslg {} \;
echo "Set-Group-Id files found:"
find / -type f -a -perm -2000 -exec ls -aslg {} \;
echo "Device files not located in /dev:"
find / \( -type b -o -type c \) -print | grep -v '^/dev'
echo "World writable files and directories:"
find / -perm -2 -exec ls -aslgd {} \;
echo "Files owned by nonexistent user or group:"
find / \( -nouser -o -nogroup \) -exec ls -aslgd {} \;
CoyoteX wrote:
Do I get a cookie now? I'm sorry to look like an idiot with that reply, but it teaches you that you never know if you got hacked or not. Tripwire isn't free; use their free replacement maybe, run nessus and nmap. That's all you can do. Oh, maybe tiger scripts too. Everything at freshmeat.net. BTW, CERT is only for the USA I guess? Ah damn, I'm from Russia, I'm fux0red :\
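The "bad logcleaner that leaves zeros behind" from the post above is something you can actually hunt for, because wtmp is append-only and a cleaner that nulls a record instead of removing it leaves a 384-byte hole of zero bytes. The script below is an added example, not code from the original post or from any tool named in this thread. It assumes the glibc struct utmp layout used on x86_64 Linux (check sizeof(struct utmp) on your own box before trusting the offsets), and the sample wtmp it ships with is constructed, not captured from a real system.

```python
#!/usr/bin/env python3
"""Hunt for the holes a crude logcleaner leaves in a Linux wtmp file.

Added example for this thread, not code from the original post or from any
tool it names.  Assumes the glibc struct utmp layout on x86_64 Linux
(384-byte records; check sizeof(struct utmp) on your own box).  The sample
wtmp at the bottom is constructed, not captured from a real system.
"""
import struct
import sys

# glibc struct utmp, x86_64 (assumed): short ut_type, 2 pad bytes, int ut_pid,
# char ut_line[32], ut_id[4], ut_user[32], ut_host[256], two shorts (ut_exit),
# int ut_session, int tv_sec, int tv_usec, int ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384

USER_PROCESS, DEAD_PROCESS = 7, 8              # ut_type values from <utmp.h>


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record; only used to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def scan_wtmp(data):
    """Return [{'index': n, 'reason': str}, ...] for records that look edited.

    wtmp is append-only, so each of these points at tampering rather than
    logging: a record that is all zero bytes (a zap-style cleaner nulls the
    victim's entries instead of removing them), a login with a blank user or
    zero timestamp, a logout on a tty that never logged in, and a timestamp
    that runs backwards.
    """
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append({"index": None, "reason": "size %d is not a multiple of %d "
                         "(truncated or hand-edited)" % (len(data), UTMP_SIZE)})
    open_lines, last_sec = set(), 0
    for idx in range(len(data) // UTMP_SIZE):
        rec = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if rec == b"\0" * UTMP_SIZE:
            findings.append({"index": idx, "reason": "record is all zero bytes"})
            continue
        fields = struct.unpack(UTMP_FMT, rec)
        ut_type, line, user, tv_sec = fields[0], _cstr(fields[2]), _cstr(fields[4]), fields[9]
        if ut_type == USER_PROCESS:
            if not user or tv_sec == 0:
                findings.append({"index": idx, "reason": "login on %s with blank user "
                                 "or zero timestamp" % line})
            open_lines.add(line)
        elif ut_type == DEAD_PROCESS:
            # Heuristic: init writes its own DEAD_PROCESS entries around boot, so
            # check the timestamp before calling one of these a cleaned login.
            if line not in open_lines:
                findings.append({"index": idx, "reason": "logout on %s without a "
                                 "preceding login" % line})
            open_lines.discard(line)
        if tv_sec and tv_sec < last_sec:
            findings.append({"index": idx, "reason": "timestamp %d is earlier than the "
                             "previous record (%d)" % (tv_sec, last_sec)})
        last_sec = max(last_sec, tv_sec)
    return findings


# Constructed sample: alice logs in and out, an intruder's login/logout pair
# has been zeroed by a cleaner, bob logs in and out, and one stray logout is
# left over from a login record the cleaner removed outright.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1000000000),
    pack_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1000000600),
    b"\0" * UTMP_SIZE,
    b"\0" * UTMP_SIZE,
    pack_record(USER_PROCESS, 1350, "pts/1", "bob", "10.0.0.7", 1000001200),
    pack_record(DEAD_PROCESS, 1350, "pts/1", "", "", 1000001800),
    pack_record(DEAD_PROCESS, 1400, "pts/2", "", "", 1000002000),
])

if __name__ == "__main__":
    # usage: wtmpscan.py [/var/log/wtmp]; with no argument it scans the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for hit in scan_wtmp(data):
        print("record %s: %s" % (hit["index"], hit["reason"]))
```

Run it against a copy of /var/log/wtmp taken from a box you suspect, not the live file, and remember the limit CoyoteX is pointing at: a cleaner that removes records cleanly leaves nothing here, so a match is evidence, but a clean scan is not an alibi.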
CoyoteX wrote:
First of all, you got hacked, and you won't notice:
I use a logcleaner; you wouldn't see my connections then, not even what commands I typed in. Only if it is a bad logcleaner that leaves zeros behind, then you might have a chance to see me.
Code:
#!/bin/sh
echo "Set_User-Id files found:"
find / -type f -a -perm -4000 -exec ls -aslg {} \;
<snip>
Quote:
Samhain is my software of choice.
cipher wrote:
And why is that? Compare to both tripwire and osiris...
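Whatever the answer to cipher's question, tripwire, Samhain and osiris share one core: a baseline of hashes and metadata taken from a clean system, stored where an intruder cannot rewrite it, and compared later. The script below is an added example of that core, not code from any of those projects. Its assumptions: the baseline is written once from a known-clean install and kept off-box or on read-only media, and the python and libc doing the hashing are themselves clean, because a kernel rootkit can hand any userland checker the original bytes (which is the caveat behind "you never know if you got hacked"). The tampered bin/ tree in demo() is constructed, not a real /bin.

```python
#!/usr/bin/env python3
"""Baseline-and-compare file integrity check, the core of what tripwire,
Samhain and osiris do.

Added example for this thread, not code from any of those projects.  Assumes
the baseline is taken once from a known-clean system and stored where an
intruder cannot rewrite it, and that the python/libc doing the hashing are
clean; a kernel rootkit can lie to any userland checker.  Demo tree is
constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def fingerprint(path):
    """Ownership, mode, size, mtime and (for regular files) SHA-256 of one entry."""
    st = os.lstat(path)
    entry = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
             "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)    # a repointed symlink is a swapped binary
    elif stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    return entry


def build_baseline(roots):
    """Fingerprint everything under each root (symlinks are not followed)."""
    baseline = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    baseline[path] = fingerprint(path)
                except OSError as exc:
                    baseline[path] = {"error": str(exc)}
    return baseline


def compare(baseline, current):
    """Diff two baselines: 'changed' maps path -> differing attributes, and
    'suid_added' lists regular files that gained setuid/setgid, which is what
    the find(1) script quoted in this thread hunts for."""
    report = {"added": [], "removed": [], "changed": {}, "suid_added": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        old_mode, new_mode = (old or {}).get("mode", 0), (new or {}).get("mode", 0)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        else:
            diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if diff:
                report["changed"][path] = diff
        if stat.S_ISREG(new_mode) and new_mode & SUID_BITS and not old_mode & SUID_BITS:
            report["suid_added"].append(path)
    return report


def demo():
    """Constructed scenario: baseline a fake bin/, tamper with it the way a
    rootkit install does (trojan ps without changing its size, plant a hidden
    setuid shell, make ls setuid, delete netstat), then compare."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"original " + name.encode())
        baseline = build_baseline([root])
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"trojaned ps")              # 11 bytes, same as "original ps"
        with open(os.path.join(bindir, ".sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(os.path.join(bindir, ".sh"), 0o4755)
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        os.remove(os.path.join(bindir, "netstat"))
        report = compare(baseline, build_baseline([root]))
        rel = lambda p: os.path.relpath(p, root)  # strip the temp dir from paths
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": {rel(p): v for p, v in report["changed"].items()},
                "suid_added": [rel(p) for p in report["suid_added"]]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # usage: baseline <root> | check <root> <baseline.json> | (no args) run demo
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        json.dump(build_baseline([sys.argv[2]]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as fh:
            json.dump(compare(json.load(fh), build_baseline([sys.argv[2]])), sys.stdout, indent=1)
    else:
        json.dump(demo(), sys.stdout, indent=1)
```

The size-preserving trojan of ps is the case that matters: a checker that only looks at size and mtime (or at ls output, as the quoted find script does) misses it, while the content hash does not. The real tools add what is deliberately left out here: a signed baseline, a policy of which attributes matter per directory, and a scheduler and reporting path that the intruder cannot silence.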