TCLUG Archive

Re: [TCLUG:953] security



yep.. most likely a "script kiddie". These are usually high school students,
or college students who have way too much free time, and very low morals.
All they do is watch bugtraq mailing lists, and download easy to use
scripts that give them root access.. they probably downloaded your
/etc/passwd and shadow to run through a cracker.. so you will want to not
use the same passwords again. :(

On Thu, 20 Aug 1998, Serge M. Egelman wrote:

> please do put them on the site.  Thanks for your help.  I think that it must have
> been someone who was relatively new because they didn't even touch the logs (how I
> found them), it turns out they came in from some ISP called bbn.com (a really big
> isp for big corporations), from the octane they went to other universities and
> other machines in that lab (my linux box was one).  We already contacted the U
> computer security people and they said they'd talk to people at bbn about a
> trace.  But I still want to talk to the FBI.
> 
> serge
> 
> Bob Tanner wrote:
> 
> > Quoting Serge M. Egelman (serge@egel2.med.umn.edu):
> > > a couple days ago someone hacked into my dad's octane (he was stupid and
> > > forgot to delete the 'demo' account on there).  anyways, they set up sniffing
> > > and got onto my linux box, now I have to completely reinstall linux (along
> > > with irix) because the security has been compromised.  Anyways, my question
> > > is: Is there any other way of securing a system besides deleting the
> > > defaults, shadowing the passwords, and getting rid of anon ftp?  Also, is it
> > > worth it to contact the fbi or the secret service (I think they're the ones
> > > who handle computer crime now?)?
> >
> > Easiest, but most expensive is to get an Ethernet switch. If a hacker
> > (more than likely a script kiddie) gets into one box and sets up a
> > sniffer the switch will prevent them from getting all of your Ethernet
> > traffic since it only sends traffic to each box that is destined for
> > each box. Unlike a shared hub where one box sees all traffic for that
> > segment. My recommendation is a BayNetwork 350T.
> >
> > Next, install ifstatus and run it every 5 minutes from cron. From
> > ifstatus README
> >
> > This program can be run on a UNIX system to check the network interfaces
> > for any that are in debug or promiscuous mode.  This may be the sign
> > of an intruder performing network monitoring to steal passwords and the
> > like (see CERT Advisory CA-94:01).
> >
> > Next install swatch to monitor your syslog output. Key off of
> > important information. Have it email and page you on important events.
> > Like telnet/ssh connects from root.
> >
> > Next install and use the tcpwrappers. Deny all connections from root
> > to machines, like ALL: root@ALL: DENY. Run a mostly closed system.
> > Meaning by default you cannot get in, unless you are explicitly let
> > in.
> >
> > Finally install tripwire. To detect any changes to files that should
> > not change.
> >
> > I can put all these tools onto the tclug site if you have trouble
> > finding them.
> >
> > >
> > > serge
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tclug-list-unsubscribe@listserv.real-time.com
> > > For additional commands, e-mail: tclug-list-help@listserv.real-time.com
> > > Try our website: http://tclug.real-time.com
> >
> > --
> > Bob Tanner <tanner@real-time.com>       | Phone : (612)943-8700
> > http://www.real-time.com                | Fax   : (612)943-8500
> > Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
> >
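Added example, not code from this thread or from the ifstatus, swatch or tripwire projects: a single POSIX sh script that does, in miniature, the three checks Bob Tanner recommends (an interface in promiscuous mode, root logins in syslog, changed files against a baseline), written so each function can be dropped into a cron job. It assumes the Linux sysfs layout (`/sys/class/net/<if>/flags`, where IFF_PROMISC is bit 0x100), a `sha256sum` binary, and uses constructed log lines and a temporary directory tree as demo input; the tcpwrappers step is a configuration change (`ALL: root@ALL: DENY` in hosts.deny) rather than a check, so it is not repeated here.

```shell
#!/bin/sh
# Added example (not from the thread or the named projects). Each check prints
# only when something needs attention and returns 0, which is the classic
# cron pattern: cron mails any output, so silence means "nothing found".

# 1. Promiscuous-interface check (what ifstatus does from cron).
# Linux exposes interface flags as hex in /sys/class/net/<if>/flags;
# IFF_PROMISC is 0x100. The sysfs root is a parameter so the function
# can be pointed at a constructed tree for testing.
check_promisc() {
    sysroot=${1:-/sys/class/net}
    for d in "$sysroot"/*; do
        [ -r "$d/flags" ] || continue
        flags=$(cat "$d/flags")
        [ -n "$flags" ] || continue
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            echo "PROMISC: $(basename "$d") is in promiscuous mode (flags $flags)"
        fi
    done
    return 0
}

# 2. Root-login watch over a syslog file (the swatch idea): sshd "Accepted"
# records for root, and the classic "ROOT LOGIN" record written by login(1)
# for telnet/console sessions. grep exits 1 on no match, hence "|| true".
root_logins() {
    grep -E -e 'sshd\[[0-9]+\]: Accepted [a-z]+ for root from' \
            -e 'ROOT LOGIN' "$1" || true
}

# 3. File-integrity baseline (the tripwire idea). snapshot_tree emits one
# sha256 per regular file, sorted by path; check_baseline diffs the stored
# baseline against a fresh snapshot so added, removed and modified files all
# show up. The baseline path must be absolute because we cd into the tree.
snapshot_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}
make_baseline()  { snapshot_tree "$1" > "$2"; }
check_baseline() { snapshot_tree "$1" | diff "$2" - || true; }

# Constructed demo data so the script runs offline: a fake sysfs with one
# normal and one promiscuous interface, four made-up syslog lines, and a
# small tree where one file is modified after the baseline is taken.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/net/eth0" "$tmp/net/eth1"
    echo 0x1003 > "$tmp/net/eth0/flags"   # UP|BROADCAST|MULTICAST
    echo 0x1103 > "$tmp/net/eth1/flags"   # same, plus IFF_PROMISC
    cat > "$tmp/syslog" <<'EOF'
Aug 20 10:01:02 octane sshd[1234]: Accepted password for serge from 10.0.0.5 port 1022 ssh2
Aug 20 10:02:10 octane sshd[1240]: Accepted password for root from 192.0.2.9 port 1023 ssh2
Aug 20 10:03:33 octane login[1301]: ROOT LOGIN ON ttyp2 FROM 192.0.2.9
Aug 20 10:04:00 octane cron[1400]: (root) CMD (/usr/local/sbin/ifcheck)
EOF
    mkdir -p "$tmp/tree/bin"
    printf 'original\n' > "$tmp/tree/bin/login"
    make_baseline "$tmp/tree" "$tmp/baseline"
    printf 'modified\n' > "$tmp/tree/bin/login"   # simulate a changed file

    check_promisc "$tmp/net"
    root_logins "$tmp/syslog"
    check_baseline "$tmp/tree" "$tmp/baseline"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh checks.sh demo` to see all three detections fire on the constructed data. For real use, call `check_promisc`, `root_logins /var/log/messages` and `check_baseline / /var/lib/baseline` from separate cron entries; keep the baseline file and a copy of the script on read-only or off-host storage, since an intruder with root can otherwise just regenerate the baseline after replacing binaries.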