Re: intrusion tracking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Marko Vojinovic <vvmarko@xxxxxxxxx> writes:
> Shouldn't this be the other way around? I mean, ordinary user gets compromized 
> first, and then root gets compromized later?

Oh, I'm sure there was an initial user-level attack that I haven't found
yet and probably won't.  Apache will all that dynamic stuff run from the
web server scares me.  I don't think the guys running the system
appreciated how much of a security vulnarability that is.

> If the intruder has root access, he has absolutely no need to
> brute-force the user passwords through ssh. It is enough to change the
> password interactively or by modifying /etc/shadow. That is, unless
> the intruder is just plain stupid. ;-)

It was most likely a double infection with the second intruder just
taking advantage of the now lower security.

> The only safe way to track and analyze intrusion details of a live
> system is to have the machine log all activities to another machine on
> the net. That way the logs are physically append-only, and even after
> the intrusion happens, the intruder has no way of deleting the logs
> and otherwise covering up how the machine got compromized.

Agreed.

I was just wondering if there is a package that already does that or
something close.

> Other than that, once the intruder becomes root, all bets are off,
> there is no safe way to know anything about the intrusion and what
> exactly happened. The only thing you can do is wipe the hard disk and
> reinstall the system from scratch. Forensic research of a rooted
> system is (a) very painful and tough job (even for experts) and (b)
> almost impossible, in most cases.

I'll certainy take a snapshot of the disk and pick at it as inspiration
strikes.  If it was a server attack (apache? dovecot?), there might be
probes in log file.  They might have been lazy and not deleted the log
entries.

-wolfgang
-- 
Wolfgang S. Rupprecht      http://www.wsrcc.com/wolfgang/      (IPv6-only)
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux