Hmmm. Warning: I have the feeling this is going to be a long email...

There is a lot in your message that puzzles me. I am not sure I understand everything, but there are still a couple of points I'd like to raise with you.

On Wed, 19 Dec 2001 20:47:05 -0600 (CST) Jude DaShiell <jdashiel@shellworld.net> wrote:

> Your descriptive profile is incorrect.

??? Excuse me? I have no idea what you are talking about...

> A hacker put linsniffer on my system and it repeatedly
> broke email sessions and deleted the inbox messages.

Excuse me again? Here is a description of Linsniffer I was able to find:

    linsniffer: linsniffer is [a] simple sniffer whose main purpose is to capture usernames and passwords. linsniffer can be found at [... Address deleted ...]

As you can see above, by definition, a sniffer is designed to only do one thing: get the names/passwords pair. As such, they do not interfere with other programs -- if linsniffer interfered with your email program, then the person who installed it was pretty incompetent (a "script kiddy").

Then again, if linsniffer was getting name/password from your network, that probably means you were still using telnet or ftp or some other insecure protocol. If there is one rule that should always, always, always be applied these days it is to use OpenSSH and scp for remote access and remote file copy.

> One time when I was rebooting I noticed the error linsniffer
> can't run.

See above: why did linsniffer crash on startup? Because the person who installed it probably did a very bad job of it! And why on earth are you rebooting your system? My Linux system stays on all the time and only reboots when we have a major crash of the electrical system (which happens too often for my taste, but that's another story...).

> locate was the only tool to find anything and it was a
> subdirectory that couldn't be deleted off of my /dev
> directory /dev/ida/linsniffer that contained lots of
> files.

I thought linsniffer was supposed to install in the /usr/share/man directories. To create a /dev/xxx/linsniffer directory is to court disaster -- again, that points in the direction of a script kiddie, not a seasoned hacker.

> So I wiped the speakup system out

??? Excuse me? Don't you think you should have searched your system very carefully for trojaned binaries and other backdoors? Take a look at this analysis of a hacked system:

http://www.spirit.com/Network/net0301.html

And you'll see why it is extremely important to go through a hacked system -- if a hacker knows his stuff (and even if he does not -- rootkits are a dime a dozen these days) he/she will have compromised your system in more ways than one! And if he has installed more on your system than just linsniffer, you may be in for a very bad surprise... You can read thousands of horror stories on the Internet about what can go wrong in case a hacker really has burrowed deep into your system...

> and later did some web research on linsniffer.

A very good thing to do, indeed.

> I found a site called http://www.attrition.org that referenced
> linsniffer.

Google can spit out many more answers than this. Example: "Searched the web for Linsniffer. Results 1 - 10 of about 801"

> So these hackers are writing their own web sites too and
> making the information and probably the scripts available
> to anyone that can do a web download.

??? Excuse me? Where have you been hiding for the past ten years? Of course they have been doing that! Why do you think people talk about "script kiddies"? Because idiotic 15-year-olds can now hack into most (unprotected) servers using lots of scripts written by people who are far more intelligent and competent than they are. Read:

http://project.honeynet.org

for some tactics that can be used against you.

First of all, http://www.attrition.org is a very good web site that contains a lot of information on computer security. It is highly recommended reading for anyone who is running a system connected to the Internet in a permanent manner. And, considering the fact that your address is "@shellworld.net", I think you should read this complete web site unless you want your machine to be hacked again and again and again and ...

As a matter of fact, I also recommend that you start right now, by reading the following in that order:

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-Quickstart-HOWTO.html
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-Quickstart-Redhat-HOWTO.html
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Security-HOWTO.html
http://www.sans.org/top20.htm
http://www.cisecurity.org/scanning_tool.html
http://www.cac.washington.edu/People/dad/ (A lot of links)
http://staff.washington.edu/dittrich/talks/qsm-sec/what_unix.html
http://www.attrition.org (Computer security with an attitude)
http://www.linuxsecurity.com
http://www.securityfocus.com
http://www.hackingexposed.com (This is the BIBLE of hacking!)

Most of these links should be accessible by vision-handicapped persons.

If you (or any other person on this list) have any questions, I'll try to answer them as best as I can. Feel free to email me.

/-------------------------------------\
| Gil Andre -- Technical Writer       |
| Knox Software: http://www.arkeia.com |
| email: gandre@arkeia.com            |
\-------------------------------------/
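
Added example, not part of the original message or written by either correspondent: a shell check for the kind of hiding place discussed in the thread, regular files stashed under /dev (as with /dev/ida/linsniffer). The function names, the allow-list of subdirectories and the demo file names are assumptions made for this illustration; the demo tree is constructed and contains no real devices.

```shell
#!/bin/sh
# A healthy /dev holds device nodes, symlinks, sockets and FIFOs.
# Regular files there, outside tmpfs mounts such as /dev/shm, deserve a
# closer look during a compromise investigation.

# suspicious_dev_files ROOT
#   Prints every regular file under ROOT, skipping allow-listed
#   subdirectories (assumed legitimate on a modern Linux system).
suspicious_dev_files() {
    root=${1:-/dev}
    find "$root" \
        \( -path "$root/shm" -o -path "$root/mqueue" -o -path "$root/hugepages" \) -prune \
        -o -type f -print 2>/dev/null | sort
}

# suspicious_dev_dirs ROOT
#   Collapses that list to "COUNT DIRECTORY" lines, so a directory full
#   of stashed files stands out as a single entry.
suspicious_dev_dirs() {
    suspicious_dev_files "$1" | while IFS= read -r f; do
        dirname "$f"
    done | sort | uniq -c | sed 's/^ *//'
}

# make_demo_tree
#   Builds a constructed stand-in for a compromised /dev in a temp
#   directory and prints its path. File names are invented.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/ida/linsniffer" "$demo/shm" "$demo/pts"
    : > "$demo/ida/linsniffer/captured.log"
    : > "$demo/ida/linsniffer/sniffer-binary"
    : > "$demo/shm/legit-shared-memory"
    ln -s /proc/self/fd "$demo/fd"
    echo "$demo"
}

# Run with --scan to check the live /dev of the current machine.
if [ "${1:-}" = "--scan" ]; then
    suspicious_dev_dirs /dev
fi
```

A hit is a starting point for examining the system, ideally from trusted media, since tools on a compromised host may themselves be trojaned.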