On Wed, 28 May 2003, Ricardo Toma wrote:
Hi, I am having a little problem I need to solve quickly. I have one intruder (long to explain now) which edited the passwd file and set his user with 0 id (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that?
What about setting up a script to email his bash log file (and other log files) to your external email account, on a separate remote machine, each time he does something? Would this be a safe thing to do? Don't want to email rogue scripts to other people's mail servers.

You should have copies of his logs then, that he is not able to delete. You can retrieve them when you collect your email from the remote mail server.

Just an idea. I have not tried this in practice, as I'm the only user (AFAIK!) on my machine. I don't know what security issues would be involved. You would get a new email for each action performed by the attacker. You could then check and delete the emailed log files, and save the ones you want to keep for later use.

Regards
- Keith Roberts

PS Are you using the shadow password suite as well?
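The off-host copy suggested in the reply above, sketched as an added example that is not part of either poster's message: it forwards only the bytes appended since the last run and raises an alert when the watched file shrinks or disappears. The recipient address, the `SHIP_CMD` variable and the function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forward only the new part of a log file off-host.
# Assumptions (not from the thread): the recipient address below is a
# placeholder, and the watched file and state file are given as arguments.

# Delivery command; it receives the text on stdin. Override SHIP_CMD to
# use another transport (for example "logger -t histwatch").
SHIP_CMD=${SHIP_CMD:-'mail -s histwatch admin@remote.example'}

# ship_new FILE STATE
# STATE stores the byte offset already forwarded.
# Returns 0 if new data was sent, 1 if nothing new, 2 if FILE is
# missing, 3 if delivery failed (offset is then left unchanged).
ship_new() {
    file=$1; state=$2; rc=1
    if [ ! -f "$file" ]; then
        printf 'ALERT: %s is missing\n' "$file" | $SHIP_CMD
        return 2
    fi
    size=$(wc -c < "$file" | tr -d ' ')
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    if [ "$size" -lt "$last" ]; then
        # The file shrank: it was truncated or replaced. Report that,
        # then resend whatever it contains now from the beginning.
        printf 'ALERT: %s shrank from %s to %s bytes\n' \
            "$file" "$last" "$size" | $SHIP_CMD
        last=0
    fi
    if [ "$size" -gt "$last" ]; then
        tail -c +"$((last + 1))" "$file" | $SHIP_CMD || return 3
        rc=0
    fi
    printf '%s\n' "$size" > "$state"
    return "$rc"
}

# Stand-alone use: histwatch.sh /path/to/logfile /path/to/statefile
if [ "$#" -eq 2 ]; then
    ship_new "$1" "$2"
fi
```

Run it from cron or a loop against each file of interest. Bash by default writes its history file only when the shell exits, so that file lags behind what was typed, while logs that are appended continuously are forwarded sooner.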