RE: AW: [suse-security] Log/Audit all user commands

-----Original Message----- From: Eduard Avetisyan [mailto:dich_ed@yahoo.com] Sent: Friday, 30 May 2003 06:34
Dear friends,
I followed this discussion a little bit, and here's my 2 cents:
.bash_history logs only the commands one typed in bash. What if he switches to tcsh or whatever else? "Whatever else" also includes graphical helpers, like konqueror or nautilus, which give you a lot of freedom to run or modify any files while you can't log any of those actions... and a tty sniffer won't help either.
I agree with the statement that you shouldn't let any intruder play with your machine, since it may well be that he HAS already installed sniffers (tty or network) and stuff like that, so any action you take now will be well known to him. So better really unplug the network, shut off the machine, boot from CD (if you'd like to trace back the changes he made to your system), and reinstall...
Good luck, Eduard
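As an added example (not part of Eduard's message or of the original thread): the gap he describes is that a shell history file only records what one particular shell saw, so anything started from tcsh, from a file manager or from a script is invisible to it. The usual way to close that gap on Linux is to log at the execve boundary instead, for example with an auditd rule such as `auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds` (auditd is an assumption here; the thread does not mention it). The script below parses a few constructed audit.log lines of that shape and reconstructs the commands run by each logged-in user, including a command launched from tcsh and one whose argument auditd hex-encoded because it contained spaces; the log lines are constructed for illustration, not from a real system.

```python
"""Reconstruct executed commands from Linux audit log records.

Added example for this thread; not from the original posts.  Assumes an
auditd rule hooking execve (see lead-in); the thread itself does not
mention auditd.  SAMPLE_AUDIT_LOG is constructed to resemble abbreviated
audit.log output.  The last event (auid unset) is the kind of record a
broader rule would emit; it is included to exercise the skip below.
"""
import re
import shlex
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1054276512.101:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2110 pid=2345 auid=1000 uid=1000 tty=pts0 comm="cat" exe="/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1054276512.101:4501): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1054276512.205:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2110 pid=2346 auid=1000 uid=1000 tty=pts0 comm="tcsh" exe="/bin/tcsh" key="user_cmds"
type=EXECVE msg=audit(1054276512.205:4502): argc=1 a0="tcsh"
type=SYSCALL msg=audit(1054276513.310:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=2346 pid=2350 auid=1000 uid=1000 tty=pts0 comm="cp" exe="/bin/cp" key="user_cmds"
type=EXECVE msg=audit(1054276513.310:4503): argc=3 a0="cp" a1=2F746D702F6D792062616E6B20646174612E747874 a2="/var/www/x"
type=SYSCALL msg=audit(1054276514.400:4504): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 tty=(none) comm="cron" exe="/usr/sbin/cron" key="user_cmds"
type=EXECVE msg=audit(1054276514.400:4504): argc=1 a0="cron"
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
UNSET_AUID = 4294967295  # (unsigned)-1: login uid never set, e.g. daemons


def parse_fields(line):
    """Split one audit record into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def decode_arg(raw):
    """auditd quotes plain arguments and hex-encodes anything containing
    spaces, quotes or control characters, so a bare hex token is decoded."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def reconstruct_commands(log_text):
    """Pair SYSCALL and EXECVE records by audit serial and return one entry
    per execve made by a logged-in user, in serial order."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        fields = parse_fields(line)
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
            events[serial]["ts"] = ts
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            events[serial]["argv"] = [
                decode_arg(fields.get("a%d" % i, "")) for i in range(argc)
            ]
    result = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev.get("syscall")
        if sc is None or "argv" not in ev:
            continue  # one half of the pair is missing: skip incomplete event
        auid = int(sc.get("auid", UNSET_AUID))
        if auid == UNSET_AUID:
            continue  # no login uid: daemon or boot-time process, not a user
        result.append({
            "serial": serial,
            "time": ev["ts"],
            "auid": auid,
            "ppid": int(sc["ppid"]),
            "tty": sc.get("tty", "").strip('"'),
            "exe": sc.get("exe", "").strip('"'),
            "argv": ev["argv"],
        })
    return result


def format_command(entry):
    """Render one entry as a reviewer would read it; shlex.join re-quotes
    arguments that contain spaces."""
    return "auid=%d tty=%s ppid=%d: %s" % (
        entry["auid"], entry["tty"], entry["ppid"], shlex.join(entry["argv"]))


if __name__ == "__main__":
    for cmd in reconstruct_commands(SAMPLE_AUDIT_LOG):
        print(format_command(cmd))
```

Because the rule fires on the system call, the record for `cp` is captured even though its parent (ppid 2346) is the tcsh process, which is exactly the case where .bash_history stays empty; the same holds for a program started from a file manager. The ppid field is what lets a reviewer tie each command back to the shell or helper that launched it.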
On Fri, 30 May 2003, Ricardo wrote:
It's OK that he plays with the network. I am using two networks, and the one he's using isn't important. This can help me to see what he is trying to do, what a hacker does, etc., and, more importantly, how to act and correct it. So, this is just a "demo" for me. It's real, but I can see it as a demo. So, if you want to help and participate (I'll give you all the info on what he is doing)... Thanks again,
Ricardo
-----Original Message----- From: Jeff Harris [mailto:linux@rallycentral.us] Sent: Friday, May 30, 2003 9:34 AM
IMO, it's never OK that unauthorized users "play with the network." They might be setting up a grand DoS that, when the FBI tracks it down, originates from your server, and _you_ may spend time in the pokey.
It would be much more beneficial to unplug the network and reinstall the OS and all security updates. If you really want to know how a cracker works, you might want to try legally cracking into systems: http://www.happyhacker.org/wargame/index.shtml
On Fri, 30 May 2003, Sturgis, Grant wrote:
But this situation, from what Ricardo wrote, is more like a honeypot than an exploit.
If you're operating a honeypot in the US or where other comparable laws exist, you might still spend some time in the pokey: http://www.securityfocus.com/printable/news/4004 (Apparently, there's some naughty text in this message. I keep getting a "content denied" message from someone.)
-- Jeff Harris