On Monday 09 August 2010 21:25:37 Dale wrote:
> Robert Bridge wrote:
> > On Mon, Aug 9, 2010 at 8:09 PM, Mick wrote:
> >> There have been discussions on this list why sudo is a bad idea and sudo
> >> on *any* command is an even worse idea. You might as well be running
> >> everything as root, right?
> >
> > sudo normally logs the command executed, and the account which
> > executes it, so while not relevant for single user systems, it STILL
> > has benefits over running as root.
> >
> > RobbieAB
>
> I don't use sudo here but I assume an admin would only know that a nasty
> command has been run well after it was run? Basically, after the damage
> has been done, you can go look at the logs and see the mess some hacker
> left behind. For me, that isn't a whole lot of help. You still got
> hacked, you still got to reinstall and check to make sure anything you
> copy over is not infected.
>
> Assuming that they can erase dmesg, /var/log/messages and other log
> files, who's to say the sudo logs aren't deleted too? Then you still
> have no records to look at.
>
> I agree with the other posters tho, re-install from scratch and re-think
> your security setup.

That's the problem with any compromise worth its salt: all logs will be tampered with to clear traces of interfering with your system. Monitoring network traffic from a healthy machine is a good way to establish suspicious activity on the compromised box, and it also helps checking for open ports (nmap, or netcat) to find out what's happening to the compromised box.

-- 
Regards,
Mick
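As an added illustration of the external check Mick describes (not code from the thread), the script below probes a host's TCP ports from a separate, trusted machine and compares what answers against a baseline of ports you expect to be open. Anything listening that the baseline does not list, or a baseline service that has gone silent, is reported; the local listener and baseline here are constructed fixtures so the example runs offline.

```python
import socket
from contextlib import closing


def probe_port(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port succeeds, i.e. something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def unexpected_listeners(host, ports, baseline, timeout=0.5):
    """Probe `ports` on `host` from this (healthy) machine and compare with `baseline`.

    Returns the ports found open, those open but absent from the baseline
    (a possible backdoor or replaced service), and baseline ports that no
    longer answer (a service killed or moved). The host's own logs and
    tools are never consulted, so tampering on the suspect box cannot hide
    a listener from this view.
    """
    open_ports = {p for p in ports if probe_port(host, p, timeout)}
    return {
        "open": sorted(open_ports),
        "unexpected": sorted(open_ports - set(baseline)),
        "missing": sorted(set(baseline) - open_ports),
    }


def start_local_listener():
    """Constructed fixture: stand in for a rogue listener on an ephemeral 127.0.0.1 port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Constructed fixture: obtain a port number that is currently closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, rogue = start_local_listener()       # unexpected listener
    expected = free_closed_port()              # baseline service that is down
    report = unexpected_listeners("127.0.0.1", [rogue, expected], baseline=[expected])
    print(report)  # {'open': [rogue], 'unexpected': [rogue], 'missing': [expected]}
    srv.close()
```

Against a real host, `ports` would be the range you care about and `baseline` the listeners recorded while the machine was known good.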