Re: [gentoo-user] Re: Did I just get hacked???

["Shawn Singh" <callmeshawn@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2866 bytes --]

Grant,

I figured I should add this note. I'm recommending AIDE as something if you
get to the point where you feel like you've been hacked, you've done your
post-mortem, and are ready to rebuild, upon your rebuild AIDE might prove to
be handy in the future. It'd probably be useless on a system that has
already been compromised.

Later,

Shawn

On 2/12/07, Shawn Singh <callmeshawn@gmail.com> wrote:
>
> Grant,
>
> Maybe going forward (if you're not doing so already), one tool I've found
> to be useful in the past was AIDE. While it certainly won't prevent a
> break-in, it can certainly be useful when trying to find out what changed on
> your system.
>
> Later,
>
> Shawn
>
> On 2/12/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
> >
> > Hi Grant,
> >
> > personally (but this is by far only ONE possible setup for your task)
> > I'd advise you to connect eth0 to wan through a box set up as a bridge
> > (try brctl). If that box has a good wireless card and good drivers (this
> >
> > mostly means "if that box isn't running Windows") you can also put that
> > wireless-card into promiscuous mode lock it to your chanel and ssid and
> > feed wireshark your WEP-Key or WPA-PSK for decryption.
> > If not, then you'll have to use a second box for the wireless sniffing.
> >
> > BTW. current rootkits won't just replace ps or some other tools. Good
> > rootkits do not run in userspace; they run in kernelspace. They directly
> >
> > intercept the function-calls. Just another thing to keep in mind while
> > trying to scan for them.
> >
> > hth
> > Paul
> >
> > Grant schrieb:
> > >> > A good rootkit will install a "ps" that won't show the 'bot
> > >> > processes.  The one time a machine of mine got hacked, netstat
> > >> > still worked, but I don't know why a hacked netstat couldn't be
> > >> > installed as well.
> > >>
> > >> > Looking through /proc/≤pid> is probably still reliable.
> > >>
> > >>
> > >> Hello Grant,
> > >>
> > >> I keep an old portable around, running wireshark and a flat hub.
> > >> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> > >>
> > >> You can then sniff any (ethernet) segment of your network for
> > >> nefarious traffic or male-configured network applictions.
> > >
> > > Ok, it sounds like the key to figuring this out is watching the
> > > outgoing network traffic for weird stuff.  eth0 is on the WAN and
> > > wireless ath0 is on the local subnet.  How would you monitor the
> > > outgoing traffic considering my setup?
> > >
> > > - Grant
> > > │ИМ╒▀╛z╦\x1e·з(╒╦&j)b·    bst==
> >
> > --
> > gentoo-user@gentoo.org mailing list
> >
> >
>
>
> --
> "Doing linear scans over an associative array is like trying to club
> someone to death with a loaded Uzi."
> Larry Wall




-- 
"Doing linear scans over an associative array is like trying to club someone
to death with a loaded Uzi."
Larry Wall

[-- Attachment #2: Type: text/html, Size: 4081 bytes --]