Re: [SLUG] LKM rootkits

From: Adrian deLisser (adriand@tampabay.rr.com)
Date: Thu Feb 27 2003 - 10:06:13 EST


Derek,

I would attend such a presentation.

-Adrian

On Wed, 2003-02-26 at 15:57, Derek Glidden wrote:
> On Wed, 2003-02-26 at 15:36, Kai Lien wrote:
> >
> > One of our boxes got hacked two nights ago. I believe it was LKM and
> > chkrootkit agrees also. I suspected that the cracker was using port 443
> > (https) to access the box since nmap from another box did not show any
> > suspectable ports. I believe the cracker had used a bindtty.c utility to
> > get a telnet prompt on tty1 using port 443. chkrootkit shows there was 1
> > process hidden from ps command and 1 process hidden from readdir command.
> >
> > What tools are available to find out these hidden processes?
>
> If you've been rooted and aren't absolutely positive that you have
> thoroughly scrubbed your system (through using a filesystem intrusion
> detection utility like Integrit or AIDE or Tripwire) your best (and only
> IMNSHO) recourse is to back up your data, put the install CD in the drive
> and blow the whole thing away and start over.
>
> Anything less and you risk having something left over on your system
> that will open it right back up. Particularly if you've been
> rootkitted.
>
>
>
> If there is interest, I could probably do some sort of Intrusion
> Detection presentation at one of the Tampa SLUG meetings coming up that
> would briefly cover Snort (NIDS(1)) and Integrit (FIDS(2)). I could
> probably dedicate about half an hour to a high-level overview of each
> and maybe even rig up some kind of demonstration on how they work if I
> can get access to a network or at least a switch I could plug a couple
> machines into.
>
> 1) Network Intrusion Detection System
> 2) Filesystem Intrusion Detection System

-- 
Adrian deLisser <adriand@tampabay.rr.com>
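Kai Lien asks what finds a process that chkrootkit reports as "hidden from readdir". The check below is an added example written for this archive, not chkrootkit's own code: it compares the PIDs that readdir(2) on /proc lists against PIDs the kernel still answers for via a direct /proc/<pid>/status lookup or kill(pid, 0). It assumes a Linux /proc; the table-driven test data is constructed.

```python
import os

PROC = "/proc"

def listed_pids(proc=PROC):
    """PIDs that readdir(2) on /proc reports (the view ps and ls rely on)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probe_tgid(pid, proc=PROC):
    """Thread-group id of `pid` if the kernel admits it exists, else None.
    A direct path lookup of /proc/<pid>/status bypasses readdir, and
    kill(pid, 0) is a second opinion that delivers no signal at all."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except FileNotFoundError:
        return None
    except OSError:
        pass  # exists but unreadable: fall through to the kill probe
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return None
    except PermissionError:
        pass  # exists, owned by another user
    return pid

def find_hidden_pids(visible, probe, pid_max):
    """PIDs the kernel answers for but readdir did not list. A PID whose
    thread group IS listed is just a thread of a visible process (threads
    live under /proc/<pid>/task), so it is skipped to avoid false alarms."""
    hidden = []
    for pid in range(1, pid_max + 1):
        if pid in visible:
            continue
        tgid = probe(pid)
        if tgid is None or tgid in visible:
            continue
        hidden.append(pid)
    return hidden

def pid_max(path=f"{PROC}/sys/kernel/pid_max"):
    """Upper bound of the PID space; 32768 is the classic default."""
    try:
        with open(path) as f:
            return int(f.read())
    except OSError:
        return 32768

if __name__ == "__main__":
    for pid in find_hidden_pids(listed_pids(), probe_tgid, pid_max()):
        print(f"hidden pid {pid}: exists but absent from readdir on /proc")
```

Run it as root so /proc/<pid>/status is readable for every process; a rootkit that also hooks the path lookup and kill() will still evade it, which is why an offline filesystem baseline remains the stronger check.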