[CLUE-Tech] Hack attempt

Grant Johnson grant at amadensor.com
Mon Aug 6 23:22:59 MDT 2001


> One of the easiest ways to detect most hacks is to load a new copy of
> 'find' and look for files modified after the suspected incident.
> Unless the intruder is creative (i.e. kernel modifications to not
> show files, libc replacements, etc) this will probably show
> up files left by the intruder.  They could also have cleaned
> well and changed the times on binaries infected, but if you have
> good md5 hashes of your binaries that match you should be fine.
Already did this in single user mode.  It is looking more and more like
someone was port scanning (again) and by chance the other machine locked
up 15 minutes later.  There is no evidence of even a port scan on the
locked machine. Or even connections from the scanned machine.

> 
> However, most likely the 'hacker' was using one of the many
> automated 'cracking tools' that also send DOS attacks.  Chances
> are your system is fine, and unless it houses 'important data',
> the intruder will most likely not return.
> 
I think this cracker was just port scanning.  I don't know what caused
the lockup.
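
An added example, not part of the original thread, of the two checks discussed in the quoted advice: listing files modified after the suspected incident and comparing binaries against known-good md5 hashes. The function names, the sample tree and the timestamps are constructed for illustration; it assumes GNU or BusyBox find, touch and md5sum run from trusted media, and a manifest created before the incident.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU or BusyBox find, touch and
# md5sum run from trusted media, and a manifest created before the incident.

# Files under DIR modified after WHEN ("YYYY-MM-DD HH:MM:SS").
modified_since() {  # usage: modified_since DIR WHEN
    ref=$(mktemp) || return 1
    touch -d "$2" "$ref"
    (cd "$1" && find . -type f -newer "$ref" -print | sort)
    rm -f "$ref"
}

# Files whose current MD5 differs from the baseline, or that are missing.
# MANIFEST is an absolute path; names inside it are relative to DIR.
hash_mismatches() {  # usage: hash_mismatches DIR MANIFEST
    (cd "$1" && LC_ALL=C md5sum -c "$2" 2>/dev/null | sed -n 's/: FAILED.*$//p' | sort)
}

# Files present now that the baseline never listed.
unlisted_files() {  # usage: unlisted_files DIR MANIFEST
    names=$(mktemp) || return 1
    cut -c35- "$2" > "$names"   # strip the 32-hex digest and 2-char separator
    (cd "$1" && find . -type f -print | grep -vxFf "$names" | sort)
    rm -f "$names"
}

# Constructed sample: baseline a toy tree, then simulate tampering.
build_sample() {  # usage: build_sample DIR MANIFEST
    mkdir -p "$1/bin"
    echo ls-v1 > "$1/bin/ls"; echo ps-v1 > "$1/bin/ps"
    (cd "$1" && md5sum ./bin/ls ./bin/ps) > "$2"            # known-good hashes
    echo changed > "$1/bin/ps"                               # binary replaced
    touch -d "2001-08-01 00:00:00" "$1/bin/ls" "$1/bin/ps"  # mtimes set back
    echo x > "$1/bin/.hidden"                                # new file, mtime = now
}

d=$(mktemp -d); m=$(mktemp)
build_sample "$d" "$m"
echo "Modified since 2001-08-06 23:00:00 (constructed incident time):"
modified_since "$d" "2001-08-06 23:00:00"   # misses ps: its mtime was reset
echo "Hash mismatches against baseline:"
hash_mismatches "$d" "$m"                   # catches ps despite the old mtime
echo "Not in baseline:"
unlisted_files "$d" "$m"
rm -rf "$d" "$m"
```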


