[CLUE-Tech] Hack attempt

Brandon N bneill at yahoo.com
Tue Aug 7 13:28:11 MDT 2001


--- Gus Huber <gus at pbx.org> wrote:
> One of the easiest ways to detect most hacks is to load a new copy of
> 'find' and look for files modified after the suspected incident.
> Unless the intruder is creative (i.e. kernel modifications to not
> show files, libc replacements, etc.) this will probably show
> up files left by the intruder.  They could also have cleaned
> well and changed the times on binaries infected, but if you have
> good md5 hashes of your binaries that match you should be fine.
> 
> However, most likely the 'hacker' was using one of the many
> automated 'cracking tools' that also send DoS attacks.  Chances
> are your system is fine, and unless it houses 'important data',
> the intruder will most likely not return.

That isn't necessarily true.  The prime reason for hacking home users
is to use their machines as staging points.  From your machine he can
attack other machines with little chance of it being traced back to
him.  I've also seen home machines being used as filestores for MP3s
and warez.  While I worked for @Home there were more than a few times
I saw machines being used for that purpose without the user ever
knowing.  By far the best thing to do is install Tripwire after you do
the initial install of the machine.  You should then run it off of a
floppy once a week or any time you suspect the machine has been
compromised.

Brandon
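The two checks discussed in this thread (a hash baseline verified with known-good tools, and `find` for files modified after the suspected incident) as a small shell script. This is an added example, not code from the original posts or from Tripwire; it assumes GNU coreutils/findutils (`md5sum`, `find -exec ... +`, `mktemp`), and `TRUSTED_FIND`/`TRUSTED_MD5` are hypothetical variables naming clean copies of the tools, e.g. on read-only media.

```sh
#!/bin/sh
# Added example, not code from the original thread. A baseline-and-verify
# integrity check along the lines of the advice above: record hashes of a clean
# install, later recompute them with known-good tools and diff, and list files
# whose mtime is newer than a reference point. Assumes GNU coreutils/findutils.
# TRUSTED_FIND / TRUSTED_MD5 are hypothetical: set them to the path of a clean
# copy of each tool (the thread's "new copy of find") rather than trusting PATH.
FIND="${TRUSTED_FIND:-find}"
MD5="${TRUSTED_MD5:-md5sum}"

# baseline_hashes DIR MANIFEST
# Write "hash  path" for every regular file under DIR to MANIFEST, sorted by
# path so that later diffs are stable. Keep MANIFEST off the monitored host.
baseline_hashes() {
    dir=$1; manifest=$2
    "$FIND" "$dir" -type f -exec "$MD5" {} + | sort -k 2 > "$manifest"
}

# verify_hashes DIR MANIFEST
# Recompute hashes and diff against MANIFEST. Prints each discrepancy:
# '<' lines are baseline entries (file removed or altered),
# '>' lines are current entries (file new or altered). Returns 1 on any change.
verify_hashes() {
    dir=$1; manifest=$2
    current=$(mktemp)
    "$FIND" "$dir" -type f -exec "$MD5" {} + | sort -k 2 > "$current"
    if diff "$manifest" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    diff "$manifest" "$current" | grep '^[<>]'
    rm -f "$current"
    return 1
}

# files_modified_since DIR REF
# List regular files under DIR modified more recently than REF, a reference
# file whose mtime is set to the suspected incident time
# (touch -t YYYYMMDDhhmm REF). Note that an intruder can reset mtimes, which is
# why the hash manifest above is the stronger check.
files_modified_since() {
    dir=$1; ref=$2
    "$FIND" "$dir" -type f -newer "$ref"
}

# Demo when run as: sh integrity.sh --demo  (constructed temp files, not real data)
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf 'alpha\n' > "$work/a"
    baseline_hashes "$work" "$work.manifest"
    touch "$work.incident"; sleep 1
    printf 'tampered\n' > "$work/a"
    verify_hashes "$work" "$work.manifest" || echo "integrity check FAILED"
    files_modified_since "$work" "$work.incident"
    rm -rf "$work" "$work.manifest" "$work.incident"
fi
```

The manifest is only as trustworthy as where it lives: write it to removable or read-only media at install time, and run the verification from that media too, which is the same point the post makes about running Tripwire from a floppy. MD5 is kept here because that is what the thread discusses; `sha256sum` is a drop-in replacement and is what you would use today, since MD5 collisions are practical.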




