[CLUE-Tech] Hacker question

Jed S. Baer thag at frii.com
Thu Jul 31 18:49:34 MDT 2003


On Thu, 31 Jul 2003 16:28:29 -0600
Mike Staver <staver at fimble.com> wrote:

> I have had 3 RedHat 7.3 boxes apparently compromised on my network this 
> week alone.

Mike,

This doesn't help much for your current situation, but you should consider
running TripWire. http://tripwire.com/ -- Open Source version:
http://sourceforge.net/projects/tripwire

No, it won't do anything in the way of prevention, but it will identify
any files changed, added, or deleted on your machines. Knowing these
files, you can sometimes backtrack to the specific attack which
compromised your machine(s). Different attacks, or rootkits, have certain
"signatures" or "footprints" which can identify them (not always). Then,
knowing the attack used, you can better block it, and others like it, in
the future.

Also, if you run it every night, you know right away in the morning that
things have changed, so you aren't waiting for other evidence to get
noticed, such as your IRC traffic, or other undesirable things.

Yeah, TripWire can be a pain to administer. Probably worth it on a
production box.

jed
-- 
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
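A minimal integrity checker in the spirit of the Tripwire workflow described above, added here as an illustration. It is not Tripwire's own code or database format, and the directory tree, file contents and key it uses are constructed for the demo. It takes a snapshot of mode, owner, size and SHA-256 for every file under a root, stores the baseline with an HMAC so an intruder cannot quietly rewrite the database to match a trojaned binary, and then reports what was added, changed or deleted, which is the list you would use to backtrack the attack.

```python
"""Tripwire-style file-integrity check: snapshot, keyed baseline, compare.
Added example; not Tripwire's code. Tree, contents and key are constructed."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record mode and owner for every entry under root, plus size and hash
    for regular files and the target for symlinks (symlinks are not followed).
    Directory sizes are deliberately omitted: they vary by filesystem."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            entry = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):
                entry["size"] = st.st_size
                entry["sha256"] = _sha256(p)
            elif stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(p)
            snap[str(p.relative_to(root))] = entry
    return snap


def compare(baseline, current):
    """Classify each path as added, deleted, or changed (listing the attributes that differ)."""
    report = {"added": [], "changed": {}, "deleted": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["deleted"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            diffs = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if diffs:
                report["changed"][rel] = diffs
    return report


def save_baseline(snap, path, key):
    """Store the baseline with an HMAC; the key must not live on the monitored host."""
    body = json.dumps(snap, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    Path(path).write_text(json.dumps({"mac": tag, "db": body}))


def load_baseline(path, key):
    """Refuse a baseline whose HMAC does not verify (edited database)."""
    doc = json.loads(Path(path).read_text())
    expected = hmac.new(key, doc["db"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(doc["db"])


def demo():
    """Constructed scenario: baseline a tiny tree, then mimic a rootkit install."""
    key = b"constructed-demo-key"  # assumption: kept off-box in practice
    with tempfile.TemporaryDirectory() as tmp:
        tree, db = Path(tmp, "tree"), Path(tmp, "baseline.json")
        for d in ("bin", "etc", "var"):
            (tree / d).mkdir(parents=True)
        (tree / "bin" / "ls").write_bytes(b"\x7fELF original ls\n")
        (tree / "bin" / "ls").chmod(0o755)
        (tree / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (tree / "etc" / "passwd").chmod(0o644)
        (tree / "var" / "messages").write_text("Jul 31 18:49:34 host sshd: Accepted\n")
        save_baseline(snapshot(tree), db, key)  # the "nightly" baseline

        # Simulated compromise: trojaned ls, world-writable passwd,
        # a hidden directory under /dev, and a wiped log file.
        (tree / "bin" / "ls").write_bytes(b"\x7fELF trojan that hides /dev/.hidden\n")
        (tree / "etc" / "passwd").chmod(0o666)
        (tree / "dev" / ".hidden").mkdir(parents=True)
        (tree / "dev" / ".hidden" / "rootkit").write_text("evil\n")
        (tree / "var" / "messages").unlink()
        report = compare(load_baseline(db, key), snapshot(tree))

        # An intruder who rewrites the database to match must also forge the MAC.
        db.write_text(json.dumps({"mac": "0" * 64, "db": json.dumps(snapshot(tree))}))
        try:
            load_baseline(db, key)
            tampered = False
        except ValueError:
            tampered = True
    return report, tampered


if __name__ == "__main__":
    rep, tamper = demo()
    print(json.dumps(rep, indent=2))
    print("database tampering detected:", tamper)
```

Run nightly from cron, the report is empty on a quiet box and lists the touched paths otherwise; the practical caveats are the same as with Tripwire: the baseline must be taken on a known-clean system, the key and a copy of the database belong on read-only or off-host storage, and a kernel-level rootkit can lie to the checker itself, so a clean boot medium is the last word.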


