Security Incidents mailing list archives
Re: info
From: "W.G. Iyer" <guhan777 () yahoo com>
Date: Fri, 3 May 2002 17:27:17 -0700 (PDT)
> I would like some opinions, advice, or info on:
> - is there any way to view records? webmin has a 'last logon' option, but now that /var/log has been blown away, it's not working right..
The nature of the attack, i.e. the box is r00ted, indicates that you cannot trust any of the information you find with any certainty. With that said, you can check your /etc/syslog.conf file to see if there are any log files in a directory other than /var/log. You can also check services like Apache (httpd.conf) to see if they logged to a directory other than /var/log.
> - any other recommendations? I'm pretty proficient in Linux, but this is the first time I've run into a hacked box. From my past reading, I know the steps are to try and recover any data not malformed and reinstall. Any other pointers?
If your attacker was sloppy, you may find useful information in the users' history files, .bash_history, especially those of users with uid 0. If the hacked machine was behind a packet filter, or there is a sniffer on the line anywhere between the hacked box and the net that you have access to, you can check those logs as well.

Best of luck,
Guhan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
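The two checks suggested in this reply (syslog destinations outside /var/log, and the .bash_history of every uid-0 account) as an added shell example; it is not part of the original post. It takes the syslog.conf and passwd files as parameters so it can be pointed at copies pulled from a mounted image rather than at the live, untrusted system; the sample files below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: locate syslog file destinations outside /var/log and list
# the shell history file of every uid-0 account. Inputs are file paths so
# the checks can run against copies of the compromised system's files.

# Print absolute log file paths from a syslog.conf that are not under
# /var/log. Skips comments, remote hosts (@host), "*" (all users) and
# /dev/* targets; a leading "-" (no-fsync marker) is stripped.
offsite_logs() {
    conf="$1"
    sed 's/#.*//' "$conf" | awk 'NF >= 2 { print $NF }' | sed 's/^-//' \
      | grep '^/' | grep -v '^/var/log/' | grep -v '^/dev/' | sort -u
}

# Print "user:/path/to/.bash_history" for every account with uid 0 in the
# given passwd file (a second uid-0 account is itself worth noticing).
root_histories() {
    passwd="$1"
    awk -F: '$3 == 0 { print $1 ":" $6 "/.bash_history" }' "$passwd"
}

# Constructed sample input, not taken from any real system.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/syslog.conf" <<'EOF'
# sample syslog.conf
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                        /var/log/secure
auth,authpriv.*                   -/opt/audit/auth.log
kern.*                            /dev/console
*.emerg                           *
*.*                               @loghost.example
mail.*                            -/var/spool/maillog
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
toor:x:0:0:second root:/home/toor:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "Log destinations outside /var/log:"
offsite_logs "$tmp/syslog.conf"
echo "History files of uid-0 accounts:"
root_histories "$tmp/passwd"
```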