TCLUG Archive

Re: [TCLUG:953] security



yeah, I assumed from the start that they would have a copy of passwd, so I changed every
machine in the lab.

serge

Ben Kochie wrote:

> yep.. most likely a "script kiddie". These are usually high school students,
> or college students who have way too much free time, and very low morals.
> All they do is watch bugtraq mailing lists, and download easy-to-use
> scripts that give them root access.. they probably downloaded your
> /etc/passwd and shadow to run through a cracker.. so you will want to not
> use the same passwords again. :(
>
> On Thu, 20 Aug 1998, Serge M. Egelman wrote:
>
> > please do put them on the site.  Thanks for your help.  I think that it must have
> > been someone who was relatively new because they didn't even touch the logs (how I
> > found them), it turns out they came in from some ISP called bbn.com (a really big
> > ISP for big corporations), from the octane they went to other universities and
> > other machines in that lab (my linux box was one).  We already contacted the U
> > computer security people and they said they'd talk to people at bbn about a
> > trace.  But I still want to talk to the FBI.
> >
> > serge
> >
> > Bob Tanner wrote:
> >
> > > Quoting Serge M. Egelman (serge@egel2.med.umn.edu):
> > > > a couple days ago someone hacked into my dad's octane (he was stupid and
> > > > forgot to delete the 'demo' account on there).  anyways, they set up sniffing
> > > > and got onto my linux box, now I have to completely reinstall linux (along
> > > > with irix) because the security has been compromised.  Anyways, my question
> > > > is: Is there any other way of securing a system besides deleting the
> > > > defaults, shadowing the passwords, and getting rid of anon ftp?  Also, is it
> > > > worth it to contact the FBI or the Secret Service (I think they're the ones
> > > > who handle computer crime now?)?
> > >
> > > Easiest, but most expensive, is to get an Ethernet switch. If a hacker
> > > (more than likely a script kiddie) gets into one box and sets up a
> > > sniffer, the switch will prevent them from getting all of your Ethernet
> > > traffic since it only sends each box the traffic that is destined for
> > > that box. Unlike a shared hub, where one box sees all traffic for that
> > > segment. My recommendation is a BayNetwork 350T.
> > >
> > > Next, install ifstatus and run it every 5 minutes from cron. From
> > > ifstatus README
> > >
> > > This program can be run on a UNIX system to check the network interfaces
> > > for any that are in debug or promiscuous mode.  This may be the sign
> > > of an intruder performing network monitoring to steal passwords and the
> > > like (see CERT Advisory CA-94:01).
> > >
> > > Next install swatch to monitor your syslog output. Key off of
> > > important information. Have it email and page you on important events.
> > > Like telnet/ssh connects from root.
> > >
> > > Next install and use the tcpwrappers. Deny all connections from root
> > > to machines, like ALL: root@ALL: DENY. Run a mostly closed system.
> > > Meaning by default you cannot get in, unless you are explicitly let
> > > in.
> > >
> > > Finally install tripwire. To detect any changes to files that should
> > > not change.
> > >
> > > I can put all these tools onto the tclug site if you have trouble
> > > finding them.
> > >
> > > >
> > > > serge
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: tclug-list-unsubscribe@listserv.real-time.com
> > > > For additional commands, e-mail: tclug-list-help@listserv.real-time.com
> > > > Try our website: http://tclug.real-time.com
> > >
> > > --
> > > Bob Tanner <tanner@real-time.com>       | Phone : (612)943-8700
> > > http://www.real-time.com                | Fax   : (612)943-8500
> > > Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
> > >
> >
> >
> >
> >
> >
>
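The thread's advice to run ifstatus from cron every five minutes and have swatch watch syslog for the result can be reproduced on a current Linux box with nothing but iproute2, awk and logger. The script below is an added example written for this archive page, not ifstatus itself nor code from anyone in the thread. It assumes the `ip -o link show` output format of iproute2 (interface flags in angle brackets in the third field), that `logger` is available for the syslog line a swatch-style watcher would key on, and a hypothetical install path of /usr/local/sbin/promisc-check. The sample interface listing embedded in it is constructed, with eth0 deliberately shown in promiscuous mode, so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven promiscuous-interface
# check in the spirit of ifstatus, for a Linux box with iproute2.
# Assumptions: `ip -o link show` output format; `logger` present so a
# swatch-style syslog watcher can match the "PROMISCUOUS" line.

# find_promisc: read `ip -o link show` output on stdin and print the name
# of every interface whose flag list carries PROMISC, one per line.
find_promisc() {
    awk '$3 ~ /[<,]PROMISC[,>]/ {
        sub(/:$/, "", $2)     # "eth0:"      -> "eth0"
        sub(/@.*/, "", $2)    # "veth0@if5"  -> "veth0"
        print $2
    }'
}

# Constructed sample of `ip -o link show` output: lo and tun0 are clean,
# eth0 has been put into promiscuous mode (what a sniffer such as tcpdump does).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\    link/none'

# sample_promisc: run the parser over the constructed sample.
sample_promisc() {
    printf '%s\n' "$SAMPLE_LINKS" | find_promisc
}

# check_live: run the parser over the real interface list. Prints and
# syslogs one line per promiscuous interface and returns 1 if any were
# found, so cron (or a wrapper) can alert on the exit status as well.
check_live() {
    found=$(ip -o link show 2>/dev/null | find_promisc)
    [ -z "$found" ] && return 0
    for ifc in $found; do
        msg="interface $ifc is in PROMISCUOUS mode on $(hostname)"
        echo "$msg"
        if command -v logger >/dev/null 2>&1; then
            logger -p auth.warning -t promisc-check "$msg"
        fi
    done
    return 1
}

# Install as /usr/local/sbin/promisc-check (hypothetical path) and add to
# /etc/crontab, every five minutes as the thread suggests for ifstatus:
#   */5 * * * * root /usr/local/sbin/promisc-check --live
# Without --live the script only demonstrates the parser on the sample.
case "${1:-}" in
    --live) check_live; exit $? ;;
    *)      echo "promiscuous in sample: $(sample_promisc | tr '\n' ' ')" ;;
esac
```

Two caveats a practitioner should keep in mind. `ip -d link show` additionally prints a `promiscuity N` counter, which is the more reliable signal when several programs share an interface. And, exactly as with ifstatus, this is a host-based check: an intruder who already has root can replace `ip`, `awk` or the kernel's view of the flags, which is why the thread pairs it with Tripwire and with logs sent somewhere the intruder cannot edit.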