There is a really slick tool called "Snare for Linux" ("Snare for Windows" also) that works like Tripwire in realtime mode. If you configured it to alert you on any write attempt on a binary or any write on important config files, it would put an entry into syslog. Then your log watcher (swatch comes to mind) would page you as soon as anything hinky happened. Sure, the attack would already be underway, but at least you could contain the damage quicker.

If you have users on a box, the same idea can be applied to watch for lesser attacks as well.

Of course, keeping the box patched . . . firewall . . . minimal services . . . yada yada yada.

Regards,

George Toft
Computer Security
AGD,llc
www.agdllc.com
623-203-1760

Liberty Young wrote:
>
> On Fri, 2003-12-05 at 16:39, alandd@consultpros.com wrote:
> > > What is pan2? We just got hacked, and looking in the root's .bash_history, they downloaded pan2 from a .ro server, and it's still running. I was just wondering what that is..I can't seem to get a clear answer from Google.
> >
> > Side question that you probably want to ignore for now: Could you tell us about your setup and how you think the cracker got in?
> >
> > I am just curious about the whole story. How are you connected to the net? What firewall technology were you using? Was the box at home, work, co-lo? What OS? How did you discover the break-in? Etc.
> >
> > Right now, you need to do investigations and get secure again. But, at some point, I'd like to learn from your experience.
> >
> > Alan
>
> It was a work box, behind a DSL line and in the DMZ..my main server is pretty hardened, and has its own firewall in front of it. The hacked box was our web server.
>
> My guess is it was a rootkit, some script-kiddie tool. Honestly, I was asking for it. It was an old Mandrake 8.0 box I set up a few years ago, and updating rpms is a pain in the ass unless you're willing to upgrade your whole OS. Nothing new or exciting. I _was_ planning on upgrading it to Debian...I guess that priority just shot up to #1.
>
> I could tell cuz it was a very sloppy hack...php.ini was changed to default, so that broke some stuff as my includes were in a non-default location. That's what caused me to start looking into the box. The date on that file was yesterday...and nobody here at work changed it.
>
> /sbin/init also had a date of yesterday, too...which not only put up a red flag in my head, but also set off an alarm like a broken car alarm..that zaps passersby and kicks them...Ya. It started off as one of those days.
>
> Mandrake has some nice security stuff, such as medusa. It logs open network connections and logs them...the third of December had normal stuff (http, ftp, ssh), and today had a program called dsniff-st (network auditing tool) listening, as well as other anonymous broadcast listening programs running.
>
> Like I said, I had a suspicion with php.ini being changed, but the biggest flag raised was a changed init...I'm also sure a kernel module MUST be installed, but of course, it's obfuscated.
>
> Right now, I'm working on installing Debian on a different machine, then I'm going to take the hard drive of the old machine and metaphorically take it out back and shoot it. I was planning on installing Snort on a few machines (standalone NIDS, with a HIDS on our main server)...so as things install, I'm reading "Intrusion Detection with Snort", Koziol, Sams Publishing. Instead of coding this weekend, I guess I'll be reading that instead.
>
> As I'm reading the book, a theme keeps getting repeated...you have to know your infrastructure. Snort isn't a silver bullet, and is only useful if you understand what is and isn't normal behaviour. If I was away, a co-worker probably wouldn't have bothered to know why included files weren't there, and wouldn't become suspicious as to why php.ini had a changed date..which caused me to look at /sbin/init, a very commonly changed file in rooted boxen.
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
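A minimal baseline-and-verify check in the spirit of the Tripwire/Snare approach George describes, aimed at the kind of change that tipped Liberty off (a reverted php.ini and a replaced /sbin/init); this is an added example, not code from the thread or from Snare or Tripwire. The watched files, their contents and the tampering are all constructed in a temporary directory.

```python
"""Tripwire-style baseline/verify for a handful of critical files.
Added example (not from the thread): a digest plus stat fields are recorded
per watched path, and verify() reports every field that later differs."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(path: Path) -> dict:
    """Attributes that a content, permission or timestamp change would alter."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": st.st_mode, "mtime": st.st_mtime_ns}


def baseline(paths) -> dict:
    return {str(p): snapshot(Path(p)) for p in paths}


def verify(base: dict) -> dict:
    """Map each changed path to the fields that differ. The digest is compared,
    not only mtime: a timestamp can be put back after tampering, content can't."""
    findings = {}
    for name, old in base.items():
        p = Path(name)
        if not p.exists():
            findings[name] = {"missing"}
            continue
        new = snapshot(p)
        diff = {k for k in old if old[k] != new[k]}
        if diff:
            findings[name] = diff
    return findings


def demo() -> dict:
    """Constructed scenario: php.ini reset to defaults, init swapped with
    its mtime restored. Returns {basename: changed fields}."""
    with tempfile.TemporaryDirectory() as d:
        ini, init = Path(d, "php.ini"), Path(d, "init")
        ini.write_text("include_path = /srv/lib\n")
        init.write_bytes(b"\x7fELF-original")
        base = baseline([ini, init])
        ini.write_text("include_path = .\n")                 # config reverted
        init.write_bytes(b"\x7fELF-trojaned")                # binary replaced
        os.utime(init, ns=(base[str(init)]["mtime"],) * 2)  # timestamp restored
        return {Path(k).name: v for k, v in verify(base).items()}
```

Running demo() flags php.ini on digest and size and the swapped init on digest alone, even though its timestamp matches the baseline. On a box suspected of carrying a kernel-module rootkit, run such a check from trusted boot media, since a compromised kernel can misreport file contents.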