user tracking

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: plug@arcticmail.com
Date:  
Subject: user tracking
There are also other items in a standard rootkit.

You could spend time checking ls, ps, top, sum, yada
yada yada, against your pristine versions on read-only
installation media (after booting into single-user
mode on pristine read-only trusted media (and ONLY
running binaries from said media)), but IMHO your best
bet after a breach/rootkit incident is to take off and
nuke the site from orbit. It's the only way to be sure.

I'm sure there's a HOWTO on cleaning up your system
after a rootkit "upgrade." Check Google.


D

* On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> Thanks for the responses. I never know about the command "last". Very
> cool. I've already found out most of what I needed. It was some guy over
> in Russia. Those punks! :-) He left some cool utilz on the hard drive
> for me though. A login replacement that logs all usernames and passwords
> and a in.ftpd replacement. That's how he got in in the first place. I
> was running wu-ftpd 2.5.x... I already know there's tons of documented
> exploits with that verison. I've just upgraded to wu-ftpd 2.6 so that
> should slow 'em down a little bit.
>
> Don
>
> On 26 Sep 2000, Bill Warner wrote:
>
> > This information is located in the /etc/shadow file. it is refrenced
> > in the standard unix time thing (seconds sense jan 1 1970) check
> > man shadow for more details
> >
> > Bill Warner
> >
> > > Hey guys.
> > >       At login I get a printout of when the last login occured.  Where
> > > is that info stored?  I want to check out a user on the system but
> > > don't want to log in as them.  One of the machines I work with had the
> > > root account compromised.  It's just running a few mushes so it's not that
> > > big of deal but I don't want it happening again.  I went through it with a
> > > fine tooth comb and wouldn't mind it if any of you guys tried to whack at
> > > it...  Lemme know what you find.  The IP is 205.216.140.17

> > >
> > > Don