user tracking

Kevin Brown kevin_brown@uswest.net
Tue, 26 Sep 2000 00:53:39 -0700


Hmm, I start a job in the CC next Monday doing sysadmin work for a small group
of people at ASU.  My job is basically to take over that part of their work so
they can devote their time to a program they are writing.  Looks like I will be
handling Solaris, BSD, Linux, NT and 2000.  Security is an issue that I will be
facing and it's not something I've spent much time worrying about.  My systems
are behind a Cisco router 675 (not that it's very secure, but it does have a
changing external IP).  Haven't done much even when the router was in bridging
mode (configured ipchains to only allow forwarding from the internal network if
the destination was not on the internal network and to ignore any external requests
that weren't initiated internally).  Kinda simplistic, but the box was there just
to do masquerading for my 9 other systems in the house (NT, Win98, Linux, 2000
Server, etc...).

Without doing an 'rm -rf *' or 'format c:', what are some good sites or utils
for aiding in tightening the hatches on a system (i.e. how-to's, or sites
similar to http://www.securityfocus.com).  

Also I will be working on automation of the NT systems to make sure they are all
running the same software; anyone have any experience with this or have pointers
for how?  I vaguely recall something for the Win95 resource kit doing this, damn,
wish I hadn't gotten rid of it.

> We were going to implement a tool at work to monitor 20-30 various nixen
> boxes (DEC, Linux, BSDs [we need more of these <g>]) using some csh
> scripting, ssh, and rsync, and tie it into our bb stuff.
> 
> I was reading something and came across this link which does almost the same
> task that we want, except with perl.
> http://perl.oreilly.com/news/sysadmin_0800.html
> 
> The proggies you mentioned below were on the top of our list to monitor.
> We've got boxes (tier 3...we're not the admins) that get broken into fairly
> often (ASU is a favored target for douche bags, I mean script kiddies).
> Usually it's one break-in and we're the admin or they don't get their ether
> cable back. E.g., last week, a tier-3 system was compromised and flooded an
> entire subnet, spiked the router to 100% for a few hours, and pissed off two
> TSAs.
> 
> -----Original Message-----
> From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of
> plug@arcticmail.com
> Sent: Monday, September 25, 2000 10:59 PM
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: user tracking
> 
> There are also other items in a standard rootkit.
> 
> You could spend time checking ls, ps, top, sum, yada
> yada yada, against your pristine versions on read-only
> installation media (after booting into single-user
> mode on pristine read-only trusted media (and ONLY
> running binaries from said media)), but IMHO your best
> bet after a breach/rootkit incident is to take off and
> nuke the site from orbit.  It's the only way to be sure.
> 
> I'm sure there's a HOWTO on cleaning up your system
> after a rootkit "upgrade."  Check Google.
> 
> D
> 
> * On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> > Thanks for the responses.  I never knew about the command "last".  Very
> > cool.  I've already found out most of what I needed.  It was some guy over
> > in Russia.  Those punks!  :-)  He left some cool utilz on the hard drive
> > for me though.  A login replacement that logs all usernames and passwords
> > and an in.ftpd replacement.  That's how he got in in the first place.  I
> > was running wu-ftpd 2.5.x... I already know there's tons of documented
> > exploits with that version.  I've just upgraded to wu-ftpd 2.6 so that
> > should slow 'em down a little bit.
> >
> > Don
> >
> > On 26 Sep 2000, Bill Warner wrote:
> >
> > > This information is located in the /etc/shadow file.  It is referenced
> > > in the standard unix time thing (seconds since Jan 1 1970).  Check
> > > man shadow for more details.
> > >
> > > Bill Warner
> > >
> > > > Hey guys.
> > > >       At login I get a printout of when the last login occurred.  Where
> > > > is that info stored?  I want to check out a user on the system but
> > > > don't want to log in as them.  One of the machines I work with had the
> > > > root account compromised.  It's just running a few mushes so it's not that
> > > > big of a deal but I don't want it happening again.  I went through it with a
> > > > fine tooth comb and wouldn't mind it if any of you guys tried to whack at
> > > > it...  Lemme know what you find.  The IP is 205.216.140.17
> > > >
> > > > Don
> 
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
> to the list quickly and you use Netscape to write mail.
> 
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
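An added example, not written by anyone in this thread, of the pristine-copy comparison D describes above: hash the commonly trojaned binaries from a read-only trusted tree, then check the live system's copies against that baseline. The trusted and live trees, the modified ps and the missing top are all constructed in temporary directories; on a real box the hashing tool itself would, as D says, also have to come from the trusted media.

```python
import hashlib
import os
import tempfile

# Binaries the reply lists as typical rootkit replacements (sum included).
WATCHED = ("ls", "ps", "top", "sum")

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(trusted_root, names=WATCHED):
    """Known-good hashes taken from the read-only install media at trusted_root."""
    return {n: sha256_of(os.path.join(trusted_root, n)) for n in names}

def verify(manifest, live_root):
    """Compare live copies against the manifest: 'ok', 'MODIFIED' or 'MISSING'."""
    report = {}
    for name, good in manifest.items():
        path = os.path.join(live_root, name)
        if not os.path.exists(path):
            report[name] = "MISSING"
        else:
            report[name] = "ok" if sha256_of(path) == good else "MODIFIED"
    return report

def demo():
    """Constructed scenario: identical trees, then ps is altered and top removed on the live side."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as live:
        for n in WATCHED:
            for root in (trusted, live):
                with open(os.path.join(root, n), "wb") as f:
                    f.write(b"#!/bin/sh\necho pristine " + n.encode() + b"\n")
        with open(os.path.join(live, "ps"), "ab") as f:
            f.write(b"# constructed marker standing in for a trojaned binary\n")
        os.remove(os.path.join(live, "top"))
        return verify(build_manifest(trusted), live)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:4s} {status}")
```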