user tracking

plug@arcticmail.com plug@arcticmail.com
Tue, 26 Sep 2000 13:35:42 -0700


At a talk that Jon "Maddog" Hall gave at MCC, he
spoke of a University here in the US that was
using a cron job on a Linux box to re-image (using
"dd") the hard disks of ALL M$-based systems in
the computer center EVERY NIGHT.

Of course, within minutes of the re-imaging process
I'm sure that the M$ boxen were re-breached and
chock full of virii.  :)


D

* On Tue, Sep 26, 2000 at 12:53:39AM -0700, Kevin Brown wrote:
> Hmm, I start a job in the CC next monday doing sysadmin work for a small group
> of people at ASU.  My job is basically to take over that part of their work so
> they can devote their time to a program they are writing.  Looks like I will be
> handling Solaris, BSD, linux, NT and 2000.  Security is an issue that I will be
> facing and it's not something I've spent much time worrying about.  My systems
> are behind a cisco router 675 (not that it's very secure, but it does have a
> changing external ip).  Haven't done much even when the router was in bridging
> mode (configured ipchains to only allow forwarding from the internal network if
> destination was not on the internal network and to ignore any external requests
> that weren't initiated internally).  Kinda simplistic, but the box was there just
> to do masquerading for my 9 other systems in the house (NT, Win98, Linux, 2000
> server, etc...).
> 
> Without doing an 'rm -rf *' or 'format c:', what are some good sites or utils
> for aiding in tightening the hatches on a system (i.e. how-to's, or sites
> similar to http://www.securityfocus.com).  
> 
> Also I will be working on automation of the NT systems to make sure they are all
> running the same software; anyone have any experience with this or have pointers
> for how?  I vaguely recall something for the win95 resource kit doing this, damn
> wish I hadn't gotten rid of it.
> 
> > We were going to implement a tool at work to monitor 20-30 various nixen
> > boxes (DEC, Linux, BSDs [we need more of these <g>]) using some csh
> > scripting, ssh, and rsync, and, tie it into our bb stuff.
> > 
> > I was reading something and came across this link which does almost the same
> > task that we want, except with perl.
> > http://perl.oreilly.com/news/sysadmin_0800.html
> > 
> > The proggies you mentioned below were on the top of our list to monitor.
> > We've got boxes (tier 3...we're not the admins) that get broken into fairly
> > often (ASU is a favored target for douche bags, i mean script kiddies).
> > Usually it's one break-in and we're the admin or they don't get their ether
> > cable back. EG, last week, a tier-3 system was compromised and flooded an
> > entire subnet, spiked the router to 100% for a few hours, and pissed off two
> > TSAs.
> > 
> > -----Original Message-----
> > From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> > [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of
> > plug@arcticmail.com
> > Sent: Monday, September 25, 2000 10:59 PM
> > To: plug-discuss@lists.PLUG.phoenix.az.us
> > Subject: Re: user tracking
> > 
> > There are also other items in a standard rootkit.
> > 
> > You could spend time checking ls, ps, top, sum, yada
> > yada yada, against your pristine versions on read-only
> > installation media (after booting into single-user
> > mode on pristine read-only trusted media (and ONLY
> > running binaries from said media)), but IMHO your best
> > bet after a breach/rootkit incident is to take off and
> > nuke the site from orbit.  It's the only way to be sure.
> > 
> > I'm sure there's a HOWTO on cleaning up your system
> > after a rootkit "upgrade."  Check Google.
> > 
> > D
> > 
> > * On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> > > Thanks for the responses.  I never knew about the command "last".  Very
> > > cool.  I've already found out most of what I needed.  It was some guy over
> > > in Russia.  Those punks!  :-)  He left some cool utilz on the hard drive
> > > for me though.  A login replacement that logs all usernames and passwords
> > > and an in.ftpd replacement.  That's how he got in in the first place.  I
> > > was running wu-ftpd 2.5.x... I already know there's tons of documented
> > > exploits with that version.  I've just upgraded to wu-ftpd 2.6 so that
> > > should slow 'em down a little bit.
> > >
> > > Don
> > >
> > > On 26 Sep 2000, Bill Warner wrote:
> > >
> > > > This information is located in the /etc/shadow file.  It is referenced
> > > > in the standard unix time thing (seconds since Jan 1 1970); check
> > > > man shadow for more details.
> > > >
> > > > Bill Warner
> > > >
> > > > > Hey guys.
> > > > >       At login I get a printout of when the last login occurred.  Where
> > > > > is that info stored?  I want to check out a user on the system but
> > > > > don't want to log in as them.  One of the machines I work with had the
> > > > > root account compromised.  It's just running a few mushes so it's not that
> > > > > big of a deal but I don't want it happening again.  I went through it with a
> > > > > fine tooth comb and wouldn't mind it if any of you guys tried to whack at
> > > > > it...  Lemme know what you find.  The IP is 205.216.140.17
> > > > >
> > > > > Don
> > 
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
> > to the list quickly and you use Netscape to write mail.
> > 
> > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > 
> 
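The integrity check the thread recommends (comparing ls, ps, top and friends against pristine copies on trusted read-only media, using only tools from that media) as an added shell example that is not from this thread or from any list member; TRUSTED_CMP, the directory layout and the sample files in demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify live system binaries against
# pristine copies on trusted read-only media. TRUSTED_CMP and the paths
# in demo() are assumptions for illustration.

# Compare tool: in a real check, point this at the copy on the trusted media
# (e.g. TRUSTED_CMP=/mnt/cdrom/usr/bin/cmp), because a rootkit that trojans
# ls/ps/top may have trojaned cmp/md5sum/sum on the live disk as well.
: "${TRUSTED_CMP:=cmp}"

# verify_binaries PRISTINE_DIR LIVE_DIR NAME...
# Prints OK / MODIFIED / MISSING per binary, then a SUMMARY line.
verify_binaries() {
    pristine=$1; live=$2; shift 2
    bad=0; total=0
    for name in "$@"; do
        total=$((total + 1))
        if [ ! -f "$live/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1))
        elif "$TRUSTED_CMP" -s "$pristine/$name" "$live/$name"; then
            echo "OK       $name"
        else
            echo "MODIFIED $name"; bad=$((bad + 1))
        fi
    done
    echo "SUMMARY: $bad of $total binaries failed verification"
    return 0
}

# demo: constructed directories standing in for /mnt/cdrom/bin (pristine)
# and /bin (live). Plain text files stand in for executables; "ps" has been
# replaced and "sum" is gone, simulating a rootkit installation.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pristine" "$tmp/live"
    for n in ls ps top sum; do
        printf 'genuine %s\n' "$n" > "$tmp/pristine/$n"
    done
    cp "$tmp/pristine/ls" "$tmp/pristine/top" "$tmp/live/"
    printf 'trojaned ps\n' > "$tmp/live/ps"
    verify_binaries "$tmp/pristine" "$tmp/live" ls ps top sum
    rm -rf "$tmp"
}

demo
```

Boot from the trusted media in single-user mode before running it; a check run under a live, possibly trojaned kernel and shell can be lied to no matter which cmp it calls.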