[nzlug] compromised server?
yuri
yuridg at gmail.com
Sat May 12 17:48:12 NZST 2007
On 10/05/07, Michael J. Knox wrote:
> Log files, /var/log/, shell history of the users you have on the install
> are probably good places to start. Does sudo under ubuntu log to its own
> file? I am not sure, debian sarge doesn't by default. I use logwatch to
> tell me some of the above.
>
> apache logs, /var/log/apache2/, would probably provide useful insight.
Be aware that a cracker may have modified the logs to hide his tracks.
A cracker may also install cracked versions of tools like 'ps' to hide
any trojan services running on that box.
Placing a hub (or switch with a monitoring port) between the suspect
box and the router to the outside world will allow you to sniff
traffic with another computer.
Yuri
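A concrete version of the cross-check Yuri's point about a tampered 'ps' implies, added here as an example and not part of the original thread: it compares the PIDs the kernel exposes as directories under /proc with the PIDs that ps reports, since a replaced ps can omit entries but the kernel's own view still lists every live process. The sample ps output embedded in the script is constructed.

```python
"""Cross-check the process list reported by ``ps`` against /proc.

Added example, not part of the original mailing-list post. A tampered ``ps``
can omit processes, but the kernel still exposes every live process as a
numeric directory under /proc; PIDs in /proc that ps does not report deserve
a closer look (ideally from a clean boot medium, since /proc can be hidden
from too by a kernel-level rootkit).
"""
import os
import subprocess
from typing import Iterable, List, Set

# Constructed sample of ``ps -eo pid`` output used for the self-test below.
SAMPLE_PS_OUTPUT = "  PID\n    1\n  742\n 1203\n"


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Return the set of PIDs found in the text output of ``ps -eo pid``."""
    pids = set()
    for line in ps_output.splitlines():
        token = line.strip()
        if token.isdigit():  # skips the "PID" header and blank lines
            pids.add(int(token))
    return pids


def proc_pids() -> Set[int]:
    """Return the PIDs the kernel exposes as numeric directories in /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def hidden_pids(kernel_pids: Iterable[int], ps_pids: Iterable[int]) -> List[int]:
    """PIDs present in the kernel's view but missing from ps's view, sorted."""
    return sorted(set(kernel_pids) - set(ps_pids))


def main() -> None:
    # The two snapshots are not atomic: a process that exits or starts between
    # them shows up as a false positive, so re-run before acting on a hit.
    kernel_view = proc_pids()
    ps_run = subprocess.run(["ps", "-eo", "pid"], capture_output=True,
                            text=True, check=True)
    for pid in hidden_pids(kernel_view, parse_ps_pids(ps_run.stdout)):
        print(f"PID {pid} is in /proc but not reported by ps")


if __name__ == "__main__":
    main()
```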