intrusion tracking

Once again I find myself trying to help someone piece together how an
intruder managed to get into their system.  The system was way out of
date (FC6) so it is no surprise that they got compromised.  From what I can
tell, the intruder managed to get root, which allowed them to remove the
iptables file and lower the protection on ssh to allow unix passwords.
The attacker then installed an ssh-probing client in /root.  The lowered
ssh security allowed a second intrusion at user level (probably by
password guessing) where an IRC bot was installed and run from cron with
normal user permissions.

It would have been nice to know when and how they initially got in.  The
site runs a handful of daemons (postfix, named, ntp, apache, dovecot), so
any of them could have allowed the initial intrusion.  They didn't have
selinux enabled, so that compounded problems.  Clearly the top-level
answer is to just impress upon them the fact that they need to stay
current and keep selinux enabled.  It still would be nice to know how
the attackers got in though.

The real issue is that there isn't a good activity log.  While I can
install tripwire to watch for changed files, it probably won't tell me
how they got in.  Is there something that addresses that problem?  Some
poor sucker always has to be the first victim of a new attack.  It would
be nice to know which service to disable or reconfigure until a fix is
distributed.  Is there some way to track intruders that I'm missing?

-wolfgang
-- 
Wolfgang S. Rupprecht      http://www.wsrcc.com/wolfgang/      (IPv6-only)
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
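The post describes three artifacts left on the box (an sshd_config loosened to accept passwords, a cron-launched bot running as a normal user, and a user-level login that was probably guessed) and asks what record would show how it happened. The script below is an added example, not code from the post or from Fedora: it checks those three artifacts the way a first-pass triage would, using sshd's own log (/var/log/secure on Fedora) as the "activity log" for the second, password-guessed intrusion. Every input is constructed inline; the hostname "fc6", the user "bob", the IP addresses, the cron paths and the function names are assumptions, not data from the original message.

```python
# Added example (not from the post or from Fedora): triage the post-compromise
# artifacts the message describes. All sample inputs are constructed; the host
# "fc6", user "bob", IPs and paths are assumptions.
import re
from collections import defaultdict

# Constructed sshd_config: the intruder put "PasswordAuthentication yes" ABOVE
# the original "no". sshd honours the FIRST occurrence of a keyword, so the
# hardened line further down is silently dead.
SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # original setting, now shadowed
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed excerpt of /var/log/secure, where Fedora's syslog sends sshd.
SECURE_LOG = """\
Mar  3 02:14:01 fc6 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Mar  3 02:14:05 fc6 sshd[2233]: Failed password for invalid user test from 198.51.100.7 port 51003 ssh2
Mar  3 02:14:09 fc6 sshd[2235]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar  3 02:14:14 fc6 sshd[2237]: Failed password for bob from 198.51.100.7 port 51006 ssh2
Mar  3 02:14:19 fc6 sshd[2239]: Failed password for bob from 198.51.100.7 port 51008 ssh2
Mar  3 02:14:24 fc6 sshd[2241]: Failed password for bob from 198.51.100.7 port 51009 ssh2
Mar  3 02:14:40 fc6 sshd[2244]: Accepted password for bob from 198.51.100.7 port 51011 ssh2
Mar  3 03:00:02 fc6 sshd[2301]: Accepted publickey for wolfgang from 203.0.113.9 port 40112 ssh2
"""

# Constructed `crontab -l` output for the user account that ran the bot.
CRONTAB = """\
MAILTO=""
*/10 * * * * /home/bob/.x/bot >/dev/null 2>&1
0 3 * * * /usr/bin/updatedb
@reboot /var/tmp/.sh/run
"""


def audit_sshd_config(text):
    """Return (effective_settings, findings); first match wins, stop at Match."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":          # conditional block: needs per-connection evaluation
            break
        effective.setdefault(key, value)
    findings = []
    # PasswordAuthentication defaults to yes, so an absent line is a finding too.
    if effective.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes (or unset): guessing is possible")
    if effective.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root reachable by password")
    if effective.get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    return effective, findings


FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_password_guessing(lines, min_failures=5):
    """Password logins preceded by >= min_failures failures from the same IP.
    Returns [(ip, failures_before_success, user, line_number)]; key logins ignored."""
    failures = defaultdict(int)
    hits = []
    for n, line in enumerate(lines, 1):
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] >= min_failures:
            hits.append((m.group(3), failures[m.group(3)], m.group(2), n))
    return hits


# Commands run out of world-writable or hidden directories are the usual
# footprint of a user-level bot; flag them for a human to inspect.
SUSPECT_PATH = re.compile(r"(?:^|[\s;|&])(?:/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+/")


def audit_crontab(lines):
    """Return the command of every crontab entry that touches a suspect path."""
    flagged = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                   # comment or VAR=value
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(fields) < (2 if line.startswith("@") else 6):
            continue
        if SUSPECT_PATH.search(fields[-1]):
            flagged.append(fields[-1])
    return flagged


if __name__ == "__main__":
    print("sshd:", audit_sshd_config(SSHD_CONFIG)[1])
    print("guessing:", find_password_guessing(SECURE_LOG.splitlines()))
    print("cron:", audit_crontab(CRONTAB.splitlines()))
```

The sshd check deliberately mirrors sshd's first-match rule rather than taking the last value, because that is exactly how an appended hardening line ends up ignored. The log check only answers the second, user-level intrusion; it sees nothing of the initial root compromise and only what survived on the box, which is why an off-host copy of /var/log/secure (remote syslog) is what actually answers the "how did they get in" question the post asks.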

