On Sun, Jun 02, 2002 at 10:41:36AM +0800, Huter.Liu wrote:
> hi, Hal Burgiss!
> I know how to fix a damaged system. I'll install rh7.3 and use vsftpd to do the ftp server, and I'll change the ftp port to 2323 and just open ftp to internal networks (using ipchains)....
> I'm not the manager of this damaged system; my friend manages it. Just a few days ago he found the ps and netstat commands couldn't be used, so he found his system had been cracked. Now we want to find out the cracker. My friend is good at programming, and he has now written a program to record the attempted requests to ports 21 and 23, but I want to gather more information from the system log or other related things......

Your word wrap didn't.

> Thank you very much, hehe.

If you want to play with the system and learn, fine. First, go get "chkrootkit" <www.chkrootkit.org>, build it and run it. See what it says about any rootkits. Before anyone chimes in about running these tools on a compromised system, I'll point out that it is quite effective for the rootkits that are listed and is capable of spotting numerous others. There's no guarantee that you are not infested with one it doesn't spot, but the idea is to look for and eliminate the ones it does. You can do this on the running machine; you just still can't trust it to be clean. That's why you follow this course if you want to invest some time in learning. You can clean it up pretty good. I've done this remotely in the past, and subsequent scanning and IDS testing indicated the resulting system was clean. Still, you don't want to do this if you can avoid it. It's time consuming and educational to try, though.

As far as tracking the perps goes, the safest thing is to have a second box which can sniff the network. Trying to monitor their behavior from a compromised system which has live hostiles on it is NOT a good idea at all. Several in the underground have been known to turn the tables on their watchers and later post the sysadmins' conversations about the compromise investigation. There are tools out there for reassembling sniffed data streams to recover conversations.

Trying to invest time in programming booby-trapped programs can be an exercise in futility. If you want to lay some goodies about for them to find, you might check out the Deception Tool Kit (sorry, I don't have the URL handy; Google is your friend, or you might try some security sites like Security Focus). Again, you monitor their behavior from another system. Going down this road, what you are doing is setting up a honeypot. The question becomes, what do you intend to do with the data?

If you just want to do this for a learning experience, enjoy. You'll find more information on honeypots up at the HoneyNet Project, www.honeynet.org.

If you are trying to track down the perpetrators, ask yourself why. It doesn't sound like you have any grounds for legal action. Was there any monetary loss, did they "damage" information on the system, did they steal anything (beyond the computer access) or compromise your business or reputation? Depending on your country and the country they are in, what they did was probably illegal (there are still a couple of countries where it is not, sigh...), but prosecuting them is next to impossible, even in big cases. If you are just going to try and get them "thrown off the net", I wouldn't count on it. Most network providers will just give them a warning. I spent 6 months trying to deal with an individual at the ISP I get my service from who has been chronically (we think deliberately) infected with CodeRed and Nimda. They are now "filtering" that IP address, but he is still on the net.

I see you are in China. If it's from another Chinese site, you might have a shot. OTOH... I get a lot of attack attempts from China and Korea and others in the Pacific basin. Funny how so many of them, once they break into a system and crank up their IRC services, seem to speak Romanian or some other Eastern European language. I didn't know those languages were so popular in the Far East (I'm cracking a joke). I would not be surprised if you learned that you had been busted into by someone from either Eastern Europe or some other country outside of the Asia Pacific region.

If you want to play with them and learn something, enjoy. Just be forewarned that they are already better at this than you are. You might also need an interpreter. Be extremely careful you don't end up victimized even further.

> >The reason being someone else seems to have root access on your
> >machine, and may have multiple backdoors that are well concealed, and
> >you may never find them all.
> [EMAIL PROTECTED]
> 2002-06-02

Mike
--
Michael H. Warfield    | (770) 985-6132 | [EMAIL PROTECTED]
/\/\|=mhw=|\/\/        | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9        | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    | possible worlds. A pessimist is sure of it!

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
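The reply above recommends watching the intruders from a second box that sniffs the wire and notes that tools exist for reassembling sniffed streams into conversations. The block below is an added example, not code from the post or from any tool it names: a dependency-free Python reassembler that reads a pcap, groups TCP segments by connection, orders each direction's payload by sequence number and discards retransmissions, which is the minimum needed to turn a raw capture of an intruder's IRC session back into readable text. The IRC-style exchange between 10.0.0.5:3000 and 192.168.1.10:6667 is constructed inline for the demonstration; the hosts, ports and lines are assumptions, not data from the post.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PCAP_MAGIC = 0xA1B2C3D4   # microsecond pcap, native byte order
PSH_ACK, ACK = 0x18, 0x10


def build_tcp_frame(src_ip, sport, dst_ip, dport, seq, flags, payload):
    """Build an Ethernet/IPv4/TCP frame for constructed test captures.
    Checksums are left zero; the reassembler below does not validate them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap global header plus one record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1023000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (timestamp, frame_bytes) from pcap bytes, either byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, seq, flags, payload) for a TCP
    frame, or None for anything that is not IPv4/TCP or is truncated."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len or total_len < ihl + 20:
        return None
    ip = ip[:total_len]                      # drop Ethernet padding/trailer
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_res, flags = struct.unpack_from("!HHIIBB", tcp, 0)
    return src, sport, dst, dport, seq, flags, tcp[(off_res >> 4) * 4:]


def reassemble(pcap):
    """Group TCP payload by conversation and direction, ordered by sequence.
    Returns {((ipA, portA), (ipB, portB)): {(src, sport, dst, dport): bytes}}.
    Retransmitted or overlapping bytes are dropped; gaps (segments the
    sniffer missed) are not padded, so text after a gap simply follows."""
    segments = {}
    for _ts, frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, _flags, payload = parsed
        if not payload:
            continue                         # SYN/ACK/FIN-only segments carry no data
        conv = tuple(sorted([(src, sport), (dst, dport)]))
        segments.setdefault(conv, {}).setdefault((src, sport, dst, dport), []).append((seq, payload))
    streams = {}
    for conv, directions in segments.items():
        streams[conv] = {}
        for direction, segs in directions.items():
            segs.sort(key=lambda s: s[0])
            expected, chunks = segs[0][0], []
            for seq, payload in segs:
                end = seq + len(payload)
                if end <= expected:
                    continue                 # pure retransmission, already have it
                if seq < expected:
                    payload = payload[expected - seq:]   # trim the overlapping prefix
                chunks.append(payload)
                expected = end
            streams[conv][direction] = b"".join(chunks)
    return streams


# Constructed sample capture (hypothetical hosts): an IRC-style login seen
# out of order and with one retransmission, plus a data-less ACK.
ATTACKER, VICTIM = ("10.0.0.5", 3000), ("192.168.1.10", 6667)
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(*ATTACKER, *VICTIM, 1011, PSH_ACK, b"JOIN #bots\r\n"),     # arrives first
    build_tcp_frame(*ATTACKER, *VICTIM, 1000, PSH_ACK, b"NICK r00t\r\n"),      # but precedes it
    build_tcp_frame(*VICTIM, *ATTACKER, 5000, PSH_ACK, b":irc 001 r00t :Welcome\r\n"),
    build_tcp_frame(*ATTACKER, *VICTIM, 1000, PSH_ACK, b"NICK r00t\r\n"),      # retransmission
    build_tcp_frame(*ATTACKER, *VICTIM, 1023, ACK, b""),                       # no payload
])

if __name__ == "__main__":
    for conv, directions in reassemble(SAMPLE_PCAP).items():
        for (src, sport, dst, dport), data in directions.items():
            print(f"{src}:{sport} -> {dst}:{dport}\n{data.decode('latin-1')}")
```

Pointed at a real capture from the sniffer box (for example one written by tcpdump with `-w`), the same `reassemble()` call yields each side of every TCP conversation; packets from a second interface or non-TCP traffic are ignored by `parse_tcp()`. The caveat from the post still applies: run it on the sniffer, never on the compromised host.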