[NCLUG] Securing ftpd
Matt Pujol
mattp at lsil.com
Tue Mar 20 15:41:10 MST 2001
-----Original Message-----
From: nclug-admin at nclug.org [mailto:nclug-admin at nclug.org]On Behalf Of
Michael Dwyer
Sent: Tuesday, March 20, 2001 3:21 PM
To: nclug at nclug.org
Subject: Re: [NCLUG] Securing ftpd
----- Original Message -----
From: "dobbster" <dobbster at dobbster.com>
To: <nclug at nclug.org>
Sent: Tuesday, March 20, 2001 1:39 PM
Subject: Re: [NCLUG] Securing ftpd
> For that matter, (I know this has been discussed before) is there an
> obvious way to tell if they have succeeded? 'ls' and other commands
> still seem intact.
Run nmap (www.insecure.org) against your own machine. Look for
mysterious ports open.
When I've been hacked, they've left footprints in /var/log/messages. One
thing they do is create a user account called cgi. Also, pay close
attention to ls -alg. They like to hide their "stuff" in directories named
".. " or similar. While they may leave ls alone, they usually hack ps to
hide what they run. One other thing I noticed is on shutdown my ethernet
card reported being in "promiscuous mode". That's a dead giveaway.
Happy securing!
Matt
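
The indicators named in this thread (an account called cgi, directories named ".. ", an interface in promiscuous mode) can be checked with a short script; this is an added example, not part of the original messages. The function names are hypothetical, and every path is a parameter on the assumption that the checks are run from trusted tools against a mounted copy of the disk, since the thread notes that ps on the affected host may be replaced.

```shell
#!/bin/sh
# Added example: triage checks for the indicators named in this thread.
# All paths are parameters so the checks can be pointed at a mounted disk
# image or a constructed fixture instead of the live system.

# Print accounts in a passwd file whose login name is on the given list
# (the thread mentions an account called "cgi").
suspect_accounts() {  # usage: suspect_accounts PASSWD_FILE NAME...
    file=$1; shift
    for name in "$@"; do
        awk -F: -v n="$name" '$1 == n { print $1 }' "$file"
    done
}

# Print directories whose name starts with a dot and contains whitespace
# (".. " and similar), or is exactly three dots.
odd_dirs() {  # usage: odd_dirs ROOT
    find "$1" -xdev -type d \( -name '.*[[:space:]]*' -o -name '...' \) 2>/dev/null
}

# Print interfaces whose sysfs flags word has IFF_PROMISC (0x100) set.
promisc_ifaces() {  # usage: promisc_ifaces SYS_CLASS_NET_DIR
    for f in "$1"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        [ -n "$flags" ] || continue
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Print log lines that record a promiscuous-mode change on an interface.
promisc_log() {  # usage: promisc_log LOG_FILE
    grep -i 'promiscuous mode' "$1"
}
```

On a Linux system the live equivalents of the parameters are /etc/passwd, /, /sys/class/net and /var/log/messages; output from any of the four functions is a lead to investigate, and empty output does not prove the host is clean.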