
invader

 
SOLVED
Go to solution
David Shao
Advisor

invader

If an invader purged my /etc/wtmp file, how can I find the invasion information?
David Shao
Paula J Frazer-Campbell
Honored Contributor

Re: invader

Hi

Do you include it in your backup?

Do you still have a btmp? If so, a lastb might help.


A safety option is to ftp copies of critical system files to another machine, putting a timestamp on them.


Paula
If you can spell SysAdmin then you is one - anon
Michael Tully
Honored Contributor

Re: invader

The only way to get these back is from your backup tapes. You can also check your /var/adm/sulog and the /var/adm/syslog/syslog.log file for all instances of switching to other user accounts.

One of the first things to do is change the 'root' password of all of your systems, and implement a far more stringent use of 'super' user privileges, like 'sudo'.

As suggested by Paula, you can also copy critical files to another system. There are a number of methods that can be used on a regular basis to check these files; 'swverify' and shell scripts are a good example.
Anyone for a Mutiny ?
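A shell script in the spirit of what Paula and Michael describe (timestamped copies of critical files plus a scripted check), added here as an example and not taken from the thread: it snapshots the logs and reports any that have shrunk or vanished since the last snapshot, which is what a purged wtmp looks like. The log paths other than /etc/wtmp and the snapshot directory are assumptions; override them with LOGS and SNAPDIR.

```shell
#!/bin/sh
# Added example, not from the thread. Detects purged append-only logs by
# comparing current sizes with a saved index; an honest log only grows.
# Default paths are assumptions (HP-UX style); override via LOGS / SNAPDIR.

LOGS="${LOGS:-/etc/wtmp /var/adm/btmp /var/adm/sulog /var/adm/syslog/syslog.log}"
SNAPDIR="${SNAPDIR:-/var/snapshots}"

# record_sizes: print "path size" for every log that currently exists
record_sizes() {
    for f in $LOGS; do
        [ -f "$f" ] || continue
        sz=$(wc -c < "$f" | tr -d ' ')
        echo "$f $sz"
    done
}

# snapshot: copy each log into SNAPDIR with a timestamp suffix and write a
# size index for the run; prints the index path so a caller can keep it
snapshot() {
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$SNAPDIR"
    for f in $LOGS; do
        [ -f "$f" ] && cp -p "$f" "$SNAPDIR/$(basename "$f").$stamp"
    done
    record_sizes > "$SNAPDIR/sizes.$stamp"
    echo "$SNAPDIR/sizes.$stamp"
}

# check_shrink INDEX: compare live sizes against a saved index; report every
# log that is now smaller or missing; exit status 1 if any, else 0
check_shrink() {
    rc=0
    while read -r f old; do
        if [ -f "$f" ]; then
            new=$(wc -c < "$f" | tr -d ' ')
        else
            new=-1   # file gone entirely
        fi
        if [ "$new" -lt "$old" ]; then
            echo "SHRUNK $f $old -> $new"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage (assumed): run "snapshot" from cron to build a history of copies on a
# separate host, then "check_shrink /var/snapshots/sizes.<stamp>" on a later run.
```

Ship SNAPDIR off the box (the ftp-to-another-machine step in the thread) so the index cannot be edited along with the logs.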
David Shao
Advisor

Re: invader

Is there no other method to find information about the invader?
As we all know, invaders could purge the btmp file and sulog file after purging the wtmp file, so how can I find where the invader came from?
David Shao
Paula J Frazer-Campbell
Honored Contributor

Re: invader

David

Also have a look in your firewall logs.

Look at all .sh_history files and all other logs - mail log, SAM log etc.


Check ftp.allow and cron.allow for extra entries and also check every cron and at job on the system.


HTH

Paula
If you can spell SysAdmin then you is one - anon
Wodisch
Honored Contributor
Solution

Re: invader

Hi David,

If your invader was *good* enough then you will not find clues on the compromised system itself. Maybe you can find some hints on the firewalls/routers leading to it...
Sorry to say, but reinstall your system from scratch (you cannot trust a single file on it any more), restore data from a trustworthy backup (made before the system was compromised), install "IPFilter/9000" and configure it, use the "Bastion Host" script to check against other possible holes, install the recent security patches, disable TELNET/RLOGIN/REMSH/FTP and such, and use OpenSSH instead.

And that's just the beginning :-(

FWIW,
Wodisch
Paula J Frazer-Campbell
Honored Contributor

Re: invader

David

Bastion doc here:-

http://people.hp.se/stevesk/bastion11.html


Paula
If you can spell SysAdmin then you is one - anon
Sorrel G. Jakins
Valued Contributor

Re: invader

Get educated on security here:
http://www.sans.org