List Archive: gentoo-security
To: Tom Hosiawa <tomek32@...>, gentoo-security <gentoo-security@g.o>
From: Bill McCarty <bmccarty@...>
Subject: Re: my security faqs?
Date: Mon, 02 Feb 2004 21:25:09 -0800
Hi Tom and all,

--On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa 
<tomek32@...> wrote:

> The previous message about his apache machine being hacked brings up a
> question I have. How does one tell they've been hacked from just looking
> at the logs?

As a honeynet operator, I see many compromises. The two most common signs 
of compromise that I've found are:

* Outbound SYNs to odd ports or hosts
* Unexpected modification of sensitive files, especially programs

To detect these signs, I've written simple scripts that scan firewall logs 
for anomalies in near real time. I also use various host-based intrusion 
detection systems, such as Tripwire, Samhain, and AIDE. Monit, which 
monitors a variety of events, can be configured to work as a fairly 
effective host-based IDS that watches sensitive directories for changes.

I don't mean these comments as definitive. They're merely instances of 
measures that are simple to implement, but often effective.

> Which brings me to another question. I've been getting some returned
> mails, that I know I didn't send, saying undeliverable mail to such and
> such (mostly from aol, hotmail, etc). This one particular returned email
> I got on my university account worries me a little more, because it got
> returned from another university mail server, saying the possibility the
> message contained a virus. How do I make sure this isn't coming from one
> of my home computers?

MyDoom is responsible for a mountain of such spoofed messages. But, as you 
suggest, a given message might, or might not, be spoofed. A few SMTP 
servers that reject malware-laden mail and return a reply to the alleged 
sender helpfully provide the original message headers. I scan these for IP 
addresses related to me. Generally, the oldest listed server (furthest down 
the page) is the server of interest, since it's the point of origin. If 
your upstream SMTP server strips incoming headers, this analysis will fail. 
Some wiseguy will eventually write a worm that forges its original server 
as that of the alleged sender. We can hope that won't happen soon <g>.

I hope this helps!

Bill McCarty
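The first sign Bill lists, outbound SYNs to odd ports or hosts, is the kind of thing his "simple scripts that scan firewall logs" look for. The following is an added example, not code from the original post or from any of the tools it mentions: a small Python scanner over iptables-style LOG lines that flags new outbound TCP connections to ports the host is not expected to use. The log lines, the `OUTBOUND-NEW` log prefix, the host name `web`, and the allowlist of expected ports are all constructed for the example.

```python
"""Flag outbound TCP SYNs to unexpected ports in iptables-style firewall logs.

Added example. The log lines below are constructed (RFC 5737 documentation
addresses) and mimic the Linux iptables LOG target with a prefix attached to
NEW outbound connections; nothing here is real traffic.
"""
from collections import Counter

SAMPLE_LOG = """\
Feb  2 21:25:09 web kernel: OUTBOUND-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Feb  2 21:25:11 web kernel: OUTBOUND-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=40002 DPT=53 LEN=48
Feb  2 21:25:14 web kernel: OUTBOUND-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=40003 DPT=6667 SYN URGP=0
Feb  2 21:25:15 web kernel: OUTBOUND-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=40004 DPT=6667 SYN URGP=0
Feb  2 21:25:20 web kernel: OUTBOUND-NEW IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=40005 DPT=443 SYN URGP=0
Feb  2 21:25:31 web kernel: INBOUND IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
"""

# Ports a web server is expected to open connections *to* (assumption for the
# example). Anything else initiated from the host is worth a look.
EXPECTED_PORTS = {25, 80, 443}


def parse_line(line):
    """Split an iptables LOG line into KEY=VALUE fields plus bare flags (SYN, ACK, DF...)."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            flags.add(token)
    return fields, flags


def is_outbound_syn(fields, flags):
    """True for a TCP SYN that left through an interface (OUT set, IN empty)."""
    return (
        fields.get("PROTO") == "TCP"
        and "SYN" in flags
        and fields.get("OUT", "") != ""
        and fields.get("IN", "") == ""
    )


def find_suspicious_syns(log_text, expected_ports=EXPECTED_PORTS):
    """Return [(dst_ip, dst_port, count), ...] for outbound SYNs to unexpected ports.

    Sorted by count descending so a host repeatedly dialling out to one odd
    destination (a bot reconnecting to a C2 channel, say) rises to the top.
    """
    hits = Counter()
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if not is_outbound_syn(fields, flags):
            continue
        try:
            dport = int(fields.get("DPT", ""))
        except ValueError:
            continue  # malformed line; skip rather than crash the scanner
        if dport not in expected_ports:
            hits[(fields.get("DST", "?"), dport)] += 1
    return [(dst, port, n) for (dst, port), n in hits.most_common()]


if __name__ == "__main__":
    for dst, port, n in find_suspicious_syns(SAMPLE_LOG):
        print(f"outbound SYN to {dst}:{port} x{n}  <- not in expected port set")
```

Run against a real log you would tail `/var/log/messages` (or wherever your LOG target writes) and feed each line in; the interesting cases are exactly the ones that are not on the allowlist, so keep that set honest rather than growing it until nothing fires.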
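The bounce-analysis Bill describes (walk the original message's `Received:` headers, treat the last one listed as the point of origin, and check whether any hop is one of your own addresses) can be scripted with Python's standard `email` module. This is an added example, not code from the post; the header block, host names, the `MY_ADDRESSES` set and the addresses in it are all constructed. It also covers the failure mode he notes: when the upstream server has stripped the `Received:` chain, the function says so instead of guessing.

```python
"""Locate the originating server in the Received: chain of a bounced message.

Added example. SAMPLE_HEADERS is a constructed set of original-message headers
of the kind some rejecting SMTP servers include in their bounce; none of the
hosts or addresses are real.
"""
import email
import ipaddress
import re

# Addresses belonging to "me" (assumption: the home machines Tom is worried about).
MY_ADDRESSES = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}

SAMPLE_HEADERS = """\
Received: from mx.example.edu (mx.example.edu [198.51.100.20])
\tby mail.example.edu with ESMTP id abc123; Mon, 2 Feb 2004 12:00:05 -0500
Received: from relay.isp.example (relay.isp.example [203.0.113.5])
\tby mx.example.edu with ESMTP id def456; Mon, 2 Feb 2004 12:00:03 -0500
Received: from unknown (HELO tomek) ([203.0.113.200])
\tby relay.isp.example with SMTP; Mon, 2 Feb 2004 12:00:01 -0500
From: tomek32@example.edu
To: someone@example.edu
Subject: (constructed)
Message-ID: <constructed@example.edu>

(body omitted)
"""

# IPv4 literal in square brackets, as MTAs write the peer address in Received:.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(headers_text):
    """Return one list of IP addresses per Received: header, newest hop first.

    Each Received: line is added by the server that *accepted* the message, so
    the top of the chain is the last server and the bottom is the origin.
    """
    msg = email.message_from_string(headers_text)
    chain = []
    for value in msg.get_all("Received", []):
        hop = []
        for literal in IP_RE.findall(value):
            try:
                hop.append(ipaddress.ip_address(literal))
            except ValueError:
                pass  # e.g. "[999.1.1.1]": not a valid address, ignore
        chain.append(hop)
    return chain


def origin_addresses(headers_text):
    """Addresses recorded in the oldest Received: header (the point of origin).

    Returns None when no Received: headers survive, i.e. the upstream server
    stripped them and the analysis cannot be done.
    """
    chain = received_chain(headers_text)
    return chain[-1] if chain else None


def involves_my_hosts(headers_text, my_addresses=MY_ADDRESSES):
    """Did any hop in the chain pass through one of my addresses?

    Returns True/False, or None if the chain is missing. The origin hop is what
    matters most, but checking every hop catches a relay I own as well.
    """
    chain = received_chain(headers_text)
    if not chain:
        return None
    return any(addr in my_addresses for hop in chain for addr in hop)


if __name__ == "__main__":
    print("hops (newest first):", [[str(a) for a in hop] for hop in received_chain(SAMPLE_HEADERS)])
    print("origin:", [str(a) for a in origin_addresses(SAMPLE_HEADERS)])
    print("passed through my hosts:", involves_my_hosts(SAMPLE_HEADERS))
```

Only the hops recorded by servers you trust are reliable; a sender can prepend fabricated `Received:` lines of its own, which is the forgery Bill expects some worm author to get around to, so weight the hops written by your provider's and the recipient's servers above whatever sits at the very bottom.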

gentoo-security@g.o mailing list


Updated Jun 17, 2009