On Monday 09 August 2010 21:25:37 Dale wrote:
> Robert Bridge wrote:
> > On Mon, Aug 9, 2010 at 8:09 PM, Mick<michaelkintzios@×××××.com> wrote:
> >> There have been discussions on this list why sudo is a bad idea and sudo
> >> on *any* command is an even worse idea. You might as well be running
> >> everything as root, right?
> >
> > sudo normally logs the command executed, and the account which
> > executes it, so while not relevant for single user systems, it STILL
> > has benefits over running as root.
> >
> > RobbieAB
>
> I don't use sudo here but I assume an admin would only know that a nasty
> command has been run well after it was run? Basically, after the damage
> has been done, you can go look at the logs and see the mess some hacker
> left behind. For me, that isn't a whole lot of help. You still got
> hacked, you still got to reinstall and check to make sure anything you
> copy over is not infected.
>
> Assuming that they can erase dmesg, /var/log/messages and other log
> files, who's to say the sudo logs aren't deleted too? Then you still
> have no records to look at.
>
> I agree with the other posters tho, re-install from scratch and re-think
> your security setup.

That's the problem with any compromise worth its salt: all logs will be
tampered with to clear traces of interfering with your system. Monitoring network
traffic from a healthy machine is a good way to establish suspicious activity
on the compromised box, and it also helps with checking for open ports (nmap, or
netcat) to find out what's happening to the compromised box.

--
Regards,
Mick
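Mick's suggestion of checking the suspect box's open ports from a healthy machine, as an added example that is not part of the thread: it parses nmap's greppable output (`nmap -oG`) and diffs it against a baseline of ports recorded while the box was known-good, so unexpected listeners stand out even if the box's own logs have been wiped. The scan output, hosts (192.0.2.x) and baseline below are constructed placeholders.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of nmap -oG output, as produced by scanning the suspect
# hosts from a separate, trusted machine. Hosts and ports are made up.
SAMPLE_NMAP_OG = """\
# Nmap scan initiated as: nmap -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///, 25/filtered/tcp//smtp///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Open TCP ports each host is supposed to expose, recorded while known-good.
BASELINE: Dict[str, Set[int]] = {
    "192.0.2.10": {22, 80},
    "192.0.2.11": {22, 443},
}

# Each -oG port entry looks like "port/state/proto//service///".
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

def parse_open_ports(grepable: str) -> Dict[str, Set[int]]:
    """Return {host: open TCP ports} from nmap -oG text (filtered ports ignored)."""
    seen: Dict[str, Set[int]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comment/summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        ports = seen.setdefault(host, set())
        for port, state, proto in _PORT_RE.findall(fields.get("Ports", "")):
            if state == "open" and proto == "tcp":
                ports.add(int(port))
    return seen

def diff_against_baseline(observed: Dict[str, Set[int]],
                          baseline: Dict[str, Set[int]]
                          ) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Per host: (ports open that should not be, expected ports not seen)."""
    report = {}
    for host in sorted(set(observed) | set(baseline)):
        seen, expected = observed.get(host, set()), baseline.get(host, set())
        report[host] = (seen - expected, expected - seen)
    return report

if __name__ == "__main__":
    for host, (extra, missing) in diff_against_baseline(
            parse_open_ports(SAMPLE_NMAP_OG), BASELINE).items():
        print(f"{host}: unexpected open={sorted(extra)} missing={sorted(missing)}")
```

An unexpected listener (4444 on the first host) is the kind of thing the compromised box's own logs can no longer be trusted to tell you; a missing expected service (443 on the second) is also worth a look, since intruders sometimes stop or replace services.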