At a talk that Jon "Maddog" Hall gave at MCC, he spoke of a University here in
the US that was using a cron job on a Linux box to re-image (using "dd") the
hard disks of ALL M$-based systems in the computer center EVERY NIGHT. Of
course, within minutes of the re-imaging process I'm sure that the M$ boxen
were re-breached and chock full of virii. :)

D

* On Tue, Sep 26, 2000 at 12:53:39AM -0700, Kevin Brown wrote:
> Hmm, I start a job in the CC next Monday doing sysadmin work for a small group
> of people at ASU. My job is basically to take over that part of their work so
> they can devote their time to a program they are writing. Looks like I will be
> handling Solaris, BSD, Linux, NT and 2000. Security is an issue that I will be
> facing and it's not something I've spent much time worrying about. My systems
> are behind a Cisco router 675 (not that it's very secure, but it does have a
> changing external IP). Haven't done much even when the router was in bridging
> mode (configured ipchains to only allow forwarding from the internal network if
> the destination was not on the internal network and to ignore any external
> requests that weren't initiated internally). Kinda simplistic, but the box was
> there just to do masquerading for my 9 other systems in the house (NT, Win98,
> Linux, 2000 server, etc...).
>
> Without doing an 'rm -rf *' or 'format c:', what are some good sites or utils
> for aiding in tightening the hatches on a system (i.e. how-to's, or sites
> similar to http://www.securityfocus.com)?
>
> Also I will be working on automation of the NT systems to make sure they are all
> running the same software. Anyone have any experience with this or have pointers
> for how? I vaguely recall something in the Win95 resource kit doing this; damn,
> wish I hadn't gotten rid of it.
>
> > We were going to implement a tool at work to monitor 20-30 various nixen
> > boxes (DEC, Linux, BSDs [we need more of these]) using some csh
> > scripting, ssh, and rsync, and tie it into our bb stuff.
> >
> > I was reading something and came across this link which does almost the same
> > task that we want, except with perl.
> > http://perl.oreilly.com/news/sysadmin_0800.html
> >
> > The proggies you mentioned below were on the top of our list to monitor.
> > We've got boxes (tier 3... we're not the admins) that get broken into fairly
> > often (ASU is a favored target for douche bags, I mean script kiddies).
> > Usually it's one break-in and we're the admin or they don't get their ether
> > cable back. E.g., last week, a tier-3 system was compromised and flooded an
> > entire subnet, spiked the router to 100% for a few hours, and pissed off two
> > TSAs.
> >
> > -----Original Message-----
> > From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> > [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of
> > plug@arcticmail.com
> > Sent: Monday, September 25, 2000 10:59 PM
> > To: plug-discuss@lists.PLUG.phoenix.az.us
> > Subject: Re: user tracking
> >
> > There are also other items in a standard rootkit.
> >
> > You could spend time checking ls, ps, top, sum, yada
> > yada yada, against your pristine versions on read-only
> > installation media (after booting into single-user
> > mode on pristine read-only trusted media (and ONLY
> > running binaries from said media)), but IMHO your best
> > bet after a breach/rootkit incident is to take off and
> > nuke the site from orbit. It's the only way to be sure.
> >
> > I'm sure there's a HOWTO on cleaning up your system
> > after a rootkit "upgrade." Check Google.
> >
> > D
> >
> > * On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> > > Thanks for the responses. I never knew about the command "last". Very
> > > cool. I've already found out most of what I needed. It was some guy over
> > > in Russia. Those punks! :-) He left some cool utilz on the hard drive
> > > for me though. A login replacement that logs all usernames and passwords
> > > and an in.ftpd replacement. That's how he got in in the first place. I
> > > was running wu-ftpd 2.5.x... I already know there's tons of documented
> > > exploits with that version. I've just upgraded to wu-ftpd 2.6 so that
> > > should slow 'em down a little bit.
> > >
> > > Don
> > >
> > > On 26 Sep 2000, Bill Warner wrote:
> > >
> > > > This information is located in the /etc/shadow file. It is referenced
> > > > in the standard Unix time thing (seconds since Jan 1 1970). Check
> > > > man shadow for more details.
> > > >
> > > > Bill Warner
> > > >
> > > > > Hey guys.
> > > > > At login I get a printout of when the last login occurred. Where
> > > > > is that info stored? I want to check out a user on the system but
> > > > > don't want to log in as them. One of the machines I work with had the
> > > > > root account compromised. It's just running a few mushes so it's not
> > > > > that big of deal but I don't want it happening again. I went through
> > > > > it with a fine tooth comb and wouldn't mind it if any of you guys
> > > > > tried to whack at it... Lemme know what you find. The IP is
> > > > > 205.216.140.17
> > > > >
> > > > > Don
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
> > to the list quickly and you use Netscape to write mail.
> >
> > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
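The pristine-binary comparison that plug@arcticmail.com's reply describes (checking ls, ps, top, sum and friends against known-good copies) comes down to a baseline of file hashes taken from trusted media and re-checked later. The following is an added example written for this page, not code from the thread or from any tool it mentions; the directory layout, the file names (including the "login" and "in.ftpd" that Don Harrop's intruder replaced) and the tampering scenario are all constructed for the demo. SHA-256 is used in place of the era's sum/md5sum.

```python
"""Compare a set of system binaries against a baseline of known-good hashes.

Added example (not from the mailing-list thread). The baseline is assumed to
have been built from pristine installation media and kept read-only; the
check itself must also run from trusted media, because a host whose ls, ps
or hashing tool has been replaced can lie about its own files.
"""
import hashlib
import tempfile
from pathlib import Path

# Binaries the thread names as typical rootkit replacements (constructed list).
WATCHED = ["ls", "ps", "top", "sum", "login", "in.ftpd"]


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names=WATCHED):
    """Record name -> (sha256, size, permission bits) for each binary under root."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        st = p.stat()
        baseline[name] = (sha256_file(p), st.st_size, st.st_mode & 0o7777)
    return baseline


def verify(root, baseline):
    """Return name -> 'ok' | 'modified' | 'mode-changed' | 'missing'.

    Content changes take precedence over permission changes, and a file that
    vanished is reported rather than skipped, since a rootkit may delete a
    tool it does not bother to trojan.
    """
    results = {}
    for name, (digest, size, mode) in baseline.items():
        p = Path(root) / name
        if not p.exists():
            results[name] = "missing"
            continue
        st = p.stat()
        if st.st_size != size or sha256_file(p) != digest:
            results[name] = "modified"
        elif (st.st_mode & 0o7777) != mode:
            results[name] = "mode-changed"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: fake bin dir, baseline, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in WATCHED:
            p = Path(tmp) / name
            p.write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
            p.chmod(0o755)
        baseline = build_baseline(tmp)
        # Simulate the thread's password-logging login replacement, a
        # permission change on ps, and an outright deleted sum.
        (Path(tmp) / "login").write_bytes(b"#!/bin/sh\n# trojaned: records passwords\n")
        (Path(tmp) / "ps").chmod(0o700)
        (Path(tmp) / "sum").unlink()
        return verify(tmp, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:8s} {status}")
```

The baseline dictionary is what you would write to the read-only media along with the checker; in a real deployment `build_baseline` runs once against the freshly installed system and `verify` runs from the rescue media after booting single-user, as the reply above insists.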