On Fri, 22 Jun 2001, Benoy George spewed into the ether:
> Hi Everybody, somebody sniffed our local network!
huh? Someone else had root on at least one of your machines?
> That automatically generated mail on our RH 6.1 server (posted earlier) was generated by linsniffer only. I found the same mail generated to another address max_003_2000@yahoo.com with subject "F the rwetter". He replaced netstat, ifconfig, top and ps with some older version created on Sep 26 1983.
Looks like a standard rootkit. Dates can be changed; there are programs available to do that.
> chor is here in /dev/ida/.inet
You mean cracker
> ls -l /dev/ida/.inet
<snip rootkit details>
> How can I find more details, like who this sniffer is and when he entered our m/c?
How much damage did you do to the machine? If you haven't messed around much, make a bitwise backup of the machine to a clean hard disk (by clean I mean run dd if=/dev/zero of=/dev/hd<whatever> bs=512 on it).
Then after you have a backup of the disk, make a copy to do your research on. Look in the archives of the incidents list at http://securityfocus.com to see if someone has got hit by the rootkit before. Run strings on the second copy of the image to see details. You should be able to see erased logs, and such details (if it is not too late).
> Anyway, I am very happy to learn about all these things. Thank you linsniffer. As a layman this is good experience for me.
http://securityfocus.com. Quite a few good security lists there
> Waiting for more comments on security issues, hacking and cracking...
BTW, rebuild that compromised machine, install all patches, and then install tripwire. Replace Bind by DJBDNS, Sendmail by Postfix or Qmail (simply because sendmail is too complex). [Note: Do *not* install any software that you do not run; what is not installed cannot be compromised.]
Devdas Bhagat -- The difference between reality and unreality is that reality has so little to recommend it. -- Allan Sherman
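A tripwire-style integrity check in the spirit of the advice above, added as an example and not part of the original thread: it baselines SHA-256 digests and mtimes of system binaries, then flags anything whose contents changed or whose mtime is implausibly old, as with the netstat/ps binaries backdated to 1983 in the report. The 1990 cutoff and the temp-dir stand-ins for `ps` and `netstat` are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed cutoff: a binary "modified" before this year on a 2001-era box is suspect.
OLDEST_PLAUSIBLE_YEAR = 1990

def snapshot(paths):
    """Return {path: {"sha256": hex digest, "mtime": epoch seconds}} for each file."""
    out = {}
    for p in paths:
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        out[p] = {"sha256": digest, "mtime": os.stat(p).st_mtime}
    return out

def compare(baseline, current):
    """Return a sorted list of (path, reason) findings; empty list means clean."""
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
            continue
        if cur["sha256"] != base["sha256"]:
            findings.append((path, "content changed"))
        year = datetime.fromtimestamp(cur["mtime"], tz=timezone.utc).year
        if year < OLDEST_PLAUSIBLE_YEAR:
            findings.append((path, f"implausible mtime ({year})"))
    for path in current.keys() - baseline.keys():
        findings.append((path, "not in baseline"))
    return sorted(findings)

def demo():
    """Constructed scenario: baseline two fake binaries, then swap one out and backdate it."""
    d = tempfile.mkdtemp()
    ps, netstat = os.path.join(d, "ps"), os.path.join(d, "netstat")
    for p in (ps, netstat):
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    baseline = snapshot([ps, netstat])
    # Simulated rootkit replacement: new contents, mtime set to Sep 26 1983.
    with open(ps, "wb") as f:
        f.write(b"replaced ps")
    old = datetime(1983, 9, 26, tzinfo=timezone.utc).timestamp()
    os.utime(ps, (old, old))
    return compare(baseline, snapshot([ps, netstat]))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be taken from known-good media and stored off the host, since a rootkit that replaces `ps` can just as easily edit a baseline file left on the same disk.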