Something strange in my logs!!!

Njoku, George O. njokug at winthrop.edu
Tue Jul 24 13:52:15 UTC 2007


Hello Nichola,

This could be tedious, but it could help you find out more. It's a mail server, so I wouldn't suggest disabling the NIC (if you do, it will be great). Then I would do a ...

# find / -printf '%TD %p\n'   (will show you files with their last-modified date)
# find / -mtime 5 (will show you files modified 5 days ago)
# find / -atime 5 (will show you files accessed 5 days ago)
# find / -lname "*" (will show you links... crackers always create links to actual execs)

Of course, you can mix them up:

# find / -lname "*" -mtime 5

-----------tedious manual forensics------------------

Then I would monitor packets leaving and entering that aren't on port 25 (your mail),
both from the server and then from another box which is on the local network.

# tcpdump -v -i <device> not port 25
See what comes up... check for discrepancies. But mind you, this might just be a false alarm. Maybe software bugs are the cause.
Cheers
George
-----Original Message-----
From: listbounce at securityfocus.com [mailto:listbounce at securityfocus.com] On Behalf Of Siim Põder
Sent: Monday, July 23, 2007 3:57 AM
To: nicola mondinelli
Cc: pen-test at securityfocus.com
Subject: Re: Something strange in my logs!!!

Yo.

nicola mondinelli wrote:
> any ideas?
> what can i do to discover something more?

Maybe try The Coroner's Toolkit to look for fishy stuff (firstly I'd
recommend mactime to see which files were touched during that period).

Siim
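The find-based checks in George's reply and the mactime suggestion in Siim's both come down to building a timeline of file m/a/c times and looking for entries inside the suspect window, plus spotting symlinks that point at executables. The following is an added example, not code from either poster or from The Coroner's Toolkit; it walks a directory tree the way mactime would and runs against a small constructed sample tree (file names, the temp directory and the 30-day/1-day windows are assumptions for the demo).

```python
import os
import tempfile
import time


def collect_timeline(root):
    """mactime-style list of (epoch, kind, path), kind in m/a/c, sorted by time."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report the link itself, not its target
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append((int(ts), kind, path))
    return sorted(events)


def changed_within(events, start, end):
    """Timeline entries whose timestamp falls inside [start, end] (epoch seconds)."""
    return [e for e in events if start <= e[0] <= end]


def links_to_executables(root):
    """Symlinks whose resolved target is an executable regular file."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.isfile(target) and os.access(target, os.X_OK):
                    found.append((path, target))
    return found


def build_demo_tree():
    """Constructed sample tree: a month-old file, a fresh executable, a link to it."""
    root = tempfile.mkdtemp(prefix="timeline_")
    old = os.path.join(root, "motd")
    with open(old, "w") as f:
        f.write("old file\n")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))  # back-dates mtime/atime only; ctime stays now
    fresh = os.path.join(root, ".x")
    with open(fresh, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(fresh, 0o700)
    os.symlink(fresh, os.path.join(root, "ls"))  # link named like a real binary
    return root
```

Run `changed_within(collect_timeline(root), now - 86400, now)` on the demo tree and the back-dated `motd` still appears through its `c` entry, since ctime cannot be set from userland, which is why `-ctime` is worth running alongside `-mtime` in the find checks above.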
