Date: Thu, 02 Dec 1999 11:47:09 +0000
From: David Pick <D.M.Pick@qmw.ac.uk>
To: Jason Hudgins <thanatos@incantations.net>
Cc: security@freebsd.org
Subject: Re: logging a telnet session
Message-ID: <E11tUha-0003Bv-00@xi.css.qmw.ac.uk>
In-Reply-To: Your message of "Wed, 01 Dec 1999 13:40:53 CST." <Pine.BSF.4.10.9912011334310.27776-100000@eddie.incantations.net>
The original message/request did not state if the machine in question had actually been compromised, or if only the specific user account had been compromised (for example by the password being obtained by sniffing, burglary, carelessness, or coercion).

Certainly the people who suggest logging from another machine are correct if the machine as a whole (or the root account) has been compromised. You can't rely on *anything* from a machine that badly compromised.

If, however, only the account has been compromised, the question as posed is valid (and the culprit could still be described as an intruder). "Crackers" habitually use compromised accounts to "hop" from one machine to another to make tracing them more difficult and do not always obtain system manager rights on such machines. It is probably desirable to watch the traffic and notify the managers of any other machines shown to be compromised. It might be possible to start the "watch" session from the system startup scripts.

If you *are* using "tcpdump" in any way, there's a very good tool (in Perl) for analysing the dump files and showing individual sessions extracted from the dump. It's called "review":

    ftp://coast.cs.purdue.edu/pub/tools/unix/review/

and (amongst other things) will "play back" a telnet session in an xterm window so you can watch it complete with control character sequences being interpreted as ANSI actions. So a "tcpdump" trace taken on either your main (if trusted!) or an external machine can be looked at reasonably to see what your intruder is doing.

-- 
David Pick
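The session-extraction step that the mail attributes to "review" (pull the packets of one connection out of a tcpdump capture, put each direction back into order, and show the text the intruder typed and saw) is small enough to illustrate directly. The following is an added example written for this page; it is not code from the mail, from FreeBSD, or from the "review" tool. It builds a constructed libpcap capture in memory (Ethernet/IPv4/TCP, a fake telnet login followed by an onward "ssh" hop, with one out-of-order segment and one retransmission), then reassembles each telnet session per direction by TCP sequence number and strips the IAC option negotiation so only the keystrokes and the server's output remain. Host names, addresses, ports, the user name and the commands in the sample capture are all invented for the example; sequence-number wraparound and IP fragmentation are ignored, which is fine for this toy but not for a real analyser.

```python
"""Reassemble telnet (TCP/23) sessions from a libpcap capture, standard library only.

Added example for this page, not the 'review' tool. The capture is constructed
in memory so the script runs offline; real use would read a tcpdump -w file.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond timestamps
ETH_IPV4 = 0x0800
TELNET_PORT = 23
IAC = 255


def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap global header and per-record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 943920000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame with a payload; checksums left zero (parser ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def iter_tcp_payloads(pcap):
    """Yield ((src, sport, dst, dport), seq, payload) for every TCP segment carrying data."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("example only handles little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != 6:                      # protocol field: 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def strip_telnet_options(data):
    """Drop IAC negotiation (WILL/WONT/DO/DONT, SB..SE) and unescape IAC IAC."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:                       # escaped 0xFF data byte
                out.append(IAC); i += 2
            elif cmd in (251, 252, 253, 254):    # WILL/WONT/DO/DONT <option>
                i += 3
            elif cmd == 250:                     # SB ... IAC SE
                end = data.find(bytes([IAC, 240]), i + 2)
                i = len(data) if end < 0 else end + 2
            else:                                # other two-byte command
                i += 2
        else:
            out.append(data[i]); i += 1
    return bytes(out)


def extract_sessions(pcap):
    """Map each telnet connection to its per-direction transcript, ordered by sequence number."""
    streams = defaultdict(lambda: defaultdict(dict))   # conn -> direction -> {seq: payload}
    for (src, sport, dst, dport), seq, payload in iter_tcp_payloads(pcap):
        if TELNET_PORT not in (sport, dport):
            continue
        conn = tuple(sorted([(src, sport), (dst, dport)]))   # same key for both directions
        direction = "client->server" if dport == TELNET_PORT else "server->client"
        streams[conn][direction][seq] = payload              # same seq twice = retransmit, kept once
    return {conn: {d: strip_telnet_options(b"".join(segs[s] for s in sorted(segs)))
                   for d, segs in dirs.items()}
            for conn, dirs in streams.items()}


C, S, CP = "10.0.0.5", "10.0.0.1", 40123   # constructed client, server, client port


def sample_capture():
    """Constructed capture: out-of-order client segment, one retransmit, one non-telnet packet."""
    return build_pcap([
        tcp_frame(S, C, TELNET_PORT, CP, 1000, bytes([IAC, 253, 24]) + b"login: "),      # DO TERMINAL-TYPE
        tcp_frame(C, S, CP, TELNET_PORT, 5000, bytes([IAC, 252, 24]) + b"guest\r\n"),    # WONT TERMINAL-TYPE
        tcp_frame(S, C, TELNET_PORT, CP, 1010, b"Password: "),
        tcp_frame(C, S, CP, TELNET_PORT, 5019, b"w\r\n"),                                # arrives early
        tcp_frame(C, S, CP, TELNET_PORT, 5010, b"hunter2\r\n"),
        tcp_frame(S, C, TELNET_PORT, CP, 1020, b"\r\n$ "),
        tcp_frame(C, S, CP, TELNET_PORT, 5010, b"hunter2\r\n"),                          # retransmission
        tcp_frame(C, S, CP, TELNET_PORT, 5022, b"ssh next-hop\r\n"),                     # onward hop
        tcp_frame(C, "192.0.2.10", 40999, 80, 1, b"GET / HTTP/1.0\r\n\r\n"),           # ignored: not telnet
    ])


if __name__ == "__main__":
    for conn, dirs in extract_sessions(sample_capture()).items():
        print("session", conn)
        for d, text in dirs.items():
            print(f"  {d}: {text!r}")
```

Because the key is the sorted address pair, both directions of a connection land under one session, and the client transcript shows the credential and the onward "ssh next-hop" command the mail warns about, which is exactly what you would pass on to the administrator of the next machine. For a capture taken with tcpdump on a trusted host, replace `sample_capture()` with the bytes of the `-w` file; keyword sorting by sequence number is what puts the early "w" segment back after the password.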