From owner-freebsd-security Thu Dec 2 3:48: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 6677914FF0 for ; Thu, 2 Dec 1999 03:48:02 -0800 (PST) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 11tUhY-0003gZ-00; Thu, 02 Dec 1999 11:47:08 +0000
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 11tUha-0003Bv-00; Thu, 2 Dec 1999 11:47:10 +0000
X-Mailer: exmh version 2.0.2 2/24/98
To: Jason Hudgins
Cc: security@freebsd.org
Subject: Re: logging a telnet session
In-reply-to: Your message of "Wed, 01 Dec 1999 13:40:53 CST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 02 Dec 1999 11:47:09 +0000
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The original message/request did not state if the machine in question had actually been compromised, or if only the specific user account had been compromised (for example by the password being obtained by sniffing, burglary, carelessness, or coercion).

Certainly the people who suggest logging from another machine are correct if the machine as a whole (or the root account) has been compromised. You can't rely on *anything* from a machine that badly compromised.

If, however, only the account has been compromised, the question as posed is valid (and the culprit could still be described as an intruder). "Crackers" habitually use compromised accounts to "hop" from one machine to another to make tracing them more difficult and do not always obtain system manager rights on such machines. It is probably desirable to watch the traffic and notify the managers of any other machines shown to be compromised. It might be possible to start the "watch" session from the system startup scripts.
If you *are* using "tcpdump" in any way, there's a very good tool (in Perl) for analysing the dump files and showing individual sessions extracted from the dump. It's called "review": ftp://coast.cs.purdue.edu/pub/tools/unix/review/ and (amongst other things) will "play back" a telnet session in an xterm window so you can watch it complete with control character sequences being interpreted as ANSI actions. So a "tcpdump" trace taken on either your main (if trusted!) or an external machine can be looked at reasonably to see what your intruder is doing.

-- 
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
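The session-extraction step the post describes (pulling each telnet conversation out of a tcpdump capture so it can be reviewed) looks like this in outline. This is an added example, not the "review" tool or anything from the thread; it assumes Ethernet/IPv4/TCP frames in classic libpcap format, and the capture it parses is constructed in the block itself.

```python
"""Pull the per-direction payload of each TCP session out of a libpcap file,
the first step of what a tool like 'review' does. Added example, not that
tool. Assumes Ethernet/IPv4/TCP frames and a constructed telnet exchange;
retransmitted or out-of-order segments are not handled here."""
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield captured frames from classic pcap bytes (either byte order)."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                      # global header is 24 bytes
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def tcp_sessions(frames):
    """Map (src, sport, dst, dport) -> concatenated TCP payload, capture order."""
    out = defaultdict(bytearray)
    for f in frames:
        if f[12:14] != b"\x08\x00":               # IPv4 only
            continue
        ip = f[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                            # TCP only
            continue
        total = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data = tcp[(tcp[12] >> 4) * 4:]           # skip TCP header + options
        if data:
            key = (".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport)
            out[key] += data
    return {k: bytes(v) for k, v in out.items()}

# Constructed sample capture (not real traffic): a client reaching a telnet server.
def _frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip         # zeroed MACs, EtherType IPv4

SAMPLE = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in [
        _frame("10.0.0.5", 40000, "10.0.0.1", 23, b"\xff\xfd\x18"),  # IAC DO TTYPE
        _frame("10.0.0.1", 23, "10.0.0.5", 40000, b"login: "),
        _frame("10.0.0.5", 40000, "10.0.0.1", 23, b"guest\r\n"),
        _frame("10.0.0.1", 23, "10.0.0.5", 40000, b"Password: ")])
```

Running `tcp_sessions(parse_pcap(SAMPLE))` yields one entry per direction of the conversation; a real reviewer would go on to order segments by sequence number and strip telnet IAC negotiation before replaying the bytes in a terminal.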