[General] Security Tip #1

Ahmad Al-Ibrahim ahmad.alibrahim at unitednetworks.com.kw
Thu Dec 28 21:07:42 +03 2006


Salam,

Have you ever been hacked and wanted to know what the hacker did on your
box? The hacker deleted .bash_history and you want to know which commands
he executed? Or your webserver got cracked because of insecure PHP or CGI,
and you want to know what commands were executed on your machine?

Get snoopy to log all execve() calls to syslog (authpriv); you may also
consider using a remote syslog server.

Example of what snoopy logs:
Dec 28 20:42:00 localhost snoopy[9737]: [speedy, uid:1000 sid:9728]: uname -s
Dec 28 20:42:00 localhost snoopy[9739]: [speedy, uid:1000 sid:9728]: uname -r
Dec 28 20:42:00 localhost snoopy[9742]: [speedy, uid:1000 sid:9728]: sed -ne /^# START exclude/,/^# FINISH e
Dec 28 20:42:04 localhost snoopy[9746]: [speedy, uid:1000 sid:9728]: bitchx irc.freenode.net
Dec 28 20:58:46 localhost snoopy[10516]: [test, uid:1002 sid:9318]: nslookup mail.koutbo6.com
Dec 28 20:59:03 localhost snoopy[10532]: [test, uid:1002 sid:9318]: ls --color=auto -al
Dec 28 20:59:17 localhost snoopy[10544]: [test, uid:1002 sid:9318]: cat /etc/passwd
Dec 28 20:59:47 localhost snoopy[10569]: [test, uid:1002 sid:9318]: passwd


Hope you find this tip useful.

Regards,

Ahmad Al-Ibrahim
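As an added example (not from the original post and not snoopy's own code), here is a short Python script that parses syslog lines in the snoopy format shown above, rebuilds each session's command history by sid (the .bash_history the intruder deleted, as seen by the kernel rather than the shell), and flags a few reconnaissance and anti-forensics commands. The sample log is constructed: the first seven lines reproduce the format quoted in the post, the last two are made up here to show noise from other daemons being skipped and a history wipe being caught. One caveat worth keeping in mind: snoopy hooks execve(), so shell builtins such as `history -c` or `unset HISTFILE` never reach the log; only commands that actually exec a program do.

```python
"""Reconstruct per-session command history from snoopy syslog lines and flag
suspicious activity. Added example, not part of the original post or of snoopy."""
import re
from collections import defaultdict

# Constructed sample input. The first seven lines reproduce the format quoted in
# the post (snoopy 1.x via syslog, no year in the timestamp); the last two are
# made up here to show non-snoopy noise being skipped and a history wipe caught.
SAMPLE_LOG = """\
Dec 28 20:42:00 localhost snoopy[9737]: [speedy, uid:1000 sid:9728]: uname -s
Dec 28 20:42:00 localhost snoopy[9739]: [speedy, uid:1000 sid:9728]: uname -r
Dec 28 20:42:04 localhost snoopy[9746]: [speedy, uid:1000 sid:9728]: bitchx irc.freenode.net
Dec 28 20:58:46 localhost snoopy[10516]: [test, uid:1002 sid:9318]: nslookup mail.koutbo6.com
Dec 28 20:59:03 localhost snoopy[10532]: [test, uid:1002 sid:9318]: ls --color=auto -al
Dec 28 20:59:17 localhost snoopy[10544]: [test, uid:1002 sid:9318]: cat /etc/passwd
Dec 28 20:59:47 localhost snoopy[10569]: [test, uid:1002 sid:9318]: passwd
Dec 28 21:01:02 localhost sshd[10580]: Accepted password for test from 10.0.0.5 port 40122 ssh2
Dec 28 21:02:10 localhost snoopy[10601]: [test, uid:1002 sid:9318]: rm -f /home/test/.bash_history
"""

# Syslog prefix followed by snoopy's "[user, uid:N sid:N]: command" payload.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snoopy\[(?P<pid>\d+)\]: \[(?P<user>[^,]+), uid:(?P<uid>\d+) sid:(?P<sid>\d+)\]: "
    r"(?P<cmd>.*)$"
)

# (reason, pattern) pairs; a deliberately small starting set, extend to taste.
# Note: snoopy only sees execve(), so shell builtins (history -c, unset HISTFILE,
# cd) never appear here and cannot be matched by any rule.
RULES = [
    ("reads account database", re.compile(r"^cat\s+/etc/(passwd|shadow)\b")),
    ("changes a password", re.compile(r"^passwd\b")),
    ("history tampering", re.compile(r"^rm\b.*\.bash_history")),
    ("outbound IRC client", re.compile(r"^bitchx\b")),
]


def parse_snoopy(text):
    """Return one dict per snoopy line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"], ev["uid"] = int(ev["pid"]), int(ev["uid"])
            events.append(ev)
    return events


def sessions(events):
    """Group commands by session id, preserving log order. This is the shell
    history for each login session, reconstructed independently of .bash_history."""
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev["sid"]].append(ev["cmd"])
    return dict(by_sid)


def flag_suspicious(events):
    """Return (sid, user, cmd, reason) for every command that matches a rule."""
    hits = []
    for ev in events:
        for reason, pat in RULES:
            if pat.search(ev["cmd"]):
                hits.append((ev["sid"], ev["user"], ev["cmd"], reason))
    return hits


if __name__ == "__main__":
    evs = parse_snoopy(SAMPLE_LOG)
    for sid, cmds in sessions(evs).items():
        print(f"session {sid}:")
        for c in cmds:
            print("   ", c)
    for sid, user, cmd, reason in flag_suspicious(evs):
        print(f"ALERT sid={sid} user={user} {reason}: {cmd}")
```

Run it against a real /var/log/auth.log (or the file your authpriv facility lands in) by replacing SAMPLE_LOG with the file contents; grouping by sid rather than by pid is what ties the individual execve() records back into one interactive session.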
