[General] Security Tip #1
Bashar Al-Abdulhadi
bashar at kuwaitnet.net
Fri Dec 29 00:07:58 +03 2006
Thanks Ahmad for the useful info :)
For references:
http://sourceforge.net/projects/snoopy/
and for Debian geeks http://www.debian-administration.org/articles/88 ;)
Ahmad Al-Ibrahim wrote:
> Salam,
>
> Have you ever been hacked and wanted to know what the hacker did
> in your box? The hacker deleted .bash_history and you want to know the
> commands he executed? Or your webserver got cracked because of
> insecure PHP or CGI, and you want to know what commands were executed
> on your machine?
>
> Get snoopy to track all execve() calls to syslog (authpriv); you may
> consider using a remote syslog server.
>
> Example of what snoopy logs:
> Dec 28 20:42:00 localhost snoopy[9737]: [speedy, uid:1000 sid:9728]: uname -s
> Dec 28 20:42:00 localhost snoopy[9739]: [speedy, uid:1000 sid:9728]: uname -r
> Dec 28 20:42:00 localhost snoopy[9742]: [speedy, uid:1000 sid:9728]: sed -ne /^# START exclude/,/^# FINISH e
> Dec 28 20:42:04 localhost snoopy[9746]: [speedy, uid:1000 sid:9728]: bitchx irc.freenode.net
> Dec 28 20:58:46 localhost snoopy[10516]: [test, uid:1002 sid:9318]: nslookup mail.koutbo6.com
> Dec 28 20:59:03 localhost snoopy[10532]: [test, uid:1002 sid:9318]: ls --color=auto -al
> Dec 28 20:59:17 localhost snoopy[10544]: [test, uid:1002 sid:9318]: cat /etc/passwd
> Dec 28 20:59:47 localhost snoopy[10569]: [test, uid:1002 sid:9318]: passwd
>
>
> Hope you find this tip useful.
>
> Regards,
>
> Ahmad Al-Ibrahim
>
> _______________________________________________
> General mailing list
> General at oskw.org
> http://mail.oskw.org/mailman/listinfo/general_oskw.org