How do I know if I am being hacked[violated]?

 
 
root-n-toot-n

 
      09-03-2003, 03:21 AM
What to look for in /var/log/messages?
Box is PII 400MHz RH8.0, rhn'd up2date'd.
 
Bit Twister

 
      09-03-2003, 11:42 AM
On Tue, 02 Sep 2003 22:21:54 -0500, root-n-toot-n wrote:
> What to look for in /var/log/messages?


Ha, ha, ha. A good crack would not show anything.

Look here
http://groups.google.com/advanced_group_search

google_tag_cracked_4_next_time in the first box
alt.os.linux in the Newsgroup box, pick English


 
root-n-toot-n

 
      09-04-2003, 03:14 AM
[ snort ]

Thanx NJ BT, I'm clean...
 
Alan Connor

 
      09-04-2003, 03:38 AM
On Wed, 03 Sep 2003 11:42:53 GMT, Bit Twister <(E-Mail Removed)> wrote:
>
>
> On Tue, 02 Sep 2003 22:21:54 -0500, root-n-toot-n wrote:
>> What to look for in /var/log/messages?

>
> Ha, ha, ha. A good crack would not show anything.
>
> Look here
> http://groups.google.com/advanced_group_search
>
> google_tag_cracked_4_next_time in the first box
> alt.os.linux in the Newsgroup box, pick English
>
>



If you run a packet sniffer on the interface and run a grep loop on the
output to notify you of unusual packets, then you can catch them.

I've caught several, and immediately did a harsh nmap on the IP they were
using (got it scripted) and they ran like dogs with a 500 pound cat on
their tails....

ALWAYS run a packet sniffer when you are on the Internet.


Alan C


--

take control of your mailbox ----- elrav1 ----- http://tinyurl.com/l55a
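
The sniffer-and-filter loop described in the post above, as an added example (not any poster's own script): it reads `tcpdump -n` text output and reports a source once it has sent bare SYNs to a chosen number of distinct ports. The function names, the threshold, the interface name `eth0` and the sample capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sources that send bare SYNs to many distinct ports.
# Input is `tcpdump -n` text output (IPv4 only); the threshold is an assumption.

detect_scans() {
    awk -v limit="${1:-10}" '
    # Connection attempts only: "Flags [S]," is SYN without ACK.
    $2 == "IP" && $4 == ">" && /Flags \[S\],/ {
        dst = $5
        sub(/:$/, "", dst)                      # "192.0.2.10.22:" -> "192.0.2.10.22"
        if (split($3, s, ".") != 5 || split(dst, d, ".") != 5) next
        ip = s[1] "." s[2] "." s[3] "." s[4]    # drop the source port
        if (!(ip in first)) first[ip] = $1      # timestamp of first SYN seen
        key = ip SUBSEP d[5]
        if (key in seen) next                   # same port again: not a new probe
        seen[key] = 1
        if (++ports[ip] == limit) {             # alert once, when the limit is reached
            printf "ALERT %s probed %d distinct ports (first SYN %s)\n", ip, limit, first[ip]
            fflush()
        }
    }'
}

# Constructed sample capture (documentation address ranges, not real traffic).
sample_capture() {
    cat <<'EOF'
03:38:01.000100 IP 203.0.113.7.40001 > 192.0.2.10.21: Flags [S], seq 1, win 1024, length 0
03:38:01.000200 IP 203.0.113.7.40001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
03:38:01.000250 IP 192.0.2.10.22 > 203.0.113.7.40001: Flags [S.], seq 9, ack 2, win 5840, length 0
03:38:01.000300 IP 203.0.113.7.40002 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
03:38:01.000400 IP 203.0.113.7.40001 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
03:38:01.000500 IP 203.0.113.7.40001 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
03:38:02.000000 IP 198.51.100.20.51000 > 192.0.2.10.80: Flags [S], seq 5, win 65535, length 0
03:38:02.500000 IP 198.51.100.20.51001 > 192.0.2.10.80: Flags [S], seq 6, win 65535, length 0
EOF
}

# Offline demonstration on the constructed capture.
sample_capture | detect_scans 4

# Live use (needs root; eth0 is an assumed interface name):
#   tcpdump -l -n -i eth0 'tcp[tcpflags] & tcp-syn != 0' | detect_scans 10
```

Counting distinct destination ports per source, rather than raw packets, keeps an ordinary client that opens several connections to one service from raising an alert.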


 
Bit Twister

 
      09-04-2003, 03:49 AM
On Thu, 04 Sep 2003 03:38:44 GMT, Alan Connor wrote:

> I've caught several, and immediately did a harsh nmap on the IP they were
> using (got it scripted) and they ran like dogs with a 500 pound cat on
> their tails....


Yeah that is real smart.

Cracker uses a zombie machine, you hit him with nmap. Cracker shoots
the logs to ISP, cleans out his tracks and you lose.

Just a few state selections.

http://www.capitol.state.tx.us/statu...ml#pe001.33.01
Read 33.01. Definition (1) "Access"
33.02. Breach of Computer Security (a)

http://www.umpqua.cc.or.us/policy/oregon-law.htm
Read 1 (a) then (4)
 
Alan Connor

 
      09-04-2003, 06:48 AM
On Thu, 04 Sep 2003 03:49:49 GMT, Bit Twister <(E-Mail Removed)> wrote:
>
>
> On Thu, 04 Sep 2003 03:38:44 GMT, Alan Connor wrote:
>
>> I've caught several, and immediately did a harsh nmap on the IP they were
>> using (got it scripted) and they ran like dogs with a 500 pound cat on
>> their tails....

>
> Yeah that is real smart.
>
> Cracker uses a zombie machine, you hit him with nmap. Cracker shoots
> the logs to ISP, cleans out his tracks and you lose.
>


I don't see why you call that "losing".

To ME winning is protecting my machine. I'm not into tracking anyone
down and punishing them.

My approach IS real smart.

And I will keep using it because it WORKS.



> Just a few state selections.
>
> http://www.capitol.state.tx.us/statu...ml#pe001.33.01
> Read 33.01. Definition (1) "Access"
> 33.02. Breach of Computer Security (a)
>
> http://www.umpqua.cc.or.us/policy/oregon-law.htm
> Read 1 (a) then (4)



I don't give a fuck about any statutes anywhere.


I do what I need to do to protect my machine.


And no, I do not run the nmap from a machine that is even on this continent.

You have heard, I trust, of shell accounts run by email sent via a series
of anonymous forwarders with the initial mail being sent via a telnet
connection to an open smtp server?


Oh yes, you certainly have. Or am I 'mixed' up? :-)



Alan C


--

take control of your mailbox ----- elrav1 ----- http://tinyurl.com/l55a


 
Tim Hammerquist

 
      09-04-2003, 07:30 AM
Alan Connor graced us by uttering:
> Bit Twister <(E-Mail Removed)> wrote:
>> Just a few state selections.

<snip>
>> http://www.umpqua.cc.or.us/policy/oregon-law.htm
>> Read 1 (a) then (4)

>
> I don't give a fuck about any statutes anywhere.
>
> I do what I need to do to protect my machine.


With all due respect, this law has "adversely affected" someone
clpm is quite familiar with.

http://www.lightlink.com/spacenka/fors/jeffrey/ovs/

It's especially worth noting that the Oregon Computer Crime Law
*does not require evidence* and that it is a *felony*. See below
for why this still should matter to you.

> And no, I do not run the nmap from a machine that is even on
> this continent.


"This" as opposed to "that", but what is your reference
continent? Or do all linux users live on one continent?

More importantly, though, is where *YOU* are and where the
*VICTIM* is.

> You have heard, I trust, of shell accounts run by email sent
> via a series of anonymous forwarders with the initial mail
> being sent via a telnet connection to an open smtp server?


Whatever derivative method you use, be careful that (a) you
are not violating laws in the victim's jurisdiction, (b) that
you are not violating any laws in YOUR jurisdiction (where you
are), and (c) you are not violating any laws in the jurisdiction
in which the above machine operates. Laws in any jurisdiction
through which the nmap scan passes may also apply.

You're free to talk as big as you like on Usenet, but I'd really
rather not hear about another acquaintance being convicted of a
felony. Intel made an example of Randal with Oregon's help. If
crackers compromise a high-profile server and twist it to their
ends, as they did <http://www.gnu.org/>, there's no telling whose
machine you might assault, thinking it's the crackers'.

Tim Hammerquist
--
Intelligence has much less practical application than you'd think.
-- Scott Adams
 
Alan Connor

 
      09-04-2003, 07:52 AM
On 4 Sep 2003 00:30:31 -0700, Tim Hammerquist <(E-Mail Removed)> wrote:
>
>
> Alan Connor graced us by uttering:
>> Bit Twister <(E-Mail Removed)> wrote:
>>> Just a few state selections.

><snip>
>>> http://www.umpqua.cc.or.us/policy/oregon-law.htm
>>> Read 1 (a) then (4)

>>
>> I don't give a fuck about any statutes anywhere.
>>
>> I do what I need to do to protect my machine.

>
> With all due respect, this law has "adversely affected" someone
> clpm is quite familiar with.
>
> http://www.lightlink.com/spacenka/fors/jeffrey/ovs/
>
> It's especially worth noting that the Oregon Computer Crime Law
> *does not require evidence* and that it is a *felony*. See below
> for why this still should matter to you.
>
>> And no, I do not run the nmap from a machine that is even on
>> this continent.

>
> "This" as opposed to "that", but what is your reference
> continent? Or do all linux users live on one continent?
>
> More importantly, though, is where *YOU* are and where the
> *VICTIM* is.
>
>> You have heard, I trust, of shell accounts run by email sent
>> via a series of anonymous forwarders with the initial mail
>> being sent via a telnet connection to an open smtp server?

>
> Whatever derivative method you use, be careful that (a) you
> are not violating laws in the victim's jurisdiction, (b) that
> you are not violating any laws in YOUR jurisdiction (where you
> are), and (c) you are not violating any laws in the jurisdiction
> in which the above machine operates. Laws in any jurisdiction
> through which the nmap scan passes may also apply.
>
> You're free to talk as big as you like on Usenet, but I'd really
> rather not hear about another acquaintance being convicted of a
> felony. Intel made an example of Randal with Oregon's help. If
> crackers compromise a high-profile server and twist it to their
> ends, as they did <http://www.gnu.org/>, there's no telling whose
> machine you might assault, thinking it's the crackers'.
>
> Tim Hammerquist



Well Tim, I think it's pretty funny that you refer to someone who is
trying to crack my machine as a victim.

And trying to blame ME for sloppy security on some other machine.
No one uses MY network for anything like that, and it is MY responsibility
to see that it doesn't happen.

And you seem to think that nmapping harms a computer, which it doesn't.


I am not "talking big" at all. This is all very simple and practical.


And if someone tries to bust my box they get hammered.

Period. And the program I use is not actually nmap, but a much more
serious cousin of its.

(Note that I do run a whois on the IP, first, to make sure there isn't
some legitimate activity going on, say, on the part of one of my ISPs.)

Your opinion in this matter means nothing to me at all.


Run your own machine. *I* run mine.

I do wonder where all these egomaniacs come from that think they have
a right to tell a person how to live.


They are a source of never-ending amusement to me.


As are most fools.


Alan C


--

take control of your mailbox ----- elrav1 ----- http://tinyurl.com/l55a


 
Alan Connor

 
      09-04-2003, 08:35 AM
On Thu, 04 Sep 2003 07:52:16 GMT, Alan Connor <(E-Mail Removed)> wrote:
>
>
> On 4 Sep 2003 00:30:31 -0700, Tim Hammerquist <(E-Mail Removed)> wrote:
>



Just a note here for the benefit of any newbies that might have taken
Tim's absurd article seriously:

nmap is a port MAPPER. It maps ports. It doesn't hurt anything.

I have verified this numerous times on my own box, and those belonging to
friends.


If some cracker was using someone else's server to do his/her dastardly
work from, then a blatant nmapping would do nothing but alert the owners
of that server that something was wrong.

You would be doing them a FAVOR.


Alan C


--

take control of your mailbox ----- elrav1 ----- http://tinyurl.com/l55a


 
jbuchana@buchanan1.net

 
      09-04-2003, 12:30 PM
Alan Connor <(E-Mail Removed)> wrote:
> nmap is a port MAPPER. It maps ports. It doesn't hurt anything.


Alan is, of course, right.

But in these paranoid times, you might get someone at your ISP paying
attention to you if you get a complaint. I never have, despite using
it when curious about people I find scanning me in my firewall logs.

If you have nmap at work though, get permission to use it first. Your
first indication that it's not welcome might be when your networking
team shuts off your ethernet jack! :-)

In the factory I work at, many of the automated testers and some of
the junkier printers that are 'net aware freeze up when they are
port-scanned. When the automated testers freeze up, it shuts down
production lines and costs lots of money.

Port scanning is forbidden by anyone outside of IT, and we never scan
entire network segments, just single machines, because of this.

They may also forbid it out of general paranoia.

--
Jim Buchanan (E-Mail Removed) (E-Mail Removed)
=================== http://www.buchanan1.net/ ==========================
"Manic depression, what a frustrating mess" -Jimmy Hendrix
================= Visit: http://www.thehungersite.com ==================
 