Quote:
Originally posted by Mr.Fiction
Damn, that's a serious first post.
Yup it is and it's spot on. The egress filter is a good option if the
packets are really spoofed. If the attacker is in control of many
different servers then it gets harder as the packets are real
packets and are not being forged.
There are so many badly secured servers on the internet that it's
quite easy to root boxes and gain control while being completely
stealthy. LRK, the Adore Kernel Plugin and known exploits make it easy to
install stuff on servers and be completely hidden. Many times the
administrators never notice that their box has been compromised.
They upload new versions of popular system programs like
ls, netstat, ps, pstree, slocate, traceroute, w, who, cp, mv,
kill, killall, ping, etc., which won't list any connections/scripts
that are being used by the hacker. These modified system
programs have the exact same file size and timestamp as the
original ones that were installed on the server, so they are quite
hard to find.
DynaMite
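Matching size and timestamp defeats a glance at `ls -l`, but not a content hash. The following is an added example (not from the post or any tool it names) of a baseline-and-verify integrity check; the two "binaries" it checks are constructed stand-ins in a temporary directory, not real system files.

```python
"""Baseline-and-verify check that catches a replaced binary even when
size and mtime were preserved (added example, constructed sample files)."""
import hashlib
import os
import tempfile


def file_fingerprint(path):
    """Size, integer mtime and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(paths):
    """Record fingerprints from a known-good state; store this off-host."""
    return {p: file_fingerprint(p) for p in paths}


def verify(baseline):
    """Return (path, reason) for every file whose content no longer matches."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        actual = file_fingerprint(path)
        if actual["sha256"] != expected["sha256"]:
            meta_same = (actual["size"] == expected["size"]
                         and actual["mtime"] == expected["mtime"])
            reason = "hash mismatch, size/mtime preserved" if meta_same else "hash mismatch"
            findings.append((path, reason))
    return findings


def demo():
    """Constructed scenario: fake 'ls' and 'netstat', then 'netstat' is
    swapped for a same-length file with its original mtime restored."""
    d = tempfile.mkdtemp()
    ls, netstat = os.path.join(d, "ls"), os.path.join(d, "netstat")
    for p in (ls, netstat):
        with open(p, "wb") as f:
            f.write(b"ELF original binary bytes")
    baseline = build_baseline([ls, netstat])
    st = os.stat(netstat)
    with open(netstat, "wb") as f:
        f.write(b"ELF trojaned binary bytes")  # same length as the original
    os.utime(netstat, (st.st_atime, st.st_mtime))  # put the old timestamp back
    return verify(baseline)
```

The baseline is only as trustworthy as the state it was taken from, so record it on a fresh install and keep it off the host. A kernel-level rootkit such as the Adore plugin mentioned above can also lie to the process reading the files, so the comparison is most reliable when run from a clean boot medium.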