Posted Dec 11, 2003 3:39 UTC (Thu) by sweikart
Parent article: Lessons from the Debian compromise
> Another crack imperfection was that it generated strange messages
> in the log files which led to the attack's discovery. It turns out
> that one of the system administrators became uneasy as he was
> looking through the log files of one of his machines.
Note that a simple log checking program might have resulted in
much quicker detection.
Unless the attacker was clever enough to disable outgoing mail
(and then clean the logs). Then you would need remote logging (as
available with syslog-ng), with the log checker running on the
logging server (and the logging server needs to be the most secure
server, e.g. only accessible to a few individuals who run very
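The kind of log checker the comment has in mind, as an added example that is not part of the comment or of any Debian tooling: it is meant to run on the central logging server over the stream syslog-ng forwards there, flag messages matching a few assumed suspicious patterns, and, more importantly, flag a host that has gone quiet relative to the others, which is what an attacker cleaning or stopping local logging looks like from the log server's side. The host names, the sample lines and the patterns are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what a central syslog-ng server might receive
# from two hosts (host names and messages are made up for this example).
SAMPLE_LOG = """\
Nov 19 22:00:01 hostA sshd[1021]: Accepted publickey for alice from 192.0.2.10
Nov 19 22:05:12 hostB cron[2210]: (root) CMD (run-parts /etc/cron.hourly)
Nov 19 22:06:40 hostA kernel: Oops: 0000 [#1] unable to handle kernel paging request
Nov 19 22:07:03 hostA syslog-ng[450]: SIGTERM received
Nov 19 23:40:00 hostB cron[2310]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed patterns a site would consider "strange"; tune these to local experience.
SUSPICIOUS = [
    re.compile(r"kernel: Oops"),
    re.compile(r"syslog(-ng)?\[\d+\]: SIGTERM received"),
]
# BSD syslog line: "<Mon DD HH:MM:SS> <host> <rest>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less, fine for ordering
    return ts, m.group(2), m.group(3)

def check_logs(text, silence=timedelta(minutes=30)):
    """Return (kind, host, detail) alerts: 'pattern' hits, then hosts that fell silent."""
    alerts, last_seen = [], {}
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            alerts.append(("unparsable", "-", line))
            continue
        ts, host, msg = parsed
        last_seen[host] = max(ts, last_seen.get(host, ts))
        for pat in SUSPICIOUS:
            if pat.search(msg):
                alerts.append(("pattern", host, msg))
    if last_seen:
        # A host whose stream stopped while others keep logging deserves a look,
        # even if it never produced a "suspicious" message.
        newest = max(last_seen.values())
        for host, ts in last_seen.items():
            if newest - ts > silence:
                alerts.append(("silent", host, f"no messages for {newest - ts}"))
    return alerts
```

Because the checker runs on the logging server, it raises the alert there rather than relying on mail leaving the possibly compromised host.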