Discussion:
can hackers fudge my ppp-trace ?
n***@gmail.com
2010-12-06 04:38:02 UTC
Sorry, my previous post had a wrong 'Subject'.

By listening and watching my dialup modem, I get a good
idea of the traffic flow.
So when I only had called 2 normally low volume fetches,
and the modem-LEDs had been pumping furiously for a
long time, I suspected that someone was READING from me.
So I just cut-the-modem, and saw:-
----
Dec 5 11:21:24 localhost pppd[4114]: Modem hangup
Dec 5 11:21:24 localhost pppd[4114]: Connection terminated.
Dec 5 11:21:24 localhost pppd[4114]: Connect time 3.0 minutes.
Dec 5 11:21:24 localhost pppd[4114]: Sent 35953 bytes, received 279940 bytes.
Dec 5 11:21:24 localhost pppd[4114]: Exit.
---
OK the sent is only about 15% of the received, so most of the traffic was received.
But just in principle: if a hacker was 'reading' my contents, MUST this show
in the ppp-trace like above?

=== TIA
R.L. Horn
2010-12-06 16:57:45 UTC
Post by n***@gmail.com
By listening and watching my dialup modem, I get a good
idea of the traffic flow.
So when I only had called 2 normally low volume fetches,
and the modem-LEDs had been pumping furiously for a
long time, I suspected that someone was READING from me.
Some of the attacks can be pretty aggressive. Mostly I see protocol-based
(telnet, ssh, http, smtp, etc.) and ICMP attacks. Lots and lots of incoming
packets, but mainly troublesome from a DoS perspective provided your system
is reasonably secure.
Post by n***@gmail.com
Dec 5 11:21:24 localhost pppd[4114]: Sent 35953 bytes, received 279940 bytes.
But just in principle: if a hacker was 'reading' my contents, MUST this
show in the ppp-trace like above?
All ppp traffic will be reflected in the log, but a pppd log isn't very
informative. All I can gather from this is that the attacker probably
wasn't particularly successful.
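The point above, that pppd's teardown summary reflects every byte on the link but says nothing about what the bytes were, can at least be turned into a mechanical check. The following Python is an added example, not code from anyone in this thread: it parses the two pppd summary lines quoted above (embedded here as a constructed sample), works out the inbound share and average inbound rate for the session, and compares the received volume against an assumed budget for the fetches the user actually requested; the budget figure and the 2x slack are assumptions, not anything pppd knows.

```python
import re
from dataclasses import dataclass

# Constructed sample: the pppd syslog excerpt quoted in this thread.
SAMPLE_LOG = """\
Dec 5 11:21:24 localhost pppd[4114]: Modem hangup
Dec 5 11:21:24 localhost pppd[4114]: Connection terminated.
Dec 5 11:21:24 localhost pppd[4114]: Connect time 3.0 minutes.
Dec 5 11:21:24 localhost pppd[4114]: Sent 35953 bytes, received 279940 bytes.
Dec 5 11:21:24 localhost pppd[4114]: Exit.
"""

# pppd writes these two summary lines at link teardown; the pid ties them to one session.
TIME_RE = re.compile(r"pppd\[(\d+)\]: Connect time ([\d.]+) minutes\.")
BYTES_RE = re.compile(r"pppd\[(\d+)\]: Sent (\d+) bytes, received (\d+) bytes\.")

@dataclass
class Session:
    pid: int
    minutes: float = 0.0
    sent: int = 0
    received: int = 0

    def received_share(self) -> float:
        """Fraction of all bytes on the link that came in; 0.0 if nothing moved."""
        total = self.sent + self.received
        return self.received / total if total else 0.0

    def received_kbps(self) -> float:
        """Average inbound rate over the whole session, in kbit/s."""
        return self.received * 8 / (self.minutes * 60) / 1000 if self.minutes else 0.0

def parse_sessions(log: str) -> dict:
    """Collect per-pid session summaries from raw pppd syslog text."""
    sessions = {}
    for line in log.splitlines():
        if m := TIME_RE.search(line):
            sessions.setdefault(int(m.group(1)), Session(int(m.group(1)))).minutes = float(m.group(2))
        elif m := BYTES_RE.search(line):
            s = sessions.setdefault(int(m.group(1)), Session(int(m.group(1))))
            s.sent, s.received = int(m.group(2)), int(m.group(3))
    return sessions

def exceeds_budget(session: Session, expected_received: int, slack: float = 2.0) -> bool:
    """True when inbound bytes exceed the (assumed) volume the requested fetches should need."""
    return session.received > expected_received * slack

if __name__ == "__main__":
    s = parse_sessions(SAMPLE_LOG)[4114]  # 50_000 below is an assumed budget for two small fetches
    print(s, f"in {s.received_share():.1%} at {s.received_kbps():.1f} kbit/s", "over budget:", exceeds_budget(s, 50_000))
```

A positive result only says the link carried more than you asked for; whether that was a retransmission storm, an unwanted scan or something else needs a packet capture, not pppd's counters.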
n***@gmail.com
2010-12-08 09:10:24 UTC
Post by R.L. Horn
Post by n***@gmail.com
By listening and watching my dialup modem, I get a good
idea of the traffic flow.
So when I only had called 2 normally low volume fetches,
and the modem-LEDs had been pumping furiously for a
long time, I suspected that someone was READING from me.
Some of the attacks can be pretty aggressive. Mostly I see protocol-based
(telnet, ssh, http, smtp, etc.) and ICMP attacks. Lots and lots of incoming
packets, but mainly troublesome from a DoS perspective provided your system
is reasonably secure.
Can these protocols get in other than via ppp, when I'm dialed in via ppp?
Post by R.L. Horn
Post by n***@gmail.com
Dec 5 11:21:24 localhost pppd[4114]: Sent 35953 bytes, received 279940 bytes.
But just in principle: if a hacker was 'reading' my contents, MUST this
show in the ppp-trace like above?
All ppp traffic will be reflected in the log, but a pppd log isn't very
informative. All I can gather from this is that the attacker probably
wasn't particularly successful.
IMO only routine [office clerk] jobs can be handled as non-root.
I've got to have the 'engine compartment open' all the time,
to handle new situations.

Is it sufficient if ONLY the VT which dials and calls ppp is non-root?
But then perhaps it can't give the stream to e.g. 'lynx <URL>'.
Running as non-root is like tying your shoe laces wearing
boxing-gloves.
