Oops, make that “vnconfig” instead of “losetup”. I couldn’t remember the right name.

Again, I don’t think I was pwn3d. My registry is intact, and I don’t see any other signs of tampering with my system.

First of all, from within the system itself it is impossible to be sure if there was a break in. The attacker could have covered his tracks by changing the logs. He could also modify your tools. So he could have changed your registry, but your compromised registry editor won’t tell you. You have to look at the system from the outside with trusted tools, like from a LiveCD.

Second, with Windows there is no way to be sure there was no break in, even when looking from the outside, because the attacker could have modified the logs. The BSDs aren’t vulnerable to this because you can make the logs append-only so that even root can’t modify them (chflags sappnd /var/logs/authlog).

As an experiment just last month I set up OpenBSD on a VM (Qemu), locked it down, and allowed sshing into it. I gave my friend the root password and the IP address of the machine. I told him to log in, compromise the machine, and cover his tracks, then tell me when he was done. I would then try to find evidence.

I first inspected the machine by sshing in myself as root. He did it! Or so it seemed. I checked authlog, which had been locked down with sappnd. No evidence there, which suprised me. I was wondering how he got past the sappnd flag. Then I suspected that he mounted a loopback device over the logs, so I ran “losetup -a”, which also showed nothing.

It turns out that he actually modifed losetup, mount, umount, and many other tools so they would give me false information. My tools weren’t reliable. So I booted the install CD and investigated from the trusted tools on it. The logs were all intact, and I could see everything he did up until he mounted the loopback device over the logs. It was impossible for him to hide.

So always check from the outside.

I recommend using something like DenyHosts, which will limit the number of guesses from a single IP, then ban that IP in hosts.deny. This did exist back then when you wrote this. ;-)

My DenyHosts setup allows only 3 or 4 wrong guesses for any single IP, then adds the IP to hosts.deny. They don’t even have a chance to guess a legitimate username, let alone a password. Root logins are disabled, and it won’t even let you try to guess root because it will ban you instantly for entering root as the user.