Linux Users' Group of Davis (LUGOD)
Page last updated:
2003 Aug 12 07:04

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] Password NOT stolen at linuxworld

Ryan Castellucci said:
[On the topic of system examination/post mortem]
> I would actually like some help, if anyone is interested.
>
> The machine hasn't been cleaned yet, but as far as I can tell it was
> 0wned quite some time ago, and any logs on the breaking will have
> been rotated into /dev/null

If you have no log files, and the box is still running, and you have
access to mount other filesystems, you can go through /proc and copy apps
loaded into memory to files, in case processes were started from files that
were deleted.

This helps get you some data. The next step I would do (without logs) is
do md5sums on a few tools like lsof and others and compare their sigs to
those of untainted systems, and then use lsof to see what ports are opened
by what services, and then find versions for those services and check a
snort db or other places to see if any have known/published exploits. This
would permit you to focus your attention upon the services that were
vulnerable. Examination of these for "side effects" of the exploit (like odd
permissions or extra files/scripts in specific locations like /dev, /tmp,
/etc) is also useful.

Running an active scanning IDS like snort would seem like a useful method for
an external view of exposure, but some rootkits can contain limits for how
they respond to requests based on src IP address. Local inspection with a
pure/untrojaned lsof is often better. (Of course, with lsof being so
useful, aggressive computer criminals might trojan this and other tools.)

Many exploits will leave behind scripts designed to elevate local non-root
users to root. Examining the published exploits for results and then
tracking the results on your box may help you with this process.

Again, without log files, you are in a tough position. I'd like to hear
about what you find in your examinations of services, service
versions and whether any services show up as running even though you did not
start them.

There was another tool that was originally published as "The Grave Robbers
Tool Kit" but was published under another name. It was a tool for helping
to perform post mortems on b0rken systems. Dan Farmer of SATAN fame and
Wietse Venema of tcp wrappers, etc. fame worked on this project ages ago.
Not sure it is still maintained, and I don't recall the new name it was
given.
Was it "The Coroner's Toolkit"? Hmm, I can't recall. GRTK is what they
called it at the demo in New York many years back, and that is the name I
remembered....

You may be able to use GRTK from external media/disk to decrease lost
data as a result of overwriting "freed" space on your disk.

HTH,
-ME

_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
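A small triage script in the spirit of the steps in the post above (an added example, not code from the post, LUGOD, or the tools it mentions): it records processes whose on-disk executable has been deleted, copies their still-mapped images out of /proc onto external media, and compares md5sums of local tools against a list taken from an untainted system. It assumes a live Linux box with /proc mounted and coreutils available; the hash-list path and output directory are placeholders.

```sh
#!/bin/sh
# Post-mortem triage helpers (added example, not code from the original post).
# Assumes a live Linux box with /proc mounted, coreutils (md5sum, readlink, cut),
# and a "md5  /path" list produced on an untainted system of the same version.
# Run the tools themselves (md5sum, lsof, ...) from external media where possible,
# since binaries on the suspect disk may have been replaced.

# Print "PID target" for every process whose executable was unlinked from disk.
# The kernel marks such /proc/PID/exe links with a trailing " (deleted)".
deleted_exe_pids() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${p#/proc/} $target" ;;
        esac
    done
}

# Copy the still-mapped image of each such process into $1, a directory that
# should live on external media rather than the suspect disk.
preserve_deleted_exes() {
    outdir=$1
    mkdir -p "$outdir"
    deleted_exe_pids | while read -r pid target; do
        cp "/proc/$pid/exe" "$outdir/pid$pid.bin" && \
            echo "saved pid $pid ($target) -> $outdir/pid$pid.bin"
    done
}

# Compare local tools against a trusted list of "md5  /path" lines (md5sum output).
# Prints a MISSING or MISMATCH line per problem; returns 1 if anything differs.
compare_tool_hashes() {
    good=$1
    rc=0
    while read -r hash path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        local_hash=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$local_hash" != "$hash" ]; then
            echo "MISMATCH $path expected=$hash got=$local_hash"; rc=1
        fi
    done < "$good"
    return $rc
}
```

Typical use would be `preserve_deleted_exes /mnt/external/evidence` followed by `compare_tool_hashes /mnt/external/known-good-md5.txt`, with the hash list built on a clean machine of the same distribution and version.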
