
[no subject]



Pull the hard drives out and put them on a shelf.  Rebuild off new
drives so you can do a post-mortem.  Then, when you can, image the hard
drives and mount the images loopback, read-only, so you don't accidentally
modify them or run something in $PATH.  Now you can use "find" to find
the directories you're looking for, as well as some other tools.  You can
also look at:

<a rel="nofollow" href="http://odessa.sourceforge.net/">http://odessa.sourceforge.net/</a>
<a rel="nofollow" href="http://www.sleuthkit.org/sleuthkit/desc.php">http://www.sleuthkit.org/sleuthkit/desc.php</a>

Both are good forensics tools.




Thus spake Nick Travis (wormfishin at gmail.com):

&gt; We have a system at work that has been compromised.  It looks like
&gt; they got in and used several different executable files.  I've got the
&gt; command history; however, I don't think it is complete.  For example, I
&gt; see that directories were created, but I never saw that they were
&gt; removed and I can't find them.  It looks like about 5 ftp sites were
&gt; hit and there were about 3 wget commands to pull down files.  Also
&gt; apache was downloaded and installed, even though it was already
&gt; running on the system.  So here's my question: I know that rebuilding
&gt; the system is the only way to be sure that there is nothing else
&gt; hidden on it, but that's not an option at this point.  Are there any
&gt; good HowTos or books out there that can give me some direction on how
&gt; to check the system for irregularities?  This is the first time I've
&gt; dealt with this, so I would like to learn as much as I can about it.
&gt; I've already determined how they got in.  A user made their password
&gt; the same as their login name, which obviously is no longer allowed.
&gt; BTW the system is running Red Hat 7.3.
&gt; 
&gt; Nick
&gt; _______________________________________________
&gt; Ale mailing list
&gt; Ale at ale.org
&gt; <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar



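The procedure in the reply above (image the pulled drives, mount the image loopback read-only, then search it with find), as an added shell example that is not part of the original post. Device, image and mount paths and the cut-off timestamp are placeholders, and the DIR/FILE/SUID tagging of the find output is my own convention; the imaging and mount steps need root.

```shell
#!/bin/sh
# Added example, not from the list post. Walks the reply's procedure:
# image the pulled drive, mount the image read-only over loopback, then
# search the mounted tree with find. Paths and the cut-off date are
# placeholders; image_disk and mount_image_ro need root.
set -eu

# Bit-for-bit copy of the drive, hashed immediately so later work can be
# shown not to have altered the evidence.
image_disk() {  # image_disk /dev/sdb /evidence/sdb.img
    dd if="$1" of="$2" bs=4M conv=noerror,sync
    sha256sum "$2" > "$2.sha256"
}

# Mount the image so nothing on it can be changed or run by accident:
#   ro     no writes, no atime updates
#   noexec binaries from the image cannot be executed
#   nosuid setuid/setgid bits on the image are ignored
#   nodev  device nodes on the image are ignored
mount_image_ro() {  # mount_image_ro /evidence/sdb.img /mnt/evidence
    mount -o ro,noexec,nosuid,nodev,loop "$1" "$2"
}

# Search the mounted tree (never the live system) for directories and
# files modified after the suspected intrusion time, plus every
# setuid/setgid file regardless of age. Output lines are tagged
# DIR/FILE/SUID with paths relative to the image root.
# "since" is a touch -t timestamp, [CC]YYMMDDhhmm, e.g. 200403010000.
find_suspicious() {  # find_suspicious /mnt/evidence 200403010000
    root=$1; since=$2
    stamp=$(mktemp)            # reference file carrying the cut-off mtime
    touch -t "$since" "$stamp"
    (
        cd "$root" || exit 1
        # -xdev keeps find on the image. -newer compares mtime, which an
        # intruder can reset with touch, so repeat with -cnewer (ctime)
        # when the mtime search looks too clean.
        find . -xdev -type d -newer "$stamp" | sed 's/^/DIR  /'
        find . -xdev -type f -newer "$stamp" | sed 's/^/FILE /'
        find . -xdev -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SUID /'
    )
    rm -f "$stamp"
}
```

Run it as `find_suspicious /mnt/evidence 200403010000` after the image is mounted; the tagged lines can be sorted and diffed against a clean install of the same release.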

</pre>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00362" href="msg00362.html">[ale] Comprimised System</a></strong>
<ul><li><em>From:</em> wormfishin at gmail.com (Nick Travis)</li></ul></li>
</ul></li></ul>
</body>
</html>