Security Basics mailing list archives
Re: tools to run on compromised linux box
From: Erin Carroll <amoeba () amoebazone com>
Date: Wed, 6 Aug 2008 19:20:37 +0000 (UTC)
I agree with Adriel on scenario #1 but would add to it. If this is an existing compromised machine, dd the disk to do offline forensics and wipe & re-install the machine.
Though you'll lose anything in memory, you should hopefully be able to get an idea of the scope of the compromise from forensics on the disk image and, more importantly, the vector used to compromise. If you have a weakness in your security model or systems you want to know where so you can address/patch it on other systems which may share the same weakness.
The reason people are recommending using a LiveCD like Backtrack3 for forensics is because you cannot trust any of the data or binaries on the compromised server. One very common rootkit tactic is to replace or modify commands (like ps, ls, du, ssh, etc) with trojaned copies that hide rootkit processes or collect & forward password, financial, or other data. A good example is the old T0rn rootkit. Check out http://www.securityfocus.com/infocus/1230. I ran into this one on a client machine back in 2001. Fortunately it was easy to detect... a RH-oriented rootkit installed on a Solaris OS = Script kiddie FAIL. :)
--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"Do Not Taunt Happy-Fun Ball"

On Wed, 6 Aug 2008, Adriel Desautels wrote:
> Lister,
>
> Are you doing this for a system that was compromised and is running on your network or are you doing this for your own edification?
>
> If you are asking this question for the first reason, then you should just re-install the system. Once a computer system has been compromised the integrity of its software cannot be guaranteed and as such cannot be trusted to be safe. It's a waste of time and resources to try to "clean" the system, it's much more simple (in most cases) to just reinstall.
>
> If you are asking for your own edification and if this is for research then there are many forensic tools that you can use. Check the sleuth kit for a good free one. If you want to pay for a commercial tool then check encase (but it's expensive and if you don't have the experience then don't waste your money). There are many and Google is your friend.
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
>
> Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com - "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know : http://tinyurl.com/26pjsn
>
> lister () lihim org wrote:
>> Can anyone recommend some tools to run on a compromised linux box to determine if there is further infestation? (rootkits, etc).
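An added example, not from Erin's or Adriel's posts, of the offline check the thread describes: from a trusted live environment, image the disk with dd, mount the image read-only, and compare the image's system binaries against a hash manifest taken from a known-good host of the same distribution and version. The device and mount paths, the manifest format (plain `sha256sum` output) and the sample tree are this example's own assumptions; the sample tree is constructed inline so the script runs without a real disk image.

```shell
#!/bin/sh
# Added example (not from the original thread). Hashing is done from a trusted
# live environment: nothing on the compromised disk is executed, so trojaned
# copies of ls/ps/du cannot hide themselves from the comparison.
#
# Step 1 (assumed device and evidence paths): image the disk and record the
# image hash so the copy can later be shown to be unaltered.
#   dd if=/dev/sda of=/mnt/evidence/sda.img bs=4M conv=noerror,sync
#   sha256sum /mnt/evidence/sda.img > /mnt/evidence/sda.img.sha256
# Step 2: mount the image read-only, with no execution from it.
#   mount -o ro,loop,noexec,nodev /mnt/evidence/sda.img /mnt/image
# Step 3: compare its binaries with a manifest from a clean host (below).

# verify_manifest ROOT MANIFEST
# MANIFEST holds "<sha256>  <absolute path>" lines as written by sha256sum on a
# known-good host. Prints "MODIFIED <path>" or "MISSING <path>" for every
# binary under ROOT that differs from, or is absent from, the manifest, and
# returns the number of such findings (0 means everything matched).
verify_manifest() {
    root=$1
    manifest=$2
    findings=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            findings=$((findings + 1))
            continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            findings=$((findings + 1))
        fi
    done < "$manifest"
    return "$findings"
}

# make_sample_tree DIR
# Builds a constructed sample (not a real system) under DIR: a manifest for
# /bin/ls, /bin/ps and /bin/du taken while they are intact, then a "rootkit"
# that swaps out ps and removes du, as the T0rn-style replacement described
# in the thread would.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/image/bin"
    printf 'original ls\n' > "$dir/image/bin/ls"
    printf 'original ps\n' > "$dir/image/bin/ps"
    printf 'original du\n' > "$dir/image/bin/du"
    for f in ls ps du; do
        printf '%s  /bin/%s\n' \
            "$(sha256sum "$dir/image/bin/$f" | cut -d' ' -f1)" "$f"
    done > "$dir/manifest.sha256"
    printf 'trojaned ps\n' > "$dir/image/bin/ps"
    rm "$dir/image/bin/du"
}

# Stand-alone demonstration on the constructed tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
verify_manifest "$tmp/image" "$tmp/manifest.sha256" \
    || echo "$? binaries differ from the known-good manifest"
rm -rf "$tmp"
```

On a real image, point `verify_manifest` at the mount point (`/mnt/image` in the assumed layout) and at a manifest generated on a clean host of the same distribution and package versions; a hit on `ps`, `ls`, `netstat` or `sshd` is exactly the kind of replacement Erin describes, and anything flagged should be examined on the image, never by running it.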
Current thread:
- tools to run on compromised linux box lister (Aug 06)
- Re: tools to run on compromised linux box Sukbum Hong (Aug 06)
- Re: tools to run on compromised linux box Nikhil Wagholikar (Aug 06)
- RE: tools to run on compromised linux box Murda Mcloud (Aug 06)
- Re: tools to run on compromised linux box Ansgar -59cobalt- Wiechers (Aug 07)
- RE: tools to run on compromised linux box Murda Mcloud (Aug 07)
- RE: tools to run on compromised linux box Murda Mcloud (Aug 06)
- Re: tools to run on compromised linux box Adriel Desautels (Aug 06)
- Re: tools to run on compromised linux box Erin Carroll (Aug 06)
- Re: tools to run on compromised linux box linux.gheek (Aug 06)
- <Possible follow-ups>
- Re: tools to run on compromised linux box jason . gerfen (Aug 06)