Full Disclosure mailing list archives
Re: Linux - Indicators of compromise
From: Benji <me () b3nji com>
Date: Mon, 16 Jul 2012 14:55:11 +0100
"All compromised systems talk to the Internet to dump data or route spam." yup, this is 1000% true and utterly foolproof.

On Mon, Jul 16, 2012 at 2:48 PM, Gary Baribault <gary () baribault net> wrote:

> I suggest one of the first answers was the good one: intercept the traffic routed to the internet with TCPDump. Filter out the normal traffic and see what's left. All compromised systems talk to the Internet to dump data or route spam. Be patient, some systems talk all the time, some once an hour .. but you will find some unexplained traffic. Once you do find that you're infected, don't bother cleaning up the system, format and restore the data!
>
> Gary Baribault
> Email: gary () baribault net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 07/16/2012 09:40 AM, valdis.kletnieks () vt edu wrote:
>
>> On Sat, 14 Jul 2012 12:46:50 -0000, "Ali Varshovi " said:
>>
>>> Most of the materials I've seen are more aligned to malware and rootkit detection which is not the only concern apparently.
>>
>> It's hard to say what else to check without knowing what other concerns you're checking for, and what data sources are available (I'm thinking about auditd and friends, but there's other data sources as well).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
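Gary's suggestion above (capture outbound traffic, filter out what you can explain, look at what is left) as an added Python example that is not part of this thread: it parses constructed `tcpdump -nn -tttt` style lines for one host, drops destination/port pairs on a hypothetical allowlist, and checks whether a remaining destination is contacted at a near-constant interval, the "once an hour" case. The host address, the allowlist and the sample lines are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of `tcpdump -nn -tttt` output (not a real capture).
SAMPLE = """\
2012-07-16 14:00:01.000000 IP 192.0.2.10.51234 > 192.0.2.1.53: 12345+ A? example.com. (29)
2012-07-16 14:00:05.000000 IP 192.0.2.10.51235 > 203.0.113.20.443: Flags [S], seq 1, win 65535, length 0
2012-07-16 14:00:09.000000 IP 192.0.2.10.51236 > 198.51.100.7.6667: Flags [S], seq 2, win 65535, length 0
2012-07-16 14:00:09.100000 IP 198.51.100.7.6667 > 192.0.2.10.51236: Flags [S.], seq 9, ack 3, win 65535, length 0
2012-07-16 15:00:09.000000 IP 192.0.2.10.51240 > 198.51.100.7.6667: Flags [S], seq 3, win 65535, length 0
2012-07-16 16:00:08.000000 IP 192.0.2.10.51244 > 198.51.100.7.6667: Flags [S], seq 4, win 65535, length 0
2012-07-16 16:00:10.000000 IP 192.0.2.10.123 > 192.0.2.1.123: NTPv4, Client, length 48
"""

# timestamp, src ip, src port, dst ip, dst port
LINE = re.compile(r"^(\S+ \S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Hypothetical "normal" traffic for this host: its resolver (DNS, NTP) and one known HTTPS peer.
NORMAL = {("192.0.2.1", 53), ("192.0.2.1", 123), ("203.0.113.20", 443)}

def unexplained_flows(text, local_ip, normal=NORMAL):
    """Group outbound packets from local_ip by (dst, port), dropping known-normal pairs."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != local_ip:
            continue  # unparseable, or not outbound from the host we are watching
        key = (m.group(4), int(m.group(5)))
        if key in normal:
            continue  # explained traffic: "filter out the normal"
        flows[key].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"))
    return dict(flows)

def intervals(times):
    """Seconds between successive packets to one destination."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def looks_periodic(times, tolerance=0.05):
    """True when there are at least two gaps and every gap is within tolerance of
    their mean; a host that phones home "once an hour" shows up this way."""
    gaps = intervals(times)
    if len(gaps) < 2:
        return False
    avg = sum(gaps) / len(gaps)
    return all(abs(g - avg) <= tolerance * avg for g in gaps)

if __name__ == "__main__":
    for (dst, port), times in unexplained_flows(SAMPLE, "192.0.2.10").items():
        print(f"{dst}:{port}  {len(times)} packets  periodic={looks_periodic(times)}")
```

Against a real capture, feed it `tcpdump -nn -tttt -i <iface> -l 'src host <local ip>'` output and grow the allowlist as each destination is explained; what stays on the list is the traffic Gary tells you to chase.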