Security Incidents mailing list archives
Re: rpc.statd exploit?
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Sat, 19 Aug 2000 13:48:30 -0700
On Fri, 18 Aug 2000, azimuth wrote:
> If you do file integrity checks with Tripwire or similar software, go over your suspect system looking for changes.
Even if you do, they may add things that tripwire isn't checking for. A better way is to use the grave-robber/mactime programs found in Wietse Venema/Dan Farmer's The Coroner's Toolkit. I have a write-up on the steps (feedback from anyone welcome):

http://staff.washington.edu/dittrich/misc/forensics/
http://staff.washington.edu/dittrich/talks/blackhat/

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu          Client Services
http://staff.washington.edu/dittrich    University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5