Full Disclosure mailing list archives

Re: Linux - Indicators of compromise


From: Gary Baribault <gary () baribault net>
Date: Mon, 16 Jul 2012 09:48:05 -0400

I suggest one of the first answers was the good one: intercept the
traffic routed to the Internet with tcpdump. Filter out the normal
traffic and see what's left. All compromised systems talk to the
Internet to dump data or route spam. Be patient, some systems talk all
the time, some once an hour ... but you will find some unexplained
traffic. Once you do find that you're infected, don't bother cleaning up
the system, format and restore the data!

Gary Baribault
E-mail: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 07/16/2012 09:40 AM, valdis.kletnieks () vt edu wrote:
> On Sat, 14 Jul 2012 12:46:50 -0000, "Ali Varshovi " said:
>> Most of the materials I've seen are more aligned to malware and rootkit
>> detection which is not the only concern apparently.
> It's hard to say what else to check without knowing what other concerns
> you're checking for, and what data sources are available (I'm thinking about
> auditd and friends, but there's other data sources as well).

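The procedure described in the post above (capture outbound traffic, subtract the traffic you can explain, and look at what recurs) as an added worked example; this is not code from the original message or from any project it mentions. It assumes the capture was written with `tcpdump -nn -tt` (epoch timestamps, no name resolution), that the monitored LAN is 10.0.0.0/8, and that the "normal" baseline is a hand-built allowlist of (destination, port) pairs. The sample capture lines and the addresses in them (RFC 5737 documentation ranges) are constructed for the example; the periodicity check (flag a destination contacted at a near-constant interval) is one way to make "some once an hour" stand out in a long capture.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in the format of `tcpdump -nn -tt` output. NOT a real
# capture: the addresses come from the RFC 5737 documentation ranges. One
# host (198.51.100.7:8080) is contacted roughly once an hour.
SAMPLE_CAPTURE = """\
1342446000.103451 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 100, win 29200, length 0
1342446000.120212 IP 203.0.113.10.443 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
1342446000.120399 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [.], ack 1, win 29200, length 0
1342446001.000000 IP 10.0.0.5.40001 > 192.0.2.53.53: 4242+ A? example.net. (29)
1342446002.500000 IP 10.0.0.5.51235 > 198.51.100.7.8080: Flags [S], seq 300, win 29200, length 0
1342446700.000000 IP 10.0.0.5.51236 > 203.0.113.10.443: Flags [S], seq 400, win 29200, length 0
1342449602.700000 IP 10.0.0.5.51237 > 198.51.100.7.8080: Flags [S], seq 500, win 29200, length 0
1342450100.000000 IP 10.0.0.5.40002 > 192.0.2.53.53: 4243+ A? example.net. (29)
1342453202.300000 IP 10.0.0.5.51238 > 198.51.100.7.8080: Flags [S], seq 600, win 29200, length 0
1342455000.000000 IP 10.0.0.5.51239 > 203.0.113.10.443: Flags [S], seq 700, win 29200, length 0
1342456802.600000 IP 10.0.0.5.51240 > 198.51.100.7.8080: Flags [S], seq 800, win 29200, length 0
"""

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed: the monitored LAN

# Assumed baseline of "normal" traffic: here only the site resolver. In
# practice this allowlist is built from the first capture window and grows
# as each flow is explained; whatever is left over is what you investigate.
BASELINE = {("192.0.2.53", 53)}

# Matches the start of a tcpdump IPv4 line; the Flags group is absent for UDP.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):(?: Flags \[(?P<flags>[^\]]*)\])?"
)


def parse_line(line):
    """Return (ts, src, dst, dport, flags) or None. flags is None for non-TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (float(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["flags"])


def outbound_flows(capture, local_net=LOCAL_NET, baseline=BASELINE):
    """Keep only new outbound flows (TCP SYNs and UDP datagrams) from the
    local net to the outside that the baseline does not already explain."""
    flows = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if flags is not None and flags != "S":
            continue  # only the bare SYN marks a new TCP connection
        if (ipaddress.ip_address(src) not in local_net
                or ipaddress.ip_address(dst) in local_net):
            continue  # inbound or purely internal traffic
        if (dst, dport) in baseline:
            continue  # normal traffic, filtered out
        flows.append((ts, dst, dport))
    return flows


def find_beacons(flows, min_hits=3, max_cv=0.2):
    """Group leftover flows per (dst, dport) and flag those contacted at a
    near-constant interval (coefficient of variation of the gaps <= max_cv).
    Irregular destinations (browsing, updates) fail this test; a scheduled
    check-in passes it even when the interval is long."""
    by_dest = defaultdict(list)
    for ts, dst, dport in flows:
        by_dest[(dst, dport)].append(ts)
    beacons = {}
    for key, stamps in by_dest.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = {"hits": len(stamps),
                            "interval_s": round(avg, 1),
                            "cv": round(cv, 4)}
    return beacons


if __name__ == "__main__":
    leftover = outbound_flows(SAMPLE_CAPTURE)
    print(f"{len(leftover)} unexplained outbound flows")
    for (dst, dport), info in find_beacons(leftover).items():
        print(f"{dst}:{dport} contacted every ~{info['interval_s']}s "
              f"({info['hits']} hits, cv={info['cv']})")
```

Feed it a real file with `tcpdump -nn -tt -i eth0 'not arp' -w - | tcpdump -nn -tt -r -` piped into `SAMPLE_CAPTURE`'s place, and lower `max_cv` or raise `min_hits` as the capture window grows; a long window is what makes hourly (or daily) check-ins separable from ordinary traffic.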

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

