RE: tools to run on compromised linux box

["Murda Mcloud" <murdamcloud () bigpond com>]

Hi Lister-lots of great ideas already. I'll add my two Aussie cents in(which
are almost worth two US cents).

Nikhil's suggestion of booting to another OS to do the investigation is an
important choice-otherwise you run the risk of further infection or
destroying potential evidence by writing over files that could be recovered.

Another suggestion would be to image the compromised box. Then you can take
your time. Adepto on the Helix cd is great for this kind of op.

My feeling is that working out how the compromise took place is very
important because I've seen boxes get rinsed and reloaded then put back into
production only to be re-infected. Why? Because we didn't know what had
caused the infection in the first place. And if you have an SOE then it
could be game over for your network. Obviously, time/money etc come into
play here.

Sometimes, it may even be an idea to leave the box live and running if you
want to try and 'follow' the trail. But this has a certain amount of risk
attached to it. 
Maybe you could dump the physical memory and see what was there before you
kill the box.

Good luck.

> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of Nikhil Wagholikar
> > Sent: Thursday, August 07, 2008 12:17 AM
> > To: security-basics () securityfocus com
> > Subject: Re: tools to run on compromised linux box
> >
> > Hi Lister,
> >
> > Since the Linux machine is already compromised, its recommended to
> > boot into an alternate operating system and start investigating the
> > compromised system. There are many Bootable Forensics CDs out in
> > market one of the popular out of them is HELIX.
> >
> > Besides this, NII Consulting has developed a open source tool named
> > 'LINReS', which is used to perform Live incident response of a
> > compromised Linux machine. LINReS is basically a software/tool in
> > which all the useful Linux commands (such as netstat, netcat, lsof,
> > dir, ls, ps etc) are statically compiled and packed in an archive.
> > Hence an Forensic investigator can easily relay on LINReS, since you
> > may never know, if the commands/binaries of the compromised Linux
> > machines are replaced by hacker i.e. root kitted.
> >
> > More Information:
> >
> > Helix: http://www.e-fense.com/helix/downloads.php
> >
> > LINReS: http://www.niiconsulting.com/innovation/linres.html
> >
> > Best of Luck !!
> >
> > ---
> > Nikhil Wagholikar
> > Practice Lead | Security Assessment
> > NII Consulting
> > Web: http://www.niiconsulting.com/
> > Security Products: http://www.niiconsulting.com/products.html
> >
> >
> >
> > On Wed, Aug 6, 2008 at 5:20 AM, <lister () lihim org> wrote:
> > > Can anyone recommend some tools to run on a compromised linux
> > > box to determine if there is further infestation? (rootkits, etc).