Security Basics mailing list archives
RE: tools to run on compromised linux box
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Thu, 7 Aug 2008 06:31:55 +1000
Hi Lister, lots of great ideas already. I'll add my two Aussie cents in (which are almost worth two US cents).

Nikhil's suggestion of booting to another OS to do the investigation is an important choice; otherwise you run the risk of further infection or destroying potential evidence by writing over files that could be recovered.

Another suggestion would be to image the compromised box. Then you can take your time. Adepto on the Helix CD is great for this kind of op.

My feeling is that working out how the compromise took place is very important, because I've seen boxes get rinsed and reloaded then put back into production only to be re-infected. Why? Because we didn't know what had caused the infection in the first place. And if you have an SOE then it could be game over for your network. Obviously, time/money etc. come into play here.

Sometimes it may even be an idea to leave the box live and running if you want to try and 'follow' the trail. But this has a certain amount of risk attached to it. Maybe you could dump the physical memory and see what was there before you kill the box.

Good luck.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nikhil Wagholikar
Sent: Thursday, August 07, 2008 12:17 AM
To: security-basics () securityfocus com
Subject: Re: tools to run on compromised linux box

Hi Lister,

Since the Linux machine is already compromised, it's recommended to boot into an alternate operating system and start investigating the compromised system. There are many bootable forensics CDs out in the market; one of the most popular of them is HELIX.

Besides this, NII Consulting has developed an open source tool named 'LINReS', which is used to perform live incident response of a compromised Linux machine. LINReS is basically a software/tool in which all the useful Linux commands (such as netstat, netcat, lsof, dir, ls, ps etc.) are statically compiled and packed in an archive. Hence a forensic investigator can easily rely on LINReS, since you may never know if the commands/binaries of the compromised Linux machine have been replaced by the hacker, i.e. rootkitted.

More Information:
Helix: http://www.e-fense.com/helix/downloads.php
LINReS: http://www.niiconsulting.com/innovation/linres.html

Best of Luck !!

---
Nikhil Wagholikar
Practice Lead | Security Assessment
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html

On Wed, Aug 6, 2008 at 5:20 AM, <lister () lihim org> wrote:
> Can anyone recommend some tools to run on a compromised linux box to determine if there is further infestation? (rootkits, etc).
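As an added example, not code from either poster and not part of LINReS or Helix: a small POSIX shell live-response script that follows the advice in this thread. It runs only statically linked, known-good binaries from a mounted toolkit directory, writes its output to external media rather than the suspect filesystem, hashes every artifact it collects, and compares the suspect box's system binaries against a hash manifest taken from a clean build of the same SOE. The paths $TRUSTED_BIN and $EVIDENCE_DIR, the list of commands collected, and the manifest format (plain sha256sum output) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: minimal live-response collector in the spirit of the thread.
# Assumptions (not from the original posts): a directory of statically linked,
# known-good binaries is mounted read-only at $TRUSTED_BIN (e.g. from a
# forensics CD), and evidence goes to $EVIDENCE_DIR on external media.
set -u

TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/static-bin}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/usb/evidence}"

# Run one command from the trusted toolkit only, capture its output and hash it.
# Returns 0 if collected, 1 if the tool is not in the toolkit. Nothing is
# written to the compromised system's own filesystem.
collect_one() {
    name="$1"; shift
    tool="$TRUSTED_BIN/$name"
    out="$EVIDENCE_DIR/$name.txt"
    if [ ! -x "$tool" ]; then
        printf '%s: MISSING from toolkit\n' "$name" >> "$EVIDENCE_DIR/collection.log"
        return 1
    fi
    # PATH is restricted to the toolkit so the tool cannot pick up helpers
    # (or a rootkit's replacements) from the suspect box.
    PATH="$TRUSTED_BIN" "$tool" "$@" > "$out" 2>&1
    "$TRUSTED_BIN/sha256sum" "$out" >> "$EVIDENCE_DIR/hashes.sha256"
    printf '%s: collected\n' "$name" >> "$EVIDENCE_DIR/collection.log"
    return 0
}

# Volatile data first (most fragile), then configuration. Order of volatility:
# time and identity, processes, sockets, open files, ARP/neighbour cache,
# mounts, kernel modules, logins. Memory capture is deliberately left out here
# because the tool depends on the kernel in use.
run_collection() {
    mkdir -p "$EVIDENCE_DIR" || return 1
    n=0
    for spec in "date" "uname -a" "id" "w" "ps auxww" "ss -tupan" \
                "netstat -tupan" "lsof -n -P" "ip addr" "ip neigh" \
                "mount" "lsmod" "last -a"; do
        set -- $spec                      # intentional word split of the spec
        collect_one "$@" && n=$((n+1))
    done
    printf 'collected %d outputs into %s\n' "$n" "$EVIDENCE_DIR"
}

# Compare files on the suspect box against a manifest of sha256 hashes taken
# from a clean machine of the same build ("<hash>  <absolute path>" lines, as
# sha256sum prints them). An optional root prefix lets you check a mounted
# image instead of the live system. Prints each MODIFIED or MISSING file and
# returns the number of mismatches as its exit status (0 = all clean).
verify_manifest() {
    manifest="$1"
    root="${2:-}"
    bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        file="$root$path"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=$((bad+1))
            continue
        fi
        actual=$("$TRUSTED_BIN/sha256sum" "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
            bad=$((bad+1))
        fi
    done < "$manifest"
    return "$bad"
}

# Usage (assumed): ./live-response.sh collect
#                  ./live-response.sh verify /mnt/usb/clean-manifest.sha256 [/mnt/image]
case "${1:-}" in
    collect) run_collection ;;
    verify)  shift; verify_manifest "$@" ;;
esac
```

The manifest for `verify` should be generated on a trusted machine of the same SOE build (or from the distribution's own package files), never on the suspect box, and it only catches replaced files on disk; a kernel-level rootkit that hides processes or sockets will not show up in `ps` or `ss` output even when those binaries are clean, which is why the thread's advice to image the disk and investigate from a separately booted OS still stands.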
Current thread:
- tools to run on compromised linux box lister (Aug 06)
- Re: tools to run on compromised linux box Sukbum Hong (Aug 06)
- Re: tools to run on compromised linux box Nikhil Wagholikar (Aug 06)
- RE: tools to run on compromised linux box Murda Mcloud (Aug 06)
- Re: tools to run on compromised linux box Ansgar -59cobalt- Wiechers (Aug 07)
- RE: tools to run on compromised linux box Murda Mcloud (Aug 07)
- RE: tools to run on compromised linux box Murda Mcloud (Aug 06)
- Re: tools to run on compromised linux box Adriel Desautels (Aug 06)
- Re: tools to run on compromised linux box Erin Carroll (Aug 06)
- Re: tools to run on compromised linux box linux.gheek (Aug 06)
- <Possible follow-ups>
- Re: tools to run on compromised linux box jason . gerfen (Aug 06)