Educause Security Discussion mailing list archives
Re: SSNs, rootkits, Incident Response, etc...
From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 6 Jul 2006 16:55:11 -0400
If all your servers have uniform OS images, you may be able to achieve part of your goal using the free version of Tripwire (with a retroactive config file based on the image). It could help determine if the base OS files are intact. Normally, Tripwire is a pre-incursion detective tool, but when the intended state is known, it may also help as a post-hoc tool.

Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies

John Tooley wrote:
Very interesting. We (ISO) have been asked to run assessments on ALL (200+) servers in our environment after one of our systems was compromised. So we are trying to come up with a toolkit that scans for compromises (rootkits, Trojans, etc.) and has secure reporting abilities. One of the challenges is just finding tools that work on all our flavors... Windows, Unix (HP, Alpha), Linux, Solaris. And the greatest challenge is finding something straightforward enough to use so we can give this to our techs to run and they don't require a forensics background! So where's the beta :)

JT

John R. Tooley, CISSP
Information Security Analyst
California State University, Northridge

-----Original Message-----
From: Gary Golomb [mailto:coach () GWU EDU]
Sent: Thursday, July 06, 2006 6:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SSNs, rootkits, Incident Response, etc...

Hi there all-

There have been a few threads touching on this over the past few months, so I figured I'd throw this out to the list... We have a custom-developed application (not a script/wrapper) that performs incident response functions, searches for social security numbers, probes for kernel-level rootkits, searches for trojans commonly missed by virus scanners, encrypts/uploads reports, etc., etc.... See the attached file for more information. (Hopefully it goes through... If not, I'll make a follow-up post with more details...)

My questions are:
- Who else has something like this or is using something like it already?
- How much interest would others have in *really* using it?

Thanks in advance. Off list replies are fine with me...

-gary

------
Gary Golomb
Computer Forensics Engineer
ISS/Network Systems Security
801 22nd St NW Rm B204A
Washington, DC 20052
coach () gwu edu
http://home.gwu.edu/~coach
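The post-hoc use of a known-good OS image that Gary Dobbins describes, as an added example that is not part of the original thread or of Tripwire itself: a simplified Tripwire-style check that records hashes, modes and sizes from the image and then reports modified, missing and added files on a host. All file names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """Hash plus the metadata a Tripwire-style check compares (mode, size)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def build_manifest(root):
    """Walk a tree and record every regular file (symlinks skipped) relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def verify(manifest, root):
    """Compare a host tree against the manifest built from the known-good image."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": sorted(set(current) - set(manifest))}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual != expected:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample: a golden image and a host with one tampered, one removed, one added file."""
    with tempfile.TemporaryDirectory() as image, tempfile.TemporaryDirectory() as host:
        for base in (image, host):
            Path(base, "bin").mkdir()
            Path(base, "bin", "ls").write_bytes(b"original ls\n")
            Path(base, "bin", "ps").write_bytes(b"original ps\n")
        manifest = build_manifest(image)           # baseline from the uniform OS image
        Path(host, "bin", "ps").write_bytes(b"trojaned ps\n")  # same size; only the hash differs
        Path(host, "bin", "ls").unlink()
        Path(host, "bin", "extra").write_bytes(b"unexpected file\n")
        return verify(manifest, host)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be generated once from the image and signed or stored off-host, since a manifest kept on a compromised machine can be altered along with the files it describes.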
Current thread:
- SSNs, rootkits, Incident Response, etc... Gary Golomb (Jul 06)
- <Possible follow-ups>
- Re: SSNs, rootkits, Incident Response, etc... Graham Toal (Jul 06)
- Re: SSNs, rootkits, Incident Response, etc... John Tooley (Jul 06)
- Re: SSNs, rootkits, Incident Response, etc... John (Jul 06)
- Re: SSNs, rootkits, Incident Response, etc... Gary Dobbins (Jul 06)
- Re: SSNs, rootkits, Incident Response, etc... Gary Golomb (Jul 06)
- Re: SSNs, rootkits, Incident Response, etc... Graham Toal (Jul 07)
- Re: SSNs, rootkits, Incident Response, etc... Valdis Kletnieks (Jul 07)
- Re: SSNs, rootkits, Incident Response, etc... Alan Amesbury (Jul 18)