Full Disclosure mailing list archives
Re: Linux - Indicators of compromise
From: Michael Stummvoll <fulldis () stummi org>
Date: Mon, 16 Jul 2012 11:20:55 +0200
Greetings FD,
Hi
Does anyone have any guidelines/useful material on analysis logs of a Linux machine to detect signs of compromise?
First thing: You can NOT surely determine if a machine is compromised within the machine itself. Once a machine is compromised it can (theoretical) react to all your approach to detect it and manipulate the output of your tools. If there is something compromised there is a high chance that it has to communicate to somebody. So you could dump the network traffic on your router or add an (transparent) networklogger between your machine and the router. Another way would be shutting down the machine an analyzing it with an live-cd. But there is not a general way to go sure, its compromised or not. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Linux - Indicators of compromise Ali Varshovi (Jul 16)
- Re: Linux - Indicators of compromise Michael Stummvoll (Jul 16)
- Re: Linux - Indicators of compromise valdis . kletnieks (Jul 16)
- Re: Linux - Indicators of compromise Gary Baribault (Jul 16)
- Re: Linux - Indicators of compromise Benji (Jul 16)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 17)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 17)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 19)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 18)
- Message not available
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 18)
- Re: Linux - Indicators of compromise Leutnant Steiner (Jul 20)
- Re: Linux - Indicators of compromise Gary Baribault (Jul 16)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 25)