Full Disclosure mailing list archives

Re: Linux - Indicators of compromise


From: Giles Coochey <giles () coochey net>
Date: Mon, 16 Jul 2012 15:35:43 +0100

On 16/07/2012 14:48, Gary Baribault wrote:
I suggest one of the first answers was the good one, intercept the traffic routed to the internet with TCPDump. Filter out the normal traffic and see what's left. All compromised systems talk to the Internet to dump data or route spam. Be patient, some systems talk all the time, some once an hour .. but you will find some unexplained traffic. Once you do find that you're infected, don't bother cleaning up the system, format and restore the data!
Gary Baribault
Email: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

+1, but note you cannot trust tcpdump on the compromised system: even if the md5 matches, the kernel might screen the packets you're looking for. Run tcpdump on a trusted system that has a copy of the traffic from the switchport your suspect system is connected to (e.g. Cisco SPAN or rSPAN). Otherwise, if your router supports a similar feature (or you have a router that supports tcpdump), then you can check there.

Note that the traffic could be encapsulated in another protocol. ICMP echo / reply payloads have been used in the past as covert communication channels, as has IP protocol 41 (IPv6 encapsulation over IPv4) and IP protocol 47 (GRE).

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
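The triage the thread describes (capture on a trusted box, filter out the traffic you can explain, look hard at what is left, including the encapsulation tricks Giles lists) can be sketched offline as a small packet classifier. This is an added example, not code from either poster: it builds a handful of constructed IPv4 frames, drops flows that match a hypothetical site allow-list, and flags IP protocol 41, IP protocol 47, and ICMP echo packets whose payload does not look like Linux ping's 8-byte timestamp plus the 0x10..0x3f fill pattern. The allow-list, the addresses and the ping heuristic are all assumptions for illustration; a real baseline would be built per OS and per site from the capture itself.

```python
"""Offline triage of captured IPv4 frames for the covert-channel patterns named in the post.
Constructed example: no real capture, no real hosts."""
import struct
from ipaddress import ip_address

# Hypothetical allow-list of (dst_ip, ip_proto, dst_port) the analyst has already explained.
NORMAL = {("93.184.216.34", 6, 443), ("93.184.216.34", 6, 80)}

# Fill bytes Linux ping places after the 8-byte timeval in an echo request (0x10 .. 0x3f).
# Assumption: other ping implementations use other patterns; baseline them separately.
PING_PATTERN = bytes(range(0x10, 0x40))


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 header parser: protocol, endpoints and the layer-4 payload."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "payload": pkt[ihl:total_len]}


def classify(p: dict, allow: set) -> list:
    """Return the reasons a parsed packet deserves a second look (empty list if none)."""
    findings = []
    proto, payload = p["proto"], p["payload"]
    if proto == 41:
        findings.append("ipv6-in-ipv4 (proto 41) tunnel")
    elif proto == 47:
        findings.append("gre (proto 47) tunnel")
    elif proto == 1 and len(payload) >= 8:
        icmp_type, body = payload[0], payload[8:]          # skip the 8-byte ICMP header
        if icmp_type in (0, 8):                             # echo reply / echo request
            data = body[8:]                                 # skip ping's timeval
            # Anything longer than a default ping, or not a prefix of the fill pattern, is odd.
            if len(body) > 56 or not PING_PATTERN.startswith(data):
                findings.append("icmp echo payload deviates from ping pattern")
    elif proto in (6, 17) and len(payload) >= 4:
        _sport, dport = struct.unpack("!HH", payload[:4])
        if (p["dst"], proto, dport) not in allow:
            name = "tcp" if proto == 6 else "udp"
            findings.append(f"unexplained {name} flow to {p['dst']}:{dport}")
    return findings


def triage(frames, allow=NORMAL):
    """Return [(index, src, dst, findings)] for frames that survive the allow-list filter."""
    out = []
    for i, frame in enumerate(frames):
        p = parse_ipv4(frame)
        found = classify(p, allow)
        if found:
            out.append((i, p["src"], p["dst"], found))
    return out


# --- constructed sample capture -------------------------------------------------------
def build_ipv4(proto, src, dst, payload):
    """Build a raw IPv4 frame; header checksum left zero because the parser ignores it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def icmp_echo(data, icmp_type=8):
    """ICMP echo header (checksum zero) followed by the given payload."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data


HOST, WEB = "10.0.0.5", "93.184.216.34"
SAMPLE = [
    build_ipv4(6, HOST, WEB, struct.pack("!HH", 51000, 443) + b"\x00" * 16),   # explained https
    build_ipv4(1, HOST, WEB, icmp_echo(b"\x00" * 8 + PING_PATTERN)),           # ordinary ping
    build_ipv4(1, HOST, WEB, icmp_echo(b"\x00" * 8 + b"constructed-data-" * 8)),  # data in echo
    build_ipv4(41, HOST, WEB, b"\x60" + b"\x00" * 39),                          # ipv6-in-ipv4
    build_ipv4(47, HOST, WEB, b"\x00\x00\x08\x00" + b"\x45" + b"\x00" * 19),    # gre
    build_ipv4(6, HOST, "198.51.100.7", struct.pack("!HH", 51001, 6667)),       # not on allow-list
]

if __name__ == "__main__":
    for idx, src, dst, why in triage(SAMPLE):
        print(f"frame {idx}: {src} -> {dst}: {'; '.join(why)}")
```

The point of the structure is the order of operations Gary describes: known-good flows are removed first, so the analyst's attention goes only to what survives. Run it against a real capture by replacing SAMPLE with frames read from a pcap taken on the trusted monitoring host, never on the suspect machine.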
