Security Incidents mailing list archives
Re: Linux box 'infected' with RK15
From: Neal Dias <ndias () sunglasshut com>
Date: Fri, 23 Mar 2001 10:57:04 -0800
Since your goal is investigation, I would concur with Toby and HIGHLY recommend Dave Dittrich's document at the URL Toby provided (http://staff.washington.edu/dittrich/misc/forensics). Dave's pages give a wealth of information regarding forensics and investigation.

I would also recommend perusing the results of the Honeynet Project Forensic Challenge. Not only is it interesting reading, but it provides some insight into the specific steps taken, and tools used, in a forensic analysis: http://project.honeynet.org/challenge/results/

Neal Dias
UNIX Systems Administrator, Sunglass Hut International, MIS Dept.
office: (305) 648-6479 wk. email: NDias () sunglasshut com
mobile: (786) 368-5742 pvt. email: emperor () netlsd com

Whoever fights monsters should see to it that in the process he does not become a monster. And when you look into an abyss, the abyss also looks into you. -Nietzsche

Any opinions expressed above or below are entirely my own and may not reflect those of my employers. The information contained in this e-mail message is confidential, intended only for the receipt and use of the individual(s) or entity(s) named above. If the reader of this email message is not the intended recipient, or the employee or agent responsible for its delivery to the intended and or addressed recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited except at the express consent of its author.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]
Sent: Thursday, March 22, 2001 12:05 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Linux box 'infected' with RK15

Hi again,

I perhaps should have made this clear earlier: I am not wanting to get this box back into production. It has been replaced (properly) by myself. The machine with the RK15 rootkit has been assigned to me for investigation.

Thanks,
--
Sean Kelly <lists () shortestpath org>
Current thread:
- Linux box 'infected' with RK15 Sean Kelly (Mar 21)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)
- Re: Linux box 'infected' with RK15 Thomas Roessler (Mar 23)
- Re: Linux box 'infected' with RK15 Jim Roland (Mar 22)
- <Possible follow-ups>
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 21)
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 22)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 23)
- Re: Linux box 'infected' with RK15 Neal Dias (Mar 23)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)