Re: Rootkit

On Mon, 2007-10-22 at 11:48 -1000, Dave Burns wrote:
> On 10/21/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
> > On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
> > >
> > > You can trust the results if you reboot your system from a CD,
> >
> > From my experience, rebooting a hacked system is not a pretty good idea,
> 
> Exactly. So there are three contexts in which you are using the tools:
> 
> 1) Not sure you've been hacked, just suspicious or vigilant.
> 2) Sure you've been hacked, have not yet rebooted, looking for information.
> 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or
> other known-good /.
> 
> In situation 1 and 2, you can't totally trust your tools, unless
> they're giving you bad news. In situation 3 you can trust the tools
> as much as you can trust the "known-good /" where they are located. So
> you're never totally sure you're in the clear.
> 
> I guess the truly paranoid might boot from a CD and do an audit
> periodically, I guess that might make me feel pretty confident. Hard
> to automate it (and may open up new vulnerabilities), no one wants it
> happening during ordinary working hours, and I don't want to be doing
> it by hand outside ordinary hours. Yuck.

I keep a write-protectable USB FLASH disk with necessary utilities on it
such as netstat, ls, ps, rm, chattr, lsattr, find, chkrootkit, etc.  I
plug it in, mount it (typically at /media/DeHack) and do forensics such
as

    # /media/DeHack/bin/netstat -lpn

That way I know I'm using an uncompromised version of the utilities I
need.

With F7 and such, you could boot a live CD of the system and do your
forensics that way, but you won't see the hacked network stuff since the
hacked system won't be booted and the suspect stuff won't be running.
It would be a good way to get uncompromised versions of the programs
onto your forensics media, however.

Best bet: Unplug the suspect machine from your network, plug in your
dehacking tools drive (write protected, of course) and have at it.

> > To evaluate my general system security I use babel
> 
> Is that comparable to nagios, or more security oriented?
> 
> gracias,
> Dave
> 
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-  Memory is the second thing to go, but I can't remember the first! -
----------------------------------------------------------------------
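The procedure Rick describes above (a write-protected toolkit, mounted on the suspect host, whose own netstat/ps/find/lsattr are run instead of the host's), as an added example that is not part of the original post and not a Fedora or chkrootkit tool: a shell script that refuses to run unless the toolkit is actually mounted read-only and its binaries still match a SHA-256 manifest, then runs the collection with only the toolkit on PATH and hashes what it collected. The mount point /media/DeHack comes from the post; the manifest name SHA256SUMS, the evidence directory, the tool list and the function names are assumptions. It also assumes the toolkit binaries are statically linked: a dynamically linked netstat copied onto the stick still loads the suspect host's ld.so and libc, which a user-space rootkit (LD_PRELOAD, patched libc) controls. Nothing run on the suspect kernel defeats a kernel-level rootkit; that is what the live-CD route in the post gives you, at the cost of the running network state Rick wants to see.

```bash
#!/bin/bash
# dehack.sh (added example, not from the original post):
#   dehack.sh /media/DeHack /media/evidence
# Collects volatile state using only binaries from a read-only, hash-verified
# toolkit. The evidence directory must be a second, writable removable disk:
# the toolkit is read-only and the suspect root filesystem is evidence.

# Is the toolkit mounted read-only? Parses a table in /proc/mounts format
# (field 2 = mount point, field 4 = comma-separated options); the second
# argument exists so the parser can be exercised on a constructed table.
# A write-protect switch left off, or a forgotten "-o ro", fails here.
is_readonly_mount() {
    local mountpoint="$1" mounts="${2:-/proc/mounts}"
    awk -v mp="$mountpoint" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$mounts"
}

# Do the toolkit binaries still match the manifest written when the media
# was built? The manifest (assumed name SHA256SUMS) is the output of
# "sha256sum bin/* sbin/*" taken on a known-good machine, e.g. a live CD
# of the same release, as the post suggests. Paths in it are relative to
# the toolkit root.
verify_manifest() {
    local toolkit="$1" manifest="${2:-$1/SHA256SUMS}"
    [ -r "$manifest" ] || { echo "no manifest at $manifest" >&2; return 1; }
    (cd "$toolkit" && sha256sum --check --quiet --strict "$manifest")
}

# Run one command from the toolkit, capturing stdout+stderr to a file.
# "command -v" only searches PATH, which by then is the toolkit alone, so a
# tool missing from the stick is reported rather than silently taken from
# the suspect host's /usr/bin.
run_to() {
    local out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || echo "exit status $? for: $*" >> "$out"
    else
        echo "missing from toolkit: $1" > "$out"
    fi
}

# Volatile first, then the filesystem. Everything used here, including
# mkdir, find and sha256sum, must itself live on the toolkit. LD_PRELOAD
# and LD_LIBRARY_PATH are cleared in case a tool is not fully static.
collect_evidence() {
    local toolkit="$1" outdir="$2"
    unset LD_PRELOAD LD_LIBRARY_PATH
    PATH="$toolkit/bin:$toolkit/sbin"; export PATH
    mkdir -p "$outdir" || return 1
    run_to "$outdir/netstat-lpn.txt" netstat -lpn          # listening sockets with owning PID (needs root)
    run_to "$outdir/netstat-anp.txt" netstat -anp          # established connections too
    run_to "$outdir/ps-auxww.txt"    ps auxww
    run_to "$outdir/lsmod.txt"       lsmod
    run_to "$outdir/suid.txt"        find / -xdev -type f -perm -4000
    # lsattr output: look for the "i" (immutable) flag, a common way to pin a replaced binary
    run_to "$outdir/lsattr.txt"      lsattr -a -R /etc /bin /sbin /usr/bin /usr/sbin /lib /lib64
    run_to "$outdir/chkrootkit.txt"  chkrootkit
    (cd "$outdir" && sha256sum ./*.txt > SHA256SUMS)
}

main() {
    local toolkit="$1" outdir="$2"
    is_readonly_mount "$toolkit" || { echo "$toolkit is not mounted read-only; refusing" >&2; return 2; }
    verify_manifest "$toolkit"   || { echo "toolkit binaries do not match manifest; refusing" >&2; return 3; }
    collect_evidence "$toolkit" "$outdir" && echo "evidence in $outdir (hashes in SHA256SUMS)"
}

# Only act when both paths are given, so the file can be sourced for its functions.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Usage, as root on the unplugged host: `mount -o ro,nosuid,nodev /dev/sdb1 /media/DeHack`, then `bash /media/DeHack/dehack.sh /media/DeHack /media/evidence` where /media/evidence is a separate writable disk. The two checks run before any tool is trusted; the order matters because a read-write toolkit can be rewritten by the same intruder who rewrote /bin/netstat.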

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list