Re: [OOT] System forensic

On Tue, Apr 20, 2010 at 11:23, Kousik Maiti <maiti.kousik@xxxxxxxxx> wrote:
> Hi list,
> This may be an irrelevant question.
> I have a system which was successfully attacked by some hackers. I want
> to diagnose it. I tried to google it but didn't get any doc. Is there any
> documentation so that I can check the system?

First of all, don't trust your system anymore. Reboot, pick a live CD
distro, preferably one like Helix or FCCU that is specifically made for
forensic needs, then boot it. This is done to avoid having any active
rootkit or modified shared libs running.

Then check your whole system using programs like rkhunter. It is
also worth checking for viruses using ClamAV or any other antivirus.
If you're using rpm (I think other packaging systems could do it too,
but I am not sure), you can check the validity of the files using rpm
-Va. IIRC, it uses MD5 hashes.

This doesn't guarantee you will find and eventually get rid of all the
rootkits and backdoors the cracker might have implanted into your system.
IMHO, probably the best way to make sure you will start clean is to back
up your data somewhere else and reinstall your system.

NB: You might also want to do live memory forensics, but it is quite hard to do.

-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
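The reply recommends `rpm -Va` from a live CD, but it does not say how to read its output. The script below is an added example and is not part of the original thread: it takes `rpm -Va` verification lines (one per file that fails a check: a 9-character flag field, an optional file attribute such as `c` for config files, then the path) and separates the interesting findings from the noise. A changed digest (`5` in the third flag column) on a file that is not a config file means the packaged binary or library itself was replaced, which is the strongest signal of tampering; a digest change on a config file is usually just local administration. The sample output, the mount point `/mnt/target` and the function names are constructed assumptions for this example. Remember that `rpm -Va` trusts the rpm database on the suspect disk; an attacker with root could have altered it, so a clean result is not proof of a clean system.

```shell
#!/bin/sh
# Triage helper for `rpm -Va` output (added example, not from the original post).
#
# rpm -Va prints one line per file that fails verification:
#   <flags> [c|d|g|l|r] <path>        or        missing   <path>
# Flag columns: S size, M mode, 5 digest, D device, L link, U user,
#               G group, T mtime, P capabilities; '.' passed, '?' untestable.
#
# Assumed usage from a live CD with the suspect root mounted read-only
# at /mnt/target (constructed path):
#   rpm --root /mnt/target -Va 2>/dev/null | rpm_verify_suspects

# Print only lines whose content digest changed (column 3 == '5') and
# which are NOT config files (no 'c' attribute): replaced binaries/libs.
rpm_verify_suspects() {
    awk '
        $1 != "missing" && substr($1, 3, 1) == "5" {
            attr = (NF == 3) ? $2 : ""
            if (attr != "c") print $0
        }
    '
}

# Count packaged files that are gone entirely ("missing" lines); an
# attacker may delete a tool rather than replace it.
rpm_verify_missing() {
    awk '$1 == "missing" { n++ } END { print n + 0 }'
}

# Constructed sample of rpm -Va output used to demonstrate the triage.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /usr/sbin/sshd
.......T.    /usr/lib64/libc.so.6
SM5....T.    /lib64/libpam.so.0'

# Run the triage over the sample so the script does something when
# executed stand-alone. Expected: /bin/ls and /lib64/libpam.so.0 are
# reported as suspects, one file is missing.
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_suspects
printf 'missing packaged files: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_missing)"
```

The config-file exemption is deliberate: `/etc/ssh/sshd_config` with a changed digest is expected on almost every host, whereas `/bin/ls` or a PAM library with a changed digest is not. The mode-only change on `/usr/bin/passwd` and the mtime-only change on libc are left out of the suspect list here, but on a real case they still deserve a look once the digest mismatches are handled.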
