Re: [LUG] Compromised :-(
Mark,
If you can keep a copy of the binary, it's quite often worth doing some
forensics on it - check it out with file, ldd, et al and pass it
through 'strings' to see if there's any info, logs etc. Failing that,
try telnet/nc to the port that it's listening on - usual caveats apply
about disconnecting from outside world, etc.
Also, use 'find' to find any files mode 777 or any spurious SUID
executables. There's also a piece of software called 'The Coroner's
Toolkit' by Wietse Venema and Dan Farmer (of SATAN fame).
http://www.porcupine.org/forensics/tct.html It may help in finding any
other files that were modified pre/post attack.
If you like, you can send me a copy of the binary and logs and I'll see
what I can come up with.
Jon.
--
Jon Still E-mail: jon@xxxxxxxxxxx
tertial.org Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc Key ID: 0x00493D2B
--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
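A read-only triage pass along the lines Jon describes, written here as an added example (it is not code from the original post or from The Coroner's Toolkit). It assumes POSIX sh plus the usual `find`, `file`, `strings` and `readelf` tools, and it substitutes `readelf -d` for `ldd`: `ldd` may run the program to discover its libraries, which is exactly what you do not want with a binary an intruder left behind, whereas `readelf` only parses the ELF headers. The fixture directory and its three files are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original list post.
# Static look at one suspicious binary and a permission sweep of a tree.
# Nothing here executes the sample.

# Inspect one binary without running it: file type, dynamic dependencies
# (readelf instead of ldd, because ldd may execute the target) and a
# filtered set of printable strings (paths, URLs, IPs, log/password hints).
triage_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 1; }
    echo "== file type"
    command -v file >/dev/null 2>&1 && file "$bin"
    echo "== dynamic dependencies (readelf -d, no execution)"
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$bin" 2>/dev/null | grep NEEDED || echo "(none, or not an ELF object)"
    fi
    echo "== interesting strings"
    if command -v strings >/dev/null 2>&1; then
        strings -n 6 "$bin" \
          | grep -Ei '^(/|https?://|[0-9]{1,3}(\.[0-9]{1,3}){3})|log|passw|bind|listen' \
          | sort -u | head -n 40
    fi
    return 0
}

# World-writable regular files under a tree (the "mode 777" check).
# One path per line; callers count or review the output.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Set-UID or set-GID regular files under a tree (spurious SUID executables).
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Portable line counter for the two finders above.
count_lines() {
    wc -l | tr -d ' '
}

# Constructed fixture (hypothetical files, not from any real incident):
# one normal file, one world-writable file, one set-UID script.
make_fixture() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/plain";   chmod 644 "$d/plain"
    printf 'anyone\n' > "$d/dropbox"; chmod 666 "$d/dropbox"
    printf '#!/bin/sh\nexit 0\n' > "$d/suidish"; chmod 4755 "$d/suidish"
    echo "$d"
}

# Stand-alone run: build the fixture, sweep it, inspect the odd file.
if [ "${0##*/}" != "sh" ] && [ -z "${TRIAGE_NO_MAIN:-}" ]; then
    fixture=$(make_fixture)
    echo "world-writable:"; find_world_writable "$fixture"
    echo "set-id:";         find_setid "$fixture"
    triage_binary "$fixture/suidish"
    rm -rf "$fixture"
fi
```

Run it against a real tree with `find_world_writable /` and `find_setid /` from a shell that has sourced the file; the stand-alone block at the bottom only exercises the constructed fixture. Compare the set-id list with a known-good package manifest rather than eyeballing it, and keep the copy of the binary you examine on read-only media so the evidence is not altered.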