On 15 Apr 2002, Joshua Newman wrote:

> Thanks for all the postings and the advice.
>
> I tarred up /etc /var/log/messages /lib/security/.config /proc/9325
> and /proc/9335 /usr/bin/ssh2d
>
> and the *.old and *.new for find, df, du, ps; where .old is with the
> corrupt rootkit and .new is with the reinstalled (pure) rpm versions.
>
> they total about 4mb and I don't want to inundate gaffle. Is there a
> better way to send it? Is there anything else you would want? the only
> stuff that isn't on there that looks like it showed up from the diff
> was /dev/sdq1-15.
for giggles, even though you replaced a lot of the compromised binaries,
could you make me a tarball of your /proc directory? thanks. mail it
directly to me.

it isn't ideal, as from a forensic standpoint we can't really guarantee
any type of integrity. but we might be able to figure out what they used
to compromise the machine. a lot of times, if it is a script kiddie,
they don't do a very good job of covering up the initial compromise.
they are sloppy.

> Hope this helps.
> btw, it's a 40gb HD.

yeah, it helps. ideally, a sector by sector image of the disk would be
best. if this was a machine in any position to warrant legal action then
you'd be hard pressed to provide any type of valid forensic evidence.

rule of thumb for everyone who gets compromised: it's always best to
image the most volatile system components (memory, process tables,
filesystem, disk -- in that order) before doing anything. do this with
known good tools running from cd-rom. if you don't, it taints the
forensic value of the information. it's equivalent to the cops coming
in to a crime scene and painting the walls before doing anything else.
also, if you ever need to go to court, the cleanest information is best.

-- 
christian void - [EMAIL PROTECTED]
www.morphine.com/void/
gpg key available on request

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
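The "process tables" step of the order-of-volatility rule above, as an added example that is not part of the thread or of any tool the posters used. It snapshots each /proc/<pid> (the same kind of data the /proc tarball requested above contains) into an evidence directory, hashing every captured file and then the manifest itself at collection time, so that the copy can at least be shown to be unchanged since it was taken. It assumes Python 3 on Linux with procfs mounted and root privileges; to honour the "known good tools from cd-rom" point, the interpreter and this script should come from trusted media, since a rootkit that patches libc or the kernel can still lie to it. The `build_fake_proc` helper builds a constructed sample tree (pids and paths chosen to resemble the ones in the thread, not taken from a real system) so the script can be exercised offline; memory and disk imaging are out of scope here.

```python
#!/usr/bin/env python3
"""Process-table stage of an order-of-volatility capture on a live Linux box.

Added example, not from the thread. Assumptions: Python 3 on Linux with procfs
mounted, run as root, ideally with the interpreter and this script coming from
known-good media. Every captured file is hashed at collection time and the
manifest itself is hashed, so later tampering with the copy is detectable.
"""
import hashlib
import json
import os
import sys
import time

# Standard procfs entries per pid. The symlinks matter most: an 'exe' target
# ending in " (deleted)" means the running binary was unlinked/replaced on
# disk, which a clean re-install of the package would otherwise hide.
PROC_FILES = ("cmdline", "status", "maps", "environ")
PROC_LINKS = ("exe", "cwd")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def list_pids(proc_root: str) -> list:
    """Numeric directory names under proc_root, sorted as integers."""
    return sorted((d for d in os.listdir(proc_root) if d.isdigit()), key=int)


def snapshot_pid(proc_root: str, pid: str, out_dir: str) -> dict:
    """Copy one pid's procfs entries into out_dir; return a hashed manifest entry."""
    src = os.path.join(proc_root, pid)
    dst = os.path.join(out_dir, "proc", pid)
    os.makedirs(dst, exist_ok=True)
    entry = {"pid": int(pid), "files": {}, "links": {}}
    for name in PROC_FILES:
        try:
            with open(os.path.join(src, name), "rb") as fh:
                data = fh.read()
        except OSError as exc:  # kernel thread, permission denied, or process gone
            entry["files"][name] = {"error": str(exc)}
            continue
        with open(os.path.join(dst, name), "wb") as fh:
            fh.write(data)
        entry["files"][name] = {"size": len(data), "sha256": sha256_hex(data)}
    for name in PROC_LINKS:
        try:
            entry["links"][name] = os.readlink(os.path.join(src, name))
        except OSError as exc:
            entry["links"][name] = {"error": str(exc)}
    return entry


def snapshot_process_table(proc_root: str = "/proc", out_dir: str = "evidence") -> dict:
    """Snapshot every pid, write manifest.json plus its sha256, return the manifest."""
    manifest = {"collected_at": time.time(), "proc_root": proc_root, "processes": []}
    for pid in list_pids(proc_root):
        manifest["processes"].append(snapshot_pid(proc_root, pid, out_dir))
    blob = json.dumps(manifest, indent=1, sort_keys=True).encode()
    with open(os.path.join(out_dir, "manifest.json"), "wb") as fh:
        fh.write(blob)
    with open(os.path.join(out_dir, "manifest.sha256"), "w") as fh:
        fh.write(sha256_hex(blob) + "  manifest.json\n")
    return manifest


def deleted_binaries(manifest: dict) -> list:
    """Pids whose exe link points at an unlinked file: a running-but-replaced binary."""
    return [p["pid"] for p in manifest["processes"]
            if isinstance(p["links"].get("exe"), str)
            and p["links"]["exe"].endswith(" (deleted)")]


def build_fake_proc(root: str) -> str:
    """CONSTRUCTED sample procfs tree for offline runs; not a real /proc.
    Pid 9325 mimics a daemon whose on-disk binary was replaced after it started."""
    sample = {
        "1": (b"/sbin/init\x00", "/sbin/init"),
        "9325": (b"/usr/bin/ssh2d\x00", "/usr/bin/ssh2d (deleted)"),
        "9335": (b"/usr/bin/ssh2d\x00", "/usr/bin/ssh2d"),
    }
    for pid, (cmdline, exe) in sample.items():
        d = os.path.join(root, pid)
        os.makedirs(d)
        name = cmdline.rstrip(b"\x00").rsplit(b"/", 1)[-1]
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        with open(os.path.join(d, "status"), "wb") as fh:
            fh.write(b"Name:\t" + name + b"\nPid:\t" + pid.encode() + b"\n")
        with open(os.path.join(d, "maps"), "wb") as fh:
            fh.write(b"")
        # no 'environ' on purpose: exercises the unreadable-file path
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink("/", os.path.join(d, "cwd"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be skipped
    return root


if __name__ == "__main__":
    proc_root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    out = sys.argv[2] if len(sys.argv) > 2 else "evidence"
    m = snapshot_process_table(proc_root, out)
    print(f"{len(m['processes'])} pids captured into {out}; "
          f"exe-deleted pids: {deleted_binaries(m)}")
```

Run it as `python3 snapshot.py /proc /mnt/evidence` with the output directory on removable or network storage, never on the compromised disk, so the collection does not overwrite unallocated sectors that the later disk image might recover. Record the printed `manifest.sha256` value somewhere off the box immediately; that hash is what lets you argue later that the copy matches what was collected.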
