P.S. To keep this on-topic and less of a rant, Linux Slapper is actually a really good classroom exercise for Linux forensics. It compromises an exposed service, downloads source code, compiles it, runs it, and deletes it. This leaves the worm running in memory, but you can't see it on disk, and if the system uses an EXT3 file system, you can't easily find the i-nodes that held the source code (they get zeroed out). You can, however, use some facts about when the worm activity was detected to get a narrow time frame, then use the disk locality affinity of allocation of i-nodes to narrow down the range of where on disk those i-nodes *might* have been held. It is then a simple task of carving out the C source code and Makefile and voila! You can reconstruct the worm!
--
Dave Dittrich
[email protected]
http://staff.washington.edu/dittrich
PGP key: http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint: 097B 4DCB BF16 E1D8 A06C 7512 A751 C80A D15E E079

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
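The last step of the exercise above, carving C source and a Makefile out of a narrowed block range of the disk image, as an added example that is not part of Dave's post. It assumes a raw image already read into memory, a block size and block range chosen from the time-frame and i-node-locality reasoning described above, and uses a small constructed image (zeroed blocks with a Makefile and a two-block C file planted in them) in place of a real ext3 volume.

```python
import re

BLOCK_SIZE = 1024  # constructed demo value; use the ext3 volume's real block size

# Signatures that flag a block as likely holding a Makefile or C source.
MAKE_SIG = re.compile(rb"^(CC|CFLAGS|LDFLAGS|all|clean)\s*[:=]", re.M)
C_SIG = re.compile(rb"^\s*#include\s*[<\"]|\bint\s+main\s*\(", re.M)

def is_text(data: bytes) -> bool:
    """True when a block looks like source text rather than binary or zeroed space."""
    body = data.rstrip(b"\x00")
    if not body:
        return False
    printable = sum(32 <= b < 127 or b in b"\t\r\n" for b in body)
    return printable / len(body) > 0.95

def classify_block(data: bytes):
    if MAKE_SIG.search(data):
        return "makefile"
    if C_SIG.search(data):
        return "c"
    return None

def carve(image: bytes, first_block: int, last_block: int, block_size: int = BLOCK_SIZE):
    """Walk blocks first..last inclusive; return (kind, start_block, bytes) runs.
    A signature block opens a run; text-like blocks after it extend the run until
    a zeroed or binary block ends it, so a file spanning several blocks is rejoined."""
    runs, current = [], None
    for blk in range(first_block, last_block + 1):
        data = image[blk * block_size:(blk + 1) * block_size]
        if not data:
            break
        kind = classify_block(data)
        if kind is None and current is not None and is_text(data):
            kind = current[0]  # continuation of the open run
        if kind is None:
            if current:
                runs.append(current)
            current = None
            continue
        if current is None or current[0] != kind:
            if current:
                runs.append(current)
            current = (kind, blk, b"")
        current = (current[0], current[1], current[2] + data.rstrip(b"\x00"))
    if current:
        runs.append(current)
    return runs

def build_demo_image() -> bytes:
    """Constructed stand-in for the image: 16 zeroed blocks, Makefile at block 5,
    C file spanning blocks 9-10 (a harmless stand-in, not the worm's source)."""
    makefile = b"CC=gcc\nall: demo\n\t$(CC) -o demo demo.c\nclean:\n\trm -f demo\n"
    csrc = (b"#include <stdio.h>\n/* " + b"-" * 1200 + b" */\n"
            b"int main(void) { puts(\"demo\"); return 0; }\n")
    blocks = [bytearray(BLOCK_SIZE) for _ in range(16)]
    blocks[5][:len(makefile)] = makefile
    blocks[9][:] = csrc[:BLOCK_SIZE]
    blocks[10][:len(csrc) - BLOCK_SIZE] = csrc[BLOCK_SIZE:]
    return b"".join(blocks)
```

On a real image, replace `build_demo_image()` with the bytes of the device and pass the block range derived from the suspect i-node numbers; each returned run can then be written out and diffed against the known worm source.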
