RE: [MLUG] how did they break in?
Ghost for Windows => dd for UNIX/Linux. dd makes a bit-by-bit copy of a
drive for later analysis. With TCT (The Coroner's Toolkit) you're
probably not going to get much on an immediate basis. If you take some
time to play with it though, you may. Overall, it could be a very
valuable experience to learn.

The reason I asked about tripwire or RPMs is that they can tell you if a
file has been modified. RPMs use the -V verify option to compare it to
an MD5 hash database.

dd, TCT, netstat, lsof, nmap, nessus, chkrootkit are all the tools of
the trade when it comes to forensics. Actually, check out chkrootkit -
it correctly identifies many of the more common ones. A link shouldn't
be that hard to come by - I know it's on www.sans.org somewhere. 

Hope this helps!

-- Brent
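Brent's dd-then-verify advice as an added shell example (not code from the thread): image_drive copies a source device or file bit for bit and returns the image's MD5 so the copy can be checked later, and md5_mismatches filters rpm -V output down to the files whose MD5 column differs. The rpm -V lines in SAMPLE_VERIFY are constructed.

```shell
#!/bin/sh
# Added example, not part of the MLUG thread. Assumes coreutils dd/md5sum and
# awk; rpm -V output is fed in as text so the filter can be checked offline.

# Bit-for-bit copy of a source device or file into an image file.
# conv=noerror keeps reading past bad sectors, conv=sync pads any short read
# to the block size so later offsets still line up with the original.
# Prints the MD5 of the finished image so the copy can be verified later.
image_drive() {
    src=$1
    img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    md5sum "$img" | awk '{ print $1 }'
}

# Filter rpm -V / rpm -Va output to the paths whose MD5 differs from the
# package database. The first column is the verify string (S M 5 D L U G T);
# its third character is '5' when the digest no longer matches. "missing"
# lines carry no verify string and are skipped.
md5_mismatches() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" { print $NF }'
}

# Constructed sample of rpm -V output (not taken from a real host).
SAMPLE_VERIFY='S.5....T    /bin/ls
.......T  c /etc/hosts
missing     /sbin/ifconfig
SM5....T  c /etc/passwd'

# Usage: printf "%s\n" "$SAMPLE_VERIFY" | md5_mismatches
```

On a real box run image_drive against the raw device with the image written to separate media, and keep in mind that rpm -V is only as trustworthy as the rpm binary and database on the compromised host, which a rootkit can also have replaced.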

-----Original Message-----
From: Mike Miller
Sent: Tuesday, May 08, 2001 3:20 PM
To: MLUG membership
Subject: RE: [MLUG] how did they break in?


On Tue, 8 May 2001, Deterding, Brent D wrote:

> How about unplugging it from the network

I can do that.


> dd'ing a copy of the drive,

what does that mean?


> and analyzing that with the "The Coroner's Toolkit"?

Interesting.  Found it on the web.  Hadn't heard of it before.


> A tripwire DB?

Don't have it yet.


> Installed from RPM's?

Mostly no.


> This will give you the best chance of actually learning anything
> instead of just fixing it. Make sure they don't get in again . . .

Thanks.

Mike

--
To manage your subscription, go to
http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/