HELIX is my new favorite forensic distro, partially as it includes LinEn (Linux Encase) for acquisition of target systems, but mostly as it has all the tools I need, detects all hardware and systems I've tried, and especially as it is designed to be forensically sound and will not touch the target file system at all. Some distros will detect swap space and mount it, which is a big issue, or automount all discovered partitions; neither one is forensically sound.

http://www.e-fense.com/helix/

--j

G. Scott Walters wrote:
> You also might try booting the system (off the network) with a distro
> like P.H.L.A.K. or FIRE. I know there are a couple other forensic boot
> distros, but those are the two I've used most. Any other good
> forensic distros out there?
>
> On 3/22/06, *Dave Carlson* <thecubic at thecubic.net
> <mailto:thecubic at thecubic.net>> wrote:
>
> On Wednesday 22 March 2006 09:55, Loren H. Burlingame wrote:
> > I recently noticed that a system I am responsible for was sending out
> > a bunch of spam messages. I logged into it and sure enough it was a
> > cracked user account which was responsible.
>
> Unplug the network cable, reboot with a utility CD, make a backup image (with
> dd/tar/whatever) onto another media, and reload from system disks.
>
> > I immediately locked down SSHD to certain users with strong passwords
> > (should have done this before, I know), killed the offending processes
> > and looked for replaced executables.
>
> If they've gotten root (which they may have), going through ssh is a burden.
> They may have installed a rootkit and can still get what they want.
>
> > Fortunately, the "hacker" (more like script kiddie) was not able to
> > get access to root by the look of it. Also they managed to not delete
> > their .bash_history file.
>
> Never trust log files when a compromise has happened, unless they're remotely
> captured onto a secured host. Even then they can be trusted only up to the
> compromise.
>
> Dave Carlson
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org <mailto:tclug-list at mn-linux.org>
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
> --
> G. Scott Walters
> http://www.apt518.net
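The "make a backup image with dd onto another media" step from Dave Carlson's reply, together with the forensic-soundness point in the top post (do not let the acquisition host mount or touch the target filesystem), as an added example that is not from any poster in this thread. It images a source device or file with dd, refuses if the running system has the source mounted, and records SHA-256 hashes of source and image so the copy can be verified later. The function names, the log format and the sample "disk" file are all constructed for this example; the real device path on the case system is whatever `/dev/sdX` you are acquiring.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes dd plus sha256sum (or
# shasum) are on the boot media and that the destination is separate media.
set -u

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOGFILE
# Bit-for-bit copy of SOURCE to IMAGE; hashes both and appends them to LOGFILE.
# Returns 0 when the image hash matches the source hash, 1 otherwise.
acquire_image() {
    src=$1; img=$2; log=$3

    # A mounted filesystem can change underneath dd, so the copy would not be
    # sound. /proc/mounts is Linux-only; -s keeps grep quiet if it is absent.
    if grep -qs "^$src " /proc/mounts; then
        echo "refusing: $src is mounted on this system" >&2
        return 1
    fi

    # bs=512 (sector size) so conv=sync never pads a real block device;
    # noerror keeps reading past bad sectors instead of stopping early.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1

    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s %s\n%s image=%s %s\n' \
        "$stamp" "$src" "$src_hash" "$stamp" "$img" "$img_hash" >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOGFILE
# Re-hash a stored image and compare with the hash recorded at acquisition.
verify_image() {
    img=$1; log=$2
    recorded=$(grep " image=$img " "$log" | tail -n 1 | awk '{print $3}')
    [ -n "$recorded" ] && [ "$(hash_file "$img")" = "$recorded" ]
}

# Constructed sample "disk": a 1 MiB random file standing in for /dev/sdX.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}
```

Usage on a case system would be `acquire_image /dev/sdX /mnt/evidence/sdX.dd /mnt/evidence/acq.log` from the boot CD, with the evidence media being the only thing mounted read-write; `verify_image` re-checks the stored image against the log before any analysis, and fails if a single byte of the image has changed.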