Quote: Originally Posted by ntxploits
> Turn off all official root processes and all user processes.
> Anything left over may be from the hacker.
Besides the fact that I like what you're doing (reading, which means preparing, which is a Good Thing), a few remarks if I may:
- Finding leftovers will only work if the processes were not hidden by a rootkit. If that is the case you may find evidence by using additional tools, but that depends on what rootkit is used. Sometimes it may be as simple as touching a file or sniffing network traffic (kiddies love IRC).
- One should not trust only the process's argv[0] to determine the functionality of a process. Stupid example: a cursory glance at the process list shows a process "/usr/bin/httpd 1m" (which was set up as '/bin/doexec /bin/sleep /usr/bin/httpd 1m'), while using 'readlink -f /proc/$PID/exe' or 'lsof -w -n -p $PID' reveals it's not a HTTP daemon but /bin/sleep.
- Finding *no* leftovers is no "evidence" the process list is clean. If there is any unexplainable behaviour out of the ordinary, any gut feeling, any doubt at all, *do act on it* and don't shrug it off.
Next to that, use a checklist and don't skip steps without good reason. A checklist helps you go through the necessary steps in an orderly fashion and makes sure you don't miss checking things. At this forum we promote the Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html. Other links of interest you may find in the (slightly aging) LQ FAQ: Security references:
http://www.linuxquestions.org/questi...threadid=45261.
Good luck.
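The argv[0]-versus-/proc/$PID/exe check from the remarks above, written out as a small POSIX shell script. This is an added example, not code from the thread or from any of its posters; it assumes a Linux box with /proc mounted and a readlink that supports -f, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original thread): cross-check what each process
# claims to be (argv[0], which is what ps shows) against the binary it is
# actually executing (/proc/PID/exe), the check the post does by hand with
# readlink/lsof. Assumes Linux with /proc and a readlink supporting -f.

# argv0_of PID: first NUL-separated field of /proc/PID/cmdline ("" if unreadable
# or a kernel thread, which has an empty cmdline)
argv0_of() {
    tr '\000' '\n' < "/proc/$1/cmdline" 2>/dev/null | head -n 1
}

# exe_of PID: fully resolved path of the executable image ("" if unreadable)
exe_of() {
    readlink -f "/proc/$1/exe" 2>/dev/null
}

# names_disagree ARGV0 EXE: true when the basenames of the two paths differ,
# e.g. /usr/bin/httpd vs /bin/sleep in the post's doexec example
names_disagree() {
    [ "$(basename "$1")" != "$(basename "$2")" ]
}

# exe_mismatch PID: prints "PID<TAB>argv0<TAB>exe" and returns 0 when the
# process advertises one name but executes another; returns 1 otherwise,
# including for processes whose /proc entries we are not allowed to read.
exe_mismatch() {
    pid=$1
    argv0=$(argv0_of "$pid")
    exe=$(exe_of "$pid")
    [ -n "$argv0" ] && [ -n "$exe" ] || return 1
    if names_disagree "$argv0" "$exe"; then
        printf '%s\t%s\t%s\n' "$pid" "$argv0" "$exe"
        return 0
    fi
    return 1
}

# scan_all: walk /proc and report every mismatch it can see; always returns 0.
# Processes a rootkit hides from /proc will not show up here at all, which is
# exactly why an empty report is not proof of a clean box.
scan_all() {
    for d in /proc/[0-9]*; do
        exe_mismatch "${d#/proc/}"
    done
    return 0
}

case "${1:-}" in
    scan) scan_all ;;
esac
```

Run it as `sh procheck.sh scan` (ideally as root, otherwise other users' /proc/PID/exe links are unreadable and silently skipped) and follow up on each line with `lsof -w -n -p PID` as the post suggests. A mismatch is a lead, not a verdict: interpreters (`python` running as `python3.x`), `/bin/sh` pointing at dash or bash, and multi-call binaries like busybox all show up as honest mismatches, so expect to whitelist a few before the output becomes useful.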
Quote: Originally Posted by Bruce Hill
> If that doesn't do what you want, Google for "chkrootkit" and go with it.
* One problem is disturbing the crime scene. If there's any suspicion of malicious activity you shouldn't, without reasoning, introduce things that could wipe evidence. Your options are: installing auditing tools right after a clean O.S. install, running tools from CDROM, or if that is impossible, accepting the trade-off and installing post-incident. In the latter case at least build the toolkit on another box, see if you can run them from /dev/shm, and if that won't work (no benefit since already too much swapping, need of a "real" fs) install on disk.