Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
It'll work for ASCII text, but I've never done it for an entire disk. Yep, it'll be slow, but everything has a cost.
Be aware that it won't find anything that has been obfuscated - docx or pdf for example.
A replication agent sends files to a replication server whenever a file is created or modified. That data then traverses an IPS before it goes into a VPN to its destination.
The IPS is alerting on a specific signature and we see specific text in the payload. We are now trying to hunt down where that text is located. To keep this short, we know it's on two of many esxi hosts. These two hosts have about a dozen or so live vmdk's. Not all are linux boxes. McAfee took the text and made a dat for it, we ran McAfee w/o exceptions and it found nothing (we did test the dat successfully). We know the data is there somewhere, but need a better way of searching for it.
Using dd seemed to be the best/fastest was to get every disk block scrubbed looking for the match. This would at least tell us which vmdk is the one that holds the text. Once we know what vmdk it is we can then go fishing in deeper waters, etc.
I don't know about this sort of stuff at all, but does the replication agent not know, perhaps in the packets it receives or in its log, which host and vmdk the data came from?
I don't know about this sort of stuff at all, but does the replication agent not know, perhaps in the packets it receives or in its log, which host and vmdk the data came from?
Nope, the agent has no idea what the data is in a file, it simply sends it to one of many replication servers locally. There's a 1:1 mapping between replication server and esxi host. The IPS events show only two replication servers as the source IP of the traffic, so with this 1:1 mapping we know it's coming from two esxi hosts, and each host has multiple OS's running, etc.
But is using strings any better/faster than using hexdump -C ? I am not after the actual location on disk, but rather just wanting to know what disk on what vmdk has the text.
since the "slow" part is dd probably hexdump will not be faster/slower than strings. But strings is much safer. grep does not really like binary input.
since the "slow" part is dd probably hexdump will not be faster/slower than strings. But strings is much safer. grep does not really like binary input.
hexdump -C is hex + ascii
How does strings see printable ascii when output of dd is the input to strings?
Last edited by Linux_Kidd; 03-10-2019 at 02:34 PM.
Yeah, that's what strings is for, looking for a string. The example above would also show 10 lines before and after the string, the string having a minimum of 8 characters, strings defaults to 4 characters, helps lower false positives.
EDIT: I thought, just in case you would want a copy of the file, I gave you the resources to dig it out with the link I provided earlier. Since you couldn't find the string with other tools could suggest it's not in allocated space where the file system would know where it is.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.