Forensic Analysis of a Live Linux System, Part Two
Grok Headline matches for Forensic Analysis of a Live Linux System, Part Two
Forensic analysis
03/14/2005 06:21 PM
Well, most of the stuff is up and running (apart from all mailing lists). The Finnish blog awards are now back up and running, and even my normal email works now!
Here's a quick rundown on what happened:
- On Saturday, at about 23:25 person A using a machine from Brazil
executed a series of commands using an awstats vulnerability (yes, we had
it patched to the latest stable; no, apparently it was not enough).
- He was quiet for about 20 minutes, but at about 23:35 two other
attackers B and C (or the same) from Italy and UK almost
simultaneously launched a similar attack on the server.
- Person B was able to run "adduser" at 23:45 and add
himself an account, logging in and promptly downloading a rootkit which
allowed him to have root privileges
- Person B then attempted to deface the site, but failed (thanks to
the pretty hairy configuration we have over here)
- Person A returned at this point, and tried to execute a new
attack, suggesting that he was not able to gain access before
- Person B ran "rm -rf /" on the server, starting to
delete everything at about 23:55, presumably to cover his traces. Our
logs end at 0:06, when the final daemons failed.
- I received first warning at 0:15. Luckily memory-resident
processes kept running for some time, so I was able to inspect the
situation and the machine was physically disconnected at about 1 am.
Sunday was mostly used to reinstall a completely new system and do
a forensics analysis on the deleted partitions. Sleuthkit turned out to be invaluable
in reconstructing the deleted local log files (so yes, we have the
exact times, methods, and IP addresses). Yes, it works on ext3 as
well.
I have backed up most of the necessary stuff daily, so there is
little that was lost permanently. Unfortunately I had not stored all
the necessary config files, which is why system recovery took longer
than expected. Also, due to an oversight none of the mailing lists
were backed up, so once we have them established again, y'all have to
resubscribe. Very sorry about that :-/
WiebeTech announces two forensic data analysis products
12/16/2003 10:09 AM
On Monday, storage solutions company
WiebeTech announced the arrival of
two new products designed to assist with forensic data analyses. The
first one, Forensic ComboDock, is a write-blocked FireWire 800/400 and
USB2 bridge for 3.5" IDE drives. It allows investigators to read data
from a drive without writing any data to it. An optional adapter board
is available for use with serial ATA drives.
FCCU GNU/Linux Forensic Bootable CD 7.2 (Default branch)
03/19/2005 03:22 AM
FCCU GNU/Linux Forensic Bootable CD is a
bootable CD based on KNOPPIX that contains
a lot of tools suitable for computer forensic
investigations, including bash scripts. Its main
purpose is to create images of devices prior to
analysis, and it is used by the Belgian Federal
Computer Crime Unit.
Changes:
The brand new SleuthKit 2.0 was added. There is support for
LVM and hfsplus. Tools added include lshw, scsitools, glark,
mdbtools, gpsd, and more.
FCCU GNU/Linux Forensic Bootable CD 8.0 (Default branch)
04/12/2005 05:18 PM
FCCU GNU/Linux Forensic Bootable CD is a
bootable CD based on KNOPPIX that contains
a lot of tools suitable for computer forensic
investigations, including bash scripts. Its main
purpose is to create images of devices prior to
analysis, and it is used by the Belgian Federal
Computer Crime Unit.
Changes:
This release is based on Knoppix 3.8.1. It includes the Sleuthkit
2.01. dcfldd is included. A lot of packages were added.
Querying SQL Server 2000 system tables directly. Part 2: master..sysprocesses system table
07/21/2004 05:59 PM
Querying SQL Server 2000 system tables directly. Part 3: master..sysdatabases system table
07/26/2004 05:59 PM
Analysis: Doctors a Part of Iraq Abuse (AP)
08/19/2004 07:19 PM
AP - Doctors working for the U.S. military in Iraq collaborated with
interrogators in the abuse of detainees at Baghdad's Abu Ghraib
prison, profoundly breaching medical ethics and human rights, a
bioethicist charges in The Lancet medical journal.
Market Analysis System 1.6.6t3
07/31/2004 03:55 AM
market data analysis software
Market Analysis System
12/05/2003 05:37 AM
Compiling MAS on Solaris and FreeBSD
Market Analysis System 1.6.6q
02/19/2004 08:00 AM
market data analysis software
Text Analysis Markup System
12/04/2003 10:45 PM
TAMS Analyzer 2.38b1 released
NEC to develop network security analysis system
03/23/2005 03:22 PM
TechWorld Mar 23 2005 6:01PM GMT
NEC developing network security analysis system
03/23/2005 09:32 AM
NEC is developing a network security system that will automatically
monitor and analyze the configuration of security tools deployed in a
network and suggest changes to fix vulnerabilities and any
redundancies that exist between them, the company announced Tuesday.
Metrohm introduces capsule analysis system
04/15/2005 04:39 AM
LabTechnologist.com Apr 15 2005 8:23AM GMT
Live from Etech: Digital Democracy Part II
02/10/2004 02:46 AM
Two more Digital Democracy Teach-In events come and go. The guys
from meetup.com put together a
couple of presentations including some useful statistics and a few
nice punchlines, but I'm not sure I learned anything particularly new
during it. Certainly I didn't feel my head trying to articulate itself
into any strange new shapes. And next up the political weblogging
panel, which I've decided to abandon almost on principle - not
because it's about weblogs, but because political weblogging as an end
unto itself seems to me not to have matured past tabloid tactics of
name-calling, mischaracterisation and "Am I right? Am I
right?"-style calls to the converted. My general impression of
this part of the event is that it's more aimed at explaining current
fairly-mainstream technologies and approaches to politicos rather than
looking at the emergent technologies that might interest the geekier
audiences (and me).
Linux in Government: Linux Desktop Reviews, Part IV - Linspire
04/11/2005 05:31 AM
Furthering the process of introducing and innovating Linux.
Linux in Government: Linux Desktop Reviews, Part 6 - Ubuntu
04/19/2005 06:01 AM
In less than a year, this free Linux distribution has become the most
popular.
Digital pen and paper system speeds up customer research analysis
04/18/2005 03:59 AM
Computer Weekly Apr 18 2005 8:12AM GMT
qpopper timing analysis on to determine if a username exists on a system
03/15/2003 06:22 PM
Dennis Lubert (Mar 15 2003)
Linux in Government: Linux Desktop Reviews, Part III
03/28/2005 08:20 AM
Red Hat Linux Desktop is in a class of its own.
Linux in Government: Linux Desktop Reviews, Part IV - JDS
04/04/2005 04:30 PM
Trying to get a feel for Sun's Linux Java Desktop System.
Linux in Government: Linux Desktop Reviews, Part II
03/22/2005 04:22 PM
Focusing on the best desktop candidates for deployment in enterprises;
taking a look at Novell Linux Desktop 9.
Linux in Government: Linux Desktop Reviews, Part I
03/14/2005 05:25 PM
A new series focusing on the best desktop candidates for deployment
in enterprises starts with a look at Xandros Business Edition.
Symantec DeepSight Threat Management System Analysis: Client-side Exploitation
06/25/2004 05:26 PM
David Ahmad (Jun 25 2004)
Analysis: Linux looks for new worlds to conquer
01/22/2004 04:50 AM
Online planning system goes live
07/28/2004 11:26 AM
A new online system will allow people to seek permission to alter
their homes and object to other plans.
Querying SQL Server 2000 system tables directly. Part 1: master..sysaltfiles and master..sysconfigures system tables
07/20/2004 05:58 PM
ServerShots - Alternative Game Status System Goes Live
06/25/2004 02:08 AM
ServerShots is an alternative game server status tool that allows you
to detect a server's status, settings, and number of players. The
tracker supports some of the industry's hottest games, from Battlefield
1942 & Vietnam, to Halo: Combat Evolved, the Unreal series, Quake,
Halflife (the extensive list goes on!) and provides quick, simple,
easy access to information about your server. [PRWEB Jun 25, 2004]
Linux Live 4.1.2
05/26/2004 02:41 AM
A set of scripts for creating a live Linux distribution.
Linux Live 3.0.24
01/02/2004 05:55 AM
A set of scripts for creating a live Linux distribution.
Live Linux CDs
02/19/2004 01:33 AM
Live CD distributions .. List of Linux live CDs
frozentech.com/content/livecd.php
Linux Live 4.2.0
07/23/2004 09:45 AM
A set of scripts for creating a live Linux distribution.
Linux Live 4.1.4
07/08/2004 02:03 AM
A set of scripts for creating a live Linux distribution.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis
08/19/2004 08:15 AM
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis .. 20 minutes .. graph
isc.sans.org/survivalhistory.php
Linux in Government: Linux System Administrators
03/14/2005 05:25 PM
If you're looking to hire a Linux sysadmin, you might need to rethink
your hiring guidelines and practices.
Defeating Honeypots: System Issues, Part 2
04/11/2005 03:30 AM
Phase-Change Cooling System, Part II
03/30/2005 05:27 PM
Computer Power User Mar 30 2005 9:57PM GMT
SLAX Linux Live CD 4.1.4
08/30/2004 06:26 AM
List of Linux Live CDs
07/08/2004 05:30 PM