Mailinglist Archive: opensuse-security (636 mails)

RE: [suse-security] Incident
  • From: omicron@xxxxxxxxxxxxxxxxxx
  • Date: Fri, 9 Feb 2001 07:59:56 +0530 (IST)
  • Message-id: <Pine.LNX.4.21.0102090754440.6653-100000@xxxxxxxxxxxxxxxxxx>

Hi,
There is a package called TCT (The Coroner's Toolkit), by Dan Farmer and
Wietse Venema (the writers of TCP Wrappers). It specializes in forensics of
computer security. You can look for it at
http://www.porcupine.org/forensics

The docs say:
<quote>
...we feel that it's high time
that more people knew about (and how to effectively utilize) MAC times,
the possibilities of exploring - and recovering - Unix files that were
removed or destroyed, capturing processes and their associated information
and a fair bit more besides. If nothing else, we hope that when a Unix system
has been broken into that the owner of the computer would have a chance
of capturing (if not understanding) much of the crucial forensics data
that is needed in order to understand what has happened on that system.

</quote>


On Thu, 8 Feb 2001, Markus Gaugusch wrote:

> > DON'T!! re-install until you have tried every avenue to try and find out
> > how he got in, or you might end up spending days configuring your machine
> > again, in exactly the same way and have him walk right back in after that.
> I said "put it off the net, backup, reinstall". I forgot to say, that
> the backup should be used to reconstruct the incident. He also said,
> that he was running a vulnerable version of bind. (ok, it may be
> something less obvious too, ...)
>
> Markus
>

regards
omicron
--
******
An optimist sees light at the end of every tunnel.
A pessimist fears it might be of an incoming train.

omicron@xxxxxxxxxxxxxxxxxx omicron.symonds.net

C O G I T O E R G O S U M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
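Added example (not TCT's code and not part of the post above): the core idea behind TCT's mactime, written out as a small Python script. It walks a tree, records the three inode timestamps (mtime, atime, ctime) of every entry without reading any file, merges them into one row per second and path with an m/a/c flag column, lets you pull out the hours around the suspected break-in, and flags files whose ctime is much newer than their mtime, which is what backdating an mtime with touch leaves behind, since ctime cannot be set through the normal file API. The sample tree it builds is constructed, and its paths are hypothetical. Run anything like this on a read-only (or noatime) mount of a disk image, before the reinstall, since listing and reading files on the live system overwrites the very atimes you want.

```python
#!/usr/bin/env python3
"""mactime-style timeline of a directory tree.

Added example in the spirit of TCT's grave-robber/mactime; it is not
TCT's code and not part of the original post. It walks a tree, records
the three inode timestamps of every entry (mtime, atime, ctime), merges
them into one row per (second, path) with an m/a/c flag column, and
flags files whose ctime is far newer than their mtime, the trace left by
backdating mtime with touch (ctime cannot be set through the normal API).
"""
import os
import stat
import tempfile
import time
from collections import namedtuple

Event = namedtuple("Event", "ts path mac mode size")


def collect(root):
    """One Event per (entry, timestamp kind). lstat so symlinks are not
    followed and nothing is read: reading a file would update its atime
    and destroy evidence. Use a read-only (or noatime) mount of the image."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            mode = stat.filemode(st.st_mode)
            for label, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append(Event(ts, path, label, mode, st.st_size))
    return events


def timeline(events):
    """Rows (ts, flags, mode, size, path) sorted by time; flags is 'mac' with
    a dot for each timestamp kind that did not fall in that second, e.g. 'm.c'."""
    merged = {}
    for ev in events:
        info = merged.setdefault((int(ev.ts), ev.path),
                                 {"flags": set(), "mode": ev.mode, "size": ev.size})
        info["flags"].add(ev.mac)
    rows = []
    for (ts, path), info in sorted(merged.items()):
        flags = "".join(ch if ch in info["flags"] else "." for ch in "mac")
        rows.append((ts, flags, info["mode"], info["size"], path))
    return rows


def format_rows(rows):
    """Human-readable lines, UTC, one per timeline row."""
    return ["%s %s %s %8d %s" % (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
                                 flags, mode, size, path)
            for ts, flags, mode, size, path in rows]


def activity_window(rows, start, end):
    """Rows with start <= ts <= end (epoch seconds): the hours around the break-in."""
    return [r for r in rows if start <= r[0] <= end]


def backdated(rows, min_gap=86400):
    """Paths whose ctime is more than min_gap seconds after their mtime.
    A normal content write sets both; an old mtime with a fresh ctime means
    the mtime was reset afterwards (or only metadata changed). Worth a look."""
    mtimes, ctimes = {}, {}
    for ts, flags, _mode, _size, path in rows:
        if "m" in flags:
            mtimes[path] = ts
        if "c" in flags:
            ctimes[path] = ts
    return sorted(p for p in mtimes if p in ctimes and ctimes[p] - mtimes[p] > min_gap)


def build_sample_tree(base=None):
    """Constructed sample (hypothetical paths, not real evidence): three files
    with mtime/atime set to 8 Feb 2001. Their ctime will be 'now', because the
    os.utime() call is itself an inode change; that is the backdating pattern
    backdated() looks for."""
    base = base or tempfile.mkdtemp(prefix="mactime-demo-")
    t0 = 981590400  # 2001-02-08 00:00:00 UTC
    plan = {"etc/passwd": t0, "usr/sbin/named": t0 + 3600, "tmp/.hidden/bin": t0 + 7200}
    for rel, ts in plan.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(rel)
        os.utime(path, (ts, ts))
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    rows = timeline(collect(root))
    print("\n".join(format_rows(rows)))
    print("possibly backdated:", backdated(rows))
```

Run it with no argument to see the constructed sample, or point it at the mount point of the image. The window and backdating checks are heuristics: chmod, chown and rename also bump ctime without touching mtime, so a hit means "look here", not "tampered".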

