Re: LKM Trojan installed

From: Gwendolynn ferch Elydyr (gwen@reptiles.org)
Date: 02/11/03

    Date: Tue, 11 Feb 2003 13:11:52 -0500 (EST)
    From: Gwendolynn ferch Elydyr <gwen@reptiles.org>
    To: "Shawn M. Jones" <smj@thresholdoflight.org>
    On Sat, 8 Feb 2003, Shawn M. Jones wrote:
    > Yes, indeed, but how do you prevent the ps from using a tampered glibc or
    > other libs? I usually statically compile a standard set of utilities (ls,
    > ps, netstat, chkrootkit, etc.), tar.Z them up (some systems still don't
    > have gzip or bzip2) and dump the tools into a working directory on the
    > "suspect" system. Then I set my path to utilize that directory during my
    > inspection. This limits the toolset such that all I have to worry about
    > is a tampered shell.

    Just a reminder that you don't want to modify the suspect system if you're
    trying to maintain forensic evidence... booting off of clear, read-only
    media is generally a better choice.

    Of course if your goal is simply to fix and forget, that doesn't apply.

    cheers!
    ==========================================================================
    "A cat spends her life conflicted between a deep, passionate and profound
    desire for fish and an equally deep, passionate and profound desire to
    avoid getting wet. This is the defining metaphor of my life right now."
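As an added example (not code from this thread or from either poster), the pre-flight check that Shawn's static-toolkit approach implies, in Python: before trusting a tool dropped onto the suspect box, confirm that it really is statically linked (an ELF with a PT_INTERP program header is run through the host's ld.so and picks up the host's libc, which is exactly the tampered-glibc problem) and that the deployed copy still matches the SHA-256 recorded when it was built. The ELF images and the tool names (ps, ls, netstat, taken from the thread) are constructed in-line so the script runs offline; the function names are this example's own.

```python
"""Pre-flight checks for a toolkit of statically linked forensic binaries.

Two checks: (1) does each binary avoid the suspect host's loader and shared
libraries? (2) does the deployed copy still match its build-time hash?
All ELF images here are constructed in-line (not real binaries).
"""
import hashlib
import struct

# ELF program-header types, from the ELF specification
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def program_header_types(data):
    """Return the list of p_type values from an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if data[4] == 2:                                # EI_CLASS: ELFCLASS64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif data[4] == 1:                              # ELFCLASS32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    # p_type is the first 4-byte field of a program header in both classes
    return [struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def linkage(data):
    """Classify how the suspect host would load this binary."""
    types = program_header_types(data)
    if PT_INTERP in types:
        return "dynamic"      # host ld.so plus host shared libs: untrusted
    if PT_DYNAMIC in types:
        return "static-pie"   # self-relocating, no host libraries involved
    return "static"


def build_elf64(ptypes):
    """Construct a minimal little-endian x86-64 ELF image with the given p_types
    (constructed test data, not a runnable program)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x400000,   # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        64, 0, 0,               # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(ptypes),    # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in ptypes)
    return header + phdrs


def build_manifest(toolkit):
    """Record each binary's SHA-256 at build time, on the clean build host."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in toolkit.items()}


def check_toolkit(manifest, deployed):
    """Return a list of problems; an empty list means the toolkit is usable."""
    problems = []
    for name, expected in manifest.items():
        blob = deployed.get(name)
        if blob is None:
            problems.append(f"{name}: missing from deployed toolkit")
            continue
        if hashlib.sha256(blob).hexdigest() != expected:
            problems.append(f"{name}: hash mismatch (modified after build)")
            continue
        if linkage(blob) == "dynamic":
            problems.append(f"{name}: dynamically linked, would use host loader/libs")
    return problems


# Constructed toolkit: 'ps' fully static, 'ls' accidentally built dynamic,
# 'netstat' built as a static PIE (no interpreter, but a dynamic section).
TRUSTED = {
    "ps": build_elf64([PT_LOAD, PT_LOAD]),
    "ls": build_elf64([PT_INTERP, PT_LOAD, PT_DYNAMIC]),
    "netstat": build_elf64([PT_LOAD, PT_DYNAMIC]),
}
MANIFEST = build_manifest(TRUSTED)

# Deployed copy on the suspect host: 'ps' had a byte altered in transit.
DEPLOYED = dict(TRUSTED)
DEPLOYED["ps"] = TRUSTED["ps"][:-1] + b"\xff"

if __name__ == "__main__":
    for problem in check_toolkit(MANIFEST, DEPLOYED):
        print("WARN", problem)
```

Run against the constructed toolkit it flags the modified ps and the dynamically linked ls and passes netstat. Note what this does not cover: a static binary still makes its system calls into the suspect kernel, so a trojaned LKM (the subject of this thread) can lie to ps and netstat no matter how they were linked. That is the case for Gwen's point above: the toolkit check is worth doing, but booting from clean read-only media is the only way to take the suspect kernel out of the picture, and it also avoids writing anything to the evidence.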