Open Source and information security mailing list archives
Date: Mon, 16 Jul 2012 15:35:43 +0100
From: Giles Coochey <giles@...chey.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux - Indicators of compromise

On 16/07/2012 14:48, Gary Baribault wrote:
> I suggest one of the first answers was the good one: intercept the
> traffic routed to the internet with TCPDump. Filter out the normal
> traffic and see what's left. All compromised systems talk to the
> Internet to dump data or route spam. Be patient; some systems talk all
> the time, some once an hour, but you will find some unexplained
> traffic. Once you do find that you're infected, don't bother cleaning
> up the system, format and restore the data!
>
> Gary Baribault
> Courriel: gary@...ibault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
+1, but note you cannot trust tcpdump on the compromised system; even if the
md5 matches, the kernel might screen the packets you're looking for.

Run tcpdump on a trusted system that has a copy of the traffic from the
switchport that your suspect system is connected to (e.g. Cisco SPAN or
RSPAN). Otherwise, if your router supports a similar feature (or you have a
router that supports tcpdump), then you can check there.

Note that the traffic could be encapsulated in another protocol. ICMP echo /
reply payloads have been used in the past as covert communication channels,
as has IP protocol 41 (IPv6 encapsulation over IPv4) and IP protocol 47 (GRE).

-- 
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@...chey.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
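The reply above recommends capturing on a trusted observer (a SPAN/RSPAN port or a router) and then looking for traffic hidden inside ICMP echo/reply payloads, IP protocol 41 (IPv6-in-IPv4) or IP protocol 47 (GRE). The script below is an added example, not code from the post or its author: it parses raw IPv4 packets, flags those three encapsulations, and can read a classic tcpdump -w file from the trusted box. The sample packets are constructed inline; the 64-byte size limit, the "standard ping payload" shapes (iputils: timestamp followed by 0x10, 0x11, ...; Windows: a fixed alphabetic pattern), the Ethernet-only pcap reader and the interface name in the tcpdump filter are all assumptions, not facts from the post.

```python
"""Flag tunnelled or covert-looking IPv4 traffic from a trusted capture.

Added example, not part of the original mailing-list post.  Detects the
three carriers named in the reply: ICMP echo/reply with unusual payloads,
IP proto 41 (IPv6-in-IPv4) and IP proto 47 (GRE).  Thresholds and "normal"
ping shapes below are assumptions; adjust them to your own baseline.
"""
import struct
import sys
from typing import Iterator, List, Optional, Tuple

IPPROTO_ICMP = 1
IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (6in4 / 6to4 style tunnels)
IPPROTO_GRE = 47    # Generic Routing Encapsulation

# Equivalent tcpdump expression for the SPAN-attached capture host.
# icmp[0] is the ICMP type byte: 8 = echo request, 0 = echo reply.
TCPDUMP_FILTER = "ip proto 41 or ip proto 47 or icmp[0] = 8 or icmp[0] = 0"

MAX_NORMAL_ECHO_PAYLOAD = 64   # assumption: Linux default is 56, Windows 32
WINDOWS_PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # assumed Windows shape


def parse_ipv4(pkt: bytes) -> Optional[Tuple[int, str, str, bytes]]:
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:total_len]


def looks_like_standard_ping(data: bytes) -> bool:
    """Assumption: iputils overwrites the first 16 bytes with a timestamp and
    leaves byte i == i after that; Windows ping sends a fixed alphabet."""
    if data == WINDOWS_PING_PATTERN:
        return True
    return all(data[i] == (i & 0xFF) for i in range(16, len(data)))


def classify(pkt: bytes) -> List[str]:
    """Reasons this packet deserves a look; an empty list means nothing notable."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return []
    proto, _src, _dst, payload = parsed
    reasons: List[str] = []
    if proto == IPPROTO_IPV6:
        reasons.append("IPv6-in-IPv4 tunnel (IP proto 41)")
    elif proto == IPPROTO_GRE:
        reasons.append("GRE tunnel (IP proto 47)")
    elif proto == IPPROTO_ICMP and len(payload) >= 8 and payload[0] in (0, 8):
        data = payload[8:]   # after type, code, checksum, identifier, sequence
        if len(data) > MAX_NORMAL_ECHO_PAYLOAD:
            reasons.append(f"ICMP echo payload of {len(data)} bytes")
        elif not looks_like_standard_ping(data):
            reasons.append("ICMP echo payload does not match a known ping pattern")
    return reasons


def scan(packets) -> List[Tuple[str, List[str]]]:
    """Return (label, reasons) for every packet that raised at least one reason."""
    results = [(label, classify(pkt)) for label, pkt in packets]
    return [(label, reasons) for label, reasons in results if reasons]


def iter_pcap_ipv4(path: str) -> Iterator[bytes]:
    """Yield IPv4 packets from a classic pcap written by tcpdump -w on an
    Ethernet interface (assumption: LINKTYPE_ETHERNET, no VLAN tags)."""
    with open(path, "rb") as f:
        gh = f.read(24)
        magic = struct.unpack("<I", gh[:4])[0]
        endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        if struct.unpack(endian + "I", gh[20:24])[0] != 1:
            raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                return
            caplen = struct.unpack(endian + "IIII", rh)[2]
            frame = f.read(caplen)
            if len(frame) >= 14 and frame[12:14] == b"\x08\x00":
                yield frame[14:]


# --- constructed sample packets (not captured traffic) ---------------------
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options, checksum left zero (samples only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_icmp_echo(data: bytes, echo_type: int = 8) -> bytes:
    return struct.pack("!BBHHH", echo_type, 0, 0, 1, 1) + data


LINUX_PING_DATA = bytes(16) + bytes(range(16, 56))   # 56 bytes, iputils shape
SAMPLE_PACKETS = [
    ("linux ping", build_ipv4(1, "10.0.0.5", "8.8.8.8", build_icmp_echo(LINUX_PING_DATA))),
    ("windows ping", build_ipv4(1, "10.0.0.7", "8.8.8.8", build_icmp_echo(WINDOWS_PING_PATTERN))),
    ("icmp beacon", build_ipv4(1, "10.0.0.5", "203.0.113.9",
                               build_icmp_echo(b"id=4711;cmd=ls -la /root", 0))),
    ("oversized echo", build_ipv4(1, "10.0.0.5", "203.0.113.9", build_icmp_echo(bytes(range(200))))),
    ("6in4", build_ipv4(IPPROTO_IPV6, "10.0.0.5", "203.0.113.9", bytes([0x60]) + bytes(39))),
    ("gre", build_ipv4(IPPROTO_GRE, "10.0.0.5", "203.0.113.9", b"\x00\x00\x08\x00" + bytes(20))),
    ("plain tcp", build_ipv4(6, "10.0.0.5", "93.184.216.34", bytes(20))),
]

if __name__ == "__main__":
    packets = (((f"pkt{i}", p) for i, p in enumerate(iter_pcap_ipv4(sys.argv[1])))
               if len(sys.argv) > 1 else SAMPLE_PACKETS)
    for label, reasons in scan(packets):
        print(label, "->", "; ".join(reasons))
```

Run it without arguments to see the constructed samples classified, or pass a file written with `tcpdump -ni eth0 -w span.pcap '<TCPDUMP_FILTER>'` on the observer box. The "oversized echo" sample mimics the iputils byte pattern perfectly and is still flagged by the size check, which is why both checks are kept; conversely, a short non-standard payload slips past the size check and is caught only by the pattern check. Neither check proves a covert channel; they narrow down what to inspect by hand.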