Date: Mon, 16 Jul 2012 15:35:43 +0100
From: Giles Coochey <giles@...chey.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux - Indicators of compromise

On 16/07/2012 14:48, Gary Baribault wrote:
> I suggest one of the first answers was the good one, intercept the 
> traffic routed to the internet with TCPDump. Filter out the normal 
> traffic and see what's left. All compromised systems talk to the 
> Internet to dump data or route spam. Be patient, some systems talk all 
> the time, some once an hour .. but you will find some unexplained 
> traffic. Once you do find that you're infected, don't bother cleaning 
> up the system, format and restore the data!
> Gary Baribault
> Courriel:gary@...ibault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
+1, but note you cannot trust tcpdump on the compromised system: even if 
the md5 matches, the kernel might screen the packets you're looking for.
Run tcpdump on a trusted system that has a copy of the traffic from the 
switchport your suspect system is connected to (e.g. Cisco SPAN or RSPAN).
Otherwise, if your router supports a similar feature (or you have a 
router that supports tcpdump), then you can check there.

Note that the traffic could be encapsulated in another protocol. ICMP 
echo / reply payloads have been used in the past as covert communication 
channels, as has IP protocol 41 (IPv6 encapsulation over IPv4) and IP 
protocol 47 (GRE).

-- 
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@...chey.net


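Added example, not part of the thread above or of any tool the posters mention: a small Python filter of the kind you would run over a capture taken on the trusted box (tcpdump -w on the SPAN port), implementing the "filter out the normal traffic and see what's left" step and the covert-channel checks Giles lists. It parses raw IPv4 packets, passes flows that match a baseline of expected destinations, and reports IP protocol 41, IP protocol 47, and ICMP echo packets whose payload is not the default ping pattern. The baseline set, the "default" ping payloads (Linux iputils: timestamp plus bytes 0x08..0x37; Windows: the 32-byte alphabet string), the addresses and the sample packets are all assumptions constructed for the example; a real capture would be read from a pcap instead.

```python
# Added example: baseline-and-anomaly filter over a mirrored capture.
# Packets are raw IPv4 (no link layer), built inline as constructed samples;
# a real run would read a pcap written by tcpdump -w on a trusted box.
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPPROTO_IPV6, IPPROTO_GRE = 41, 47  # the two tunnel protocols named in the post

# Known-good flows (proto, destination, dest port).  Assumption: derived from
# what the box is supposed to talk to (its resolver and one web service).
BASELINE = {
    (IPPROTO_UDP, "8.8.8.8", 53),
    (IPPROTO_TCP, "93.184.216.34", 443),
}
# Default echo payloads.  Assumption: Linux iputils ping (8-byte timestamp,
# then bytes 0x08..0x37) and Windows ping (32-byte alphabet string).
LINUX_PING_PATTERN = bytes(range(8, 56))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def parse_ipv4(pkt):
    """Pull protocol, addresses and payload out of a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": inet_ntoa(src), "dst": inet_ntoa(dst), "payload": pkt[ihl:total]}


def looks_like_normal_ping(payload):
    """True if the echo payload is one of the assumed default ping patterns."""
    return (len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN) or payload == WINDOWS_PING_PAYLOAD


def classify(pkt):
    """Return None for expected traffic, otherwise a short reason to look closer."""
    ip = parse_ipv4(pkt)
    proto, data, dst = ip["proto"], ip["payload"], ip["dst"]
    if proto == IPPROTO_IPV6:
        return "IPv6-in-IPv4 (protocol 41) to %s" % dst
    if proto == IPPROTO_GRE:
        return "GRE (protocol 47) to %s" % dst
    if proto == IPPROTO_ICMP:
        if len(data) < 8:
            return "truncated ICMP"
        if data[0] in (0, 8):  # echo reply / request: inspect the payload, not just the type
            if looks_like_normal_ping(data[8:]):
                return None
            return "ICMP echo with non-default payload (%d bytes) to %s" % (len(data) - 8, dst)
        return "ICMP type %d to %s" % (data[0], dst)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(data) < 4:
            return "truncated transport header"
        dport = struct.unpack("!HH", data[:4])[1]
        if (proto, dst, dport) in BASELINE:
            return None
        return "%s to %s:%d not in baseline" % ("tcp" if proto == IPPROTO_TCP else "udp", dst, dport)
    return "unexpected IP protocol %d to %s" % (proto, dst)


def audit(packets):
    """Filter out the normal traffic; return (index, reason) for what is left."""
    findings = []
    for i, pkt in enumerate(packets):
        reason = classify(pkt)
        if reason is not None:
            findings.append((i, reason))
    return findings


# Constructed sample traffic (checksums left zero; this is not a real capture).
def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr + payload

def icmp_echo(payload, ident=0x1234, seq=1):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

SUSPECT, C2 = "192.0.2.10", "198.51.100.7"  # documentation addresses, assumed
SAMPLE = [
    ipv4(IPPROTO_UDP, SUSPECT, "8.8.8.8", udp(40000, 53, b"\x00" * 12)),                 # 0 DNS, baseline
    ipv4(IPPROTO_TCP, SUSPECT, "93.184.216.34", tcp_syn(40001, 443)),                    # 1 HTTPS, baseline
    ipv4(IPPROTO_ICMP, SUSPECT, "8.8.8.8", icmp_echo(b"\x00" * 8 + LINUX_PING_PATTERN)),  # 2 ordinary ping
    ipv4(IPPROTO_ICMP, SUSPECT, C2, icmp_echo(b"id;uname -a\x00")),                      # 3 echo used as a channel
    ipv4(IPPROTO_GRE, SUSPECT, C2, b"\x00\x00\x08\x00"),                                 # 4 GRE (protocol 47)
    ipv4(IPPROTO_IPV6, SUSPECT, C2, b"\x60" + b"\x00" * 39),                             # 5 6in4 (protocol 41)
    ipv4(IPPROTO_TCP, SUSPECT, C2, tcp_syn(40002, 4444)),                                # 6 TCP flow not in baseline
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE):
        print("packet %d: %s" % (index, reason))
```

Run on the constructed sample, packets 0-2 are dropped as normal and 3-6 are reported. The payload pattern check is only a first pass: a tunnel can pad its data to look like a default ping, so on a real capture also watch echo rate, size and destination, and treat any protocol 41 or 47 leaving a host that is not supposed to tunnel as worth an explanation.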