Message-ID: <CAEJizbbLnVDcLVzigJsWz-cv13TvhrEFmAVe=_vcvxECgRbnbg@mail.gmail.com>
Date: Mon, 16 Jul 2012 14:55:11 +0100
From: Benji <me@...ji.com>
To: Gary Baribault <gary@...ibault.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux - Indicators of compromise
" All compromised systems talk to the Internet to dump data or route spam."
yup, this is 1000% true and utterly foolproof.
On Mon, Jul 16, 2012 at 2:48 PM, Gary Baribault <gary@...ibault.net> wrote:
> I suggest one of the first answers was the good one, intercept the traffic
> routed to the internet with TCPDump. Filter out the normal traffic and see
> what's left. All compromised systems talk to the Internet to dump data or
> route spam. Be patient, some systems talk all the time, some once an hour ..
> but you will find some unexplained traffic. Once you do find that you're
> infected, don't bother cleaning up the system, format and restore the data!
>
> Gary Baribault
> E-mail: gary@...ibault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 07/16/2012 09:40 AM, valdis.kletnieks@...edu wrote:
>
> On Sat, 14 Jul 2012 12:46:50 -0000, "Ali Varshovi " said:
>
> Most of the materials I've seen are more aligned to malware and rootkit
> detection which is not the only concern apparently.
>
> It's hard to say what else to check without knowing what other concerns
> you're checking for, and what data sources are available (I'm thinking about
> auditd and friends, but there's other data sources as well).
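The capture-then-filter approach Gary describes (dump outbound traffic, subtract the known-normal flows, inspect what is left, and be patient because some things only talk once an hour) as an added worked example; this is not code from the thread. It assumes a constructed set of `tcpdump -nn -tttt` style lines, an assumed baseline allowlist of (destination, port) pairs, and a simple regular-interval heuristic of my own to flag hourly-style beaconing in the remainder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `tcpdump -nn -tttt` output (not a real capture).
SAMPLE_CAPTURE = """\
2012-07-16 14:00:01.000000 IP 10.0.0.5.44120 > 93.184.216.34.80: Flags [S], seq 1
2012-07-16 14:00:02.000000 IP 10.0.0.5.44121 > 10.0.0.1.53: 1234+ A? example.com. (29)
2012-07-16 14:00:03.000000 IP 10.0.0.5.44122 > 198.51.100.7.6667: Flags [S], seq 1
2012-07-16 15:00:03.000000 IP 10.0.0.5.44123 > 198.51.100.7.6667: Flags [S], seq 1
2012-07-16 15:00:04.000000 IP 10.0.0.5.44124 > 93.184.216.34.443: Flags [S], seq 1
2012-07-16 16:00:03.000000 IP 10.0.0.5.44125 > 198.51.100.7.6667: Flags [S], seq 1
"""

# Assumed baseline of "normal" (destination, port) pairs for the constructed host.
# A real baseline comes from your own inventory of what the box is supposed to reach.
BASELINE = {
    ("93.184.216.34", 80), ("93.184.216.34", 443),  # web/update traffic
    ("10.0.0.1", 53),                               # local resolver
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def unexplained_flows(capture, baseline, local_net="10.0.0."):
    """Return {(dst, port): [timestamps]} for outbound flows not in the baseline."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["src"].startswith(local_net):
            continue  # not an outbound packet from our host or net
        key = (m["dst"], int(m["dport"]))
        if key in baseline:
            continue  # known-normal traffic: filter it out
        flows[key].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return dict(flows)

def beacon_interval(timestamps):
    """Seconds between contacts if the gaps are within 10% of each other, else None."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return gaps[0] if max(gaps) - min(gaps) <= 0.1 * gaps[0] else None

if __name__ == "__main__":
    for (dst, port), times in unexplained_flows(SAMPLE_CAPTURE, BASELINE).items():
        iv = beacon_interval(times)
        print(f"{dst}:{port} contacted {len(times)}x ({f'every {iv:.0f}s' if iv else 'irregular'})")
```

On the constructed capture only 198.51.100.7:6667 survives the baseline filter, and its three contacts an hour apart are exactly the "once an hour" pattern the post says to wait for.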
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/