On Sat, 8 Feb 2003, Shawn M. Jones wrote:

> Yes, indeed, but how do you prevent the ps from using a tampered glibc or
> other libs? I usually statically compile a standard set of utilities (ls,
> ps, netstat, chkrootkit, etc.), tar.Z them up (some systems still don't
> have gzip or bzip2) and dump the tools into a working directory on the
> "suspect" system. Then I set my path to utilize that directory during my
> inspection. This limits the toolset such that all I have to worry about
> is a tampered shell.
Just a reminder that you don't want to modify the suspect system if you're trying to maintain forensic evidence... booting off of clear, read-only media is generally a better choice. Of course if your goal is simply to fix and forget, that doesn't apply.

cheers!

==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
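As an added example that belongs to neither poster: the quoted approach (a pre-built set of static tools dropped into a directory and put first in PATH) only helps if the tools themselves are what you built, so a practitioner would pair it with a checksum manifest generated on the trusted build host and verified before PATH is changed. The script below constructs a throwaway "toolkit" directory and manifest inline for demonstration; the function names, the manifest format (`<crc> <size> <name>` as printed by POSIX `cksum`), and the `CKSUM`/`AWK` override variables are this example's own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: verify a static forensic toolkit against a manifest built on a
# trusted host, then put it first in PATH. Nothing here is from the original post.

# Point these at binaries inside the toolkit (or on read-only boot media) when
# running on a suspect host, since the host's own cksum/awk may be tampered.
CKSUM=${CKSUM:-cksum}
AWK=${AWK:-awk}

# Build a manifest on the trusted host where the static binaries were compiled.
# Output lines: "<crc> <size> <basename>" (POSIX cksum format, path replaced by name).
make_manifest() {
    tooldir=$1
    for f in "$tooldir"/*; do
        "$CKSUM" "$f" | "$AWK" -v n="$(basename "$f")" '{ print $1, $2, n }'
    done
}

# Verify every manifest entry against TOOLDIR: returns 0 only if all tools are
# present and their crc/size match; reports each missing or altered tool on stderr.
verify_toolkit() {
    tooldir=$1
    manifest=$2
    status=0
    while read -r sum size name; do
        [ -z "$name" ] && continue
        if [ ! -f "$tooldir/$name" ]; then
            echo "MISSING: $name" >&2
            status=1
            continue
        fi
        actual=$("$CKSUM" "$tooldir/$name" | "$AWK" '{ print $1, $2 }')
        if [ "$actual" != "$sum $size" ]; then
            echo "MISMATCH: $name" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# Only after verification succeeds does the toolkit directory go first in PATH.
use_toolkit() {
    tooldir=$1
    manifest=$2
    verify_toolkit "$tooldir" "$manifest" || return 1
    PATH="$tooldir:$PATH"
    export PATH
    return 0
}

# Self-contained demonstration with constructed files standing in for static
# ls/ps/netstat binaries. A real toolkit is built and manifested elsewhere.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/tools"
    printf '#!/bin/sh\necho trusted-ls\n' > "$tmp/tools/ls"
    chmod +x "$tmp/tools/ls"
    make_manifest "$tmp/tools" > "$tmp/manifest"
    verify_toolkit "$tmp/tools" "$tmp/manifest" && echo "toolkit intact"
    # Constructed tampering: the altered binary must be rejected.
    printf '#!/bin/sh\necho altered\n' > "$tmp/tools/ls"
    verify_toolkit "$tmp/tools" "$tmp/manifest" || echo "tampering detected"
    rm -rf "$tmp"
}
```

The manifest and toolkit should travel together on the read-only media the reply recommends; verifying from a trusted boot environment also sidesteps the remaining weakness the quoted post names, a tampered shell on the suspect host running the verification.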
