On 11/27/01 at 11:35 PM, guitarlynn <[EMAIL PROTECTED]> wrote:

> I put a dachsrein beta firewall up last week at the house,
> it works great.  My wife got into an apparent ongoing
> battle in which several people in a yahoo chat room were
> hit with a buffer overflow (affecting windows client) in
> the chat program. The room was actually being monitored by
> a level 2 government employee that was assigned to the
> room to monitor for script-kiddies, and she got one of
> them. Unfortunately, the kiddie got my ip addy and DDoS'ed
> it (from what I dug out of the logs before they filled).
> This was fine (lol), except I cannot find any info in
> auth.log and user.log. I am assuming the box has been
> cracked, probably root kitted and they erased the two log
> files. The box is still up and the gov official (and maybe
> Charles or someone else) would like an image of the Ram
> disk to analyze....particularly for a footprint of the
> attacker. 
> 
> My question, how do I make an image of the RAM disk??? Can
> I simply back up the entire disk and send it, or is there
> another way???

The simplest way to make an image of a disk is (assuming the relevant
applications are present):

# dd writes to stdout when of= is omitted ("of=-" would create a file named "-")
dd if=/dev/<disk_device> | gzip -9 -c - | nc \
some.other.machine.somewhere 18714

...and on some.other.machine.somewhere:

nc -l -p 18714 | gunzip -c - > disk.image

...I'm not sure about the parameters for gunzip, but you get the idea.

Of course, if you've rebooted, your RAM disk is lost - but you knew
that, certainly.

Remember that everything you do will change your environment.  Also
remember - if you are "rootkitted", then all of your usually useful
applications are now reporting what the attacker wants you to see -
and not the real thing.

Of course, you may not be rootkitted at all.  You don't have a
compiler on this box, so root kits can't be compiled.  You are running
glibc 2.0.7, so any precompiled root kit binary compiled on a recent
distribution will segfault.  You are also not running all of the glibc
libraries, so a root kit binary is more likely than most to require a
missing library.  Also, the action of most root kit binaries is likely
to be identical to their larger counterparts.  Lastly, you'll probably
find your disk free space to have shrunk drastically.  Finally - some
of what the rootkit may replace may actually be shell scripts - or
even, multipurpose shell scripts.  In such situations, if other
programs related to the shared script start acting like one single
binary, then it's been overwritten - for example, if cut & grep & who
& whoami & ... all start acting like who, then someone must have
replaced your shared script with a who binary.

All in all, I think a root kit of Dachstein (or any LEAF) will be
rather noticeable....
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]
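An added example, not code from David's reply or from the LEAF/Dachstein project: a POSIX sh script covering both points of the reply above, the dd/gzip/nc imaging pipeline (with the raw bytes hashed on the way out so the receiver can verify the image) and the "several commands suddenly behave like one binary" heuristic for a replaced shared script. It assumes dd, tee, gzip, mkfifo, sha256sum, od and awk are present; the device path, remote host and port in the comments are placeholders, and the test inputs are constructed files.

```shell
#!/bin/sh
# Added example (not from the thread or from LEAF). Assumptions: POSIX sh with
# dd, tee, gzip, gunzip, mkfifo, sha256sum, cut, od, awk; device path, host and
# port below are placeholders.
set -eu

# Sender: read the device ONCE, write the gzip stream to stdout and store the
# SHA-256 of the raw (uncompressed) bytes in $2. Pipe stdout into nc, e.g.
#   image_stream /dev/hda raw.sha256 | nc some.other.machine.somewhere 18714
# and hand raw.sha256 to the analyst by another channel.
image_stream() {
    dev=$1 hashfile=$2
    fifo=$(mktemp -u)
    mkfifo "$fifo"
    # reader side of the fifo: hash the raw bytes while they are being sent
    sha256sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    dd if="$dev" bs=64k 2>/dev/null | tee "$fifo" | gzip -9 -c
    rm -f "$fifo"
    wait
}

# Receiver: decompress the stream into an image file. On the far end:
#   nc -l -p 18714 | image_receive disk.image
image_receive() {
    gunzip -c > "$1"
}

# Compare the received image with the sender's hash; exit status 0 on match.
verify_image() {
    expected=$(cat "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Rootkit heuristic from the reply: several command names may point at one
# shared script; if that script is swapped for a binary they all act alike.
# Prints one line per distinct content hash: "hash name1 name2 ...", so a
# single hash now covering cut, grep, who, ... stands out.
commands_by_hash() {
    for p in "$@"; do
        [ -r "$p" ] || continue
        printf '%s %s\n' "$(sha256sum "$p" | cut -d' ' -f1)" "$(basename "$p")"
    done | sort \
      | awk '{ names[$1] = names[$1] " " $2 } END { for (h in names) print h names[h] }' \
      | sort
}

# Exit status 0 when the file starts with the ELF magic, i.e. a compiled
# binary sits where a shell script is expected.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
    [ "$magic" = '177ELF' ]
}
```

Run image_stream on the compromised box and image_receive on the analysis host; verify_image on the analysis host then gives a yes/no answer that does not depend on the far end having seen the same bytes. commands_by_hash is only a hint, since on a box where many names are legitimately links to one script they will share a hash anyway; the point is a group that changed, or one whose target is_elf now reports as a binary.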

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user