
Re: [linux_forensics] Attack of the ATVs - (advanced volatile threats) ....

  • Dave Dittrich
    Message 1 of 3, Feb 26, 2013
      P.S.

      To keep this on-topic and less of a rant, Linux Slapper is
      actually a really good classroom exercise for Linux
      forensics. It compromises an exposed service, downloads
      source code, compiles it, runs it, and deletes it. This
      leaves the worm running in memory, but you can't see it
      on disk, and if the system uses an EXT3 file system,
      you can't easily find the i-nodes that held the source
      code (they get zeroed out). You can, however, use some
      facts about when the worm activity was detected to
      get a narrow time frame, then use the disk locality
      affinity of allocation of i-nodes to narrow
      down the range of where on disk those i-nodes *might*
      have been held. It is then a simple task of carving out
      the C source code and Makefile and voila! You can
      reconstruct the worm!

      --
      Dave Dittrich
      dittrich@...
      http://staff.washington.edu/dittrich

      PGP key: http://staff.washington.edu/dittrich/pgpkey.txt
      Fingerprint: 097B 4DCB BF16 E1D8 A06C 7512 A751 C80A D15E E079
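As an added illustration of the carving approach described in the message above (example code written for this page, not Dave Dittrich's or any project's tooling): ext2/ext3 place inode N in block group (N-1)//inodes_per_group and prefer data blocks from that same group, so a suspected inode range maps to a block range worth carving first; the text-run scanner and the C/Makefile signature set are assumptions chosen for this example, and the disk image is constructed inline rather than captured from a real system.

```python
import re

# Carving signatures for the artifacts the post describes (worm C source and
# its Makefile). This signature set is an assumption made for this example.
SIGNATURES = {
    "c_source": re.compile(rb"#include\s*[<\"]"),
    "makefile": re.compile(rb"^(?:CC\s*=|all:|clean:)", re.M),
}

def group_block_range(inode_no, inodes_per_group, blocks_per_group, first_data_block=0):
    """ext2/ext3 layout: inode N (1-based) belongs to block group
    (N-1)//inodes_per_group, and the allocator prefers data blocks from that
    group. Returns the [start, end) block-number range to carve first."""
    group = (inode_no - 1) // inodes_per_group
    start = first_data_block + group * blocks_per_group
    return start, start + blocks_per_group

def carve_text_blocks(image, start, end, min_len=32):
    """Scan image[start:end] for printable-text runs and classify any run that
    carries a C-source or Makefile signature. Returns (offset, length, kind)
    tuples; offsets are absolute byte offsets into the image."""
    region = image[start:end]
    run_re = re.compile(rb"[\t\n\r\x20-\x7e]{%d,}" % min_len)
    hits = []
    for m in run_re.finditer(region):
        blob = m.group(0)
        for kind, sig in SIGNATURES.items():
            if sig.search(blob):
                hits.append((start + m.start(), len(blob), kind))
                break
    return hits

def build_sample_image(block=4096):
    """Constructed 24-block image (3 groups of 8 blocks, not a real capture):
    zero filler, binary noise in block 9, a decoy old source file in block 2
    (group 0), and the deleted worm source (block 11) plus its Makefile
    (block 13) in group 1."""
    decoy = b"#include <stdlib.h>\n/* unrelated, long-deleted source file */\n"
    c_src = (b"#include <stdio.h>\n#include <unistd.h>\n\n"
             b"int main(void) {\n    /* body omitted */\n    return 0;\n}\n")
    makefile = (b"CC = gcc\nall: worm\nworm: worm.c\n\t$(CC) -o worm worm.c\n"
                b"clean:\n\trm -f worm\n")
    img = bytearray(block * 24)
    img[2 * block:2 * block + len(decoy)] = decoy
    img[9 * block:9 * block + 64] = bytes(range(0x80, 0xc0))  # non-text noise
    img[11 * block:11 * block + len(c_src)] = c_src
    img[13 * block:13 * block + len(makefile)] = makefile
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    lo, hi = group_block_range(inode_no=20, inodes_per_group=16, blocks_per_group=8)
    print("carving blocks", lo, "to", hi)
    for off, length, kind in carve_text_blocks(img, lo * 4096, hi * 4096):
        print(f"{kind} at byte {off} ({length} bytes)")
```

Scanning only group 1's blocks returns the worm source and Makefile while skipping the unrelated decoy in group 0; a whole-image scan would surface all three.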