[1747] in linux-security and linux-alert archive
[linux-security] Trying to recover erased logs
daemon@ATHENA.MIT.EDU (Chris Evans)
Tue May 12 18:26:07 1998
Date: Tue, 12 May 1998 17:32:00 +0100 (BST)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
To: linux-security@redhat.com
Reply-to: Chris Evans <chris@ferret.lmh.ox.ac.uk>
Resent-From: linux-security@redhat.com
Hi,
I've had several people ask me about a comment I made in a previous post;
<quote>
Dan, firstly, if you haven't touched the compromised system much, do a
"dd" across the raw disk and grep it for log fragments. I have seen vital
erased logs recovered this way before!
</quote>
I shall try and explain a bit more!
If an attacker erases, or truncates a log, the information in it is lost
to the filesystem, but might well still be physcially on the disk,
particularly if the filesystem /var/log is on, isn't too busy.
So if you act quickly, and /var/log filesystem is quiet, some blocks that
still contain old valuable log info, might still be on the disk.
If /var/log is part of (eg.) /dev/hda1, then yuou might try
dd if=/dev/hda1 | grep "connect from"
I have seen this command executed on a system compromised through imapd.
The logs were erased, but the command picked out the ip address of the
attacker which was recorded by tcp_wrappers when he connected to exploit
the old imapd vulnerability. That information was still on the physical
disk.
Cheers
Chris
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null