[1748] in linux-security and linux-alert archive


[linux-security] Re: Trying to recover erased logs

daemon@ATHENA.MIT.EDU (Dave Airlie)
Wed May 13 17:25:30 1998

Date: Wed, 13 May 1998 14:35:23 +0100 (IST)
From: Dave Airlie <david.airlie@ul.ie>
In-reply-to: <Pine.LNX.3.95.980512172109.10441A-100000@ferret.lmh.ox.ac.uk>
To: Chris Evans <chris@ferret.lmh.ox.ac.uk>
Cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


Just as an aside on this subject, a system I work on recently had all files
owned by its web a/c rm-ed through a faulty cgi script someone had
uploaded. This removed the web logs but did not cause apache to crash, so
as long as the single apache httpd process was running we were able to
grab the logs from /proc/<pid>/fd of that process. This caught the
attacking site and any other info we needed...

Dave.

On Tue, 12 May 1998, Chris Evans wrote:

> 
> Hi,
> 
> I've had several people ask me about a comment I made in a previous post;
> 
> <quote>
> 
> Dan, firstly, if you haven't touched the compromised system much, do a
> "dd" across the raw disk and grep it for log fragments. I have seen vital
> erased logs recovered this way before!
> 
> </quote>
> 
> I shall try and explain a bit more!
> 
> If an attacker erases or truncates a log, the information in it is lost
> to the filesystem, but might well still be physically on the disk,
> particularly if the filesystem /var/log is on isn't too busy.
> 
> So if you act quickly, and the /var/log filesystem is quiet, some blocks
> that still contain old, valuable log info might still be on the disk.
> 
> If /var/log is part of (eg.) /dev/hda1, then you might try
> 
> dd if=/dev/hda1 | grep "connect from"
> 
> I have seen this command executed on a system compromised through imapd.
> The logs were erased, but the command picked out the ip address of the
> attacker which was recorded by tcp_wrappers when he connected to exploit
> the old imapd vulnerability. That information was still on the physical
> disk.
> 
> Cheers
> Chris
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
> 
> 

------------ David Airlie, David.Airlie@ul.ie,airlied@skynet --------
Telecommunications Research Centre, ECE Dept, University of Limerick \
http://www.csn.ul.ie/~airlied	-- Computer Engineering Postgrad      \
--- TEL: +353-61-202695 -----------------------------------------------
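Both tricks in this thread, Dave's copy of the still-open log out of
/proc/<pid>/fd and Chris's dd | grep over the raw partition, as one
runnable POSIX shell script. This is an added example and not code from
either post: the function names, the constructed sample "disk image" and
the syslog-style lines, hostname and addresses inside it are made up for
the demo, and the real inputs (the partition such as /dev/hda1, the httpd
pid) are assumed to be supplied by whoever runs it.

```shell
#!/bin/sh
# Added example for the thread above; this is not code from either post.
# Two ways to get at a log the attacker deleted:
#   1. recover_open_deleted  - the daemon still has the unlinked file open,
#      so it is readable through /proc/<pid>/fd/<n> until the process exits.
#   2. carve_fragments       - the file is gone but its blocks are not yet
#      reused, so grep the raw device (or a dd image of it) for log text.
# All paths, PIDs and the sample image below are constructed for the demo.

set -u

# Copy every file PID holds open that the kernel reports as "(deleted)" into
# OUTDIR (one file per descriptor number). Returns 0 if anything was saved.
# OUTDIR should live on a different filesystem than the one being recovered.
recover_open_deleted() {
    pid=$1
    outdir=$2
    found=0
    mkdir -p "$outdir"
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        # readlink prints e.g. "/var/log/httpd/access_log (deleted)"
        target=$(readlink "$fd") || continue
        case $target in
            *' (deleted)')
                # Opening the /proc link gives a fresh descriptor at offset 0,
                # so the still-allocated inode is read from the beginning.
                cat "$fd" > "$outdir/fd$(basename "$fd").log" && found=1
                ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Stream a block device or image through grep and print "offset:line" for
# every line containing PATTERN (a fixed string, e.g. "connect from").
# -a forces grep to treat the data as text; modern grep otherwise stops at
# "Binary file matches". tr turns NUL-filled blocks into newlines without
# changing byte positions, so -b reports the real offset of each hit.
carve_fragments() {
    dev=$1
    pattern=$2
    dd if="$dev" bs=64k 2>/dev/null \
        | tr '\000' '\n' \
        | LC_ALL=C grep -a -b -F -- "$pattern"
}

# Show printable context around a byte offset reported by carve_fragments,
# so a hit can be read together with the records around it. Non-printable
# bytes are shown as '.'.
context_at() {
    dev=$1
    off=$2
    before=${3:-256}
    after=${4:-256}
    start=$((off > before ? off - before : 0))
    dd if="$dev" bs=1 skip="$start" count=$((before + after)) 2>/dev/null \
        | LC_ALL=C tr -c '[:print:]\n' '.'
}

# Build a small constructed "disk image": two syslog-style lines separated
# by zeroed blocks, standing in for a partition with erased log blocks.
make_demo_image() {
    {
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
        printf 'May 13 14:02:11 host imapd[231]: connect from 10.0.0.5\n'
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
        printf 'May 13 14:02:12 host in.telnetd[232]: refused connect from 10.0.0.6\n'
    } > "$1"
}

# Run as: sh recover-logs.sh demo
if [ "${1:-}" = demo ]; then
    img=$(mktemp)
    make_demo_image "$img"
    echo "== fragments in constructed image =="
    carve_fragments "$img" "connect from"
    echo "== context around first hit =="
    context_at "$img" 4096 16 64
    echo
    # Open a temp file, delete it, then pull it back through /proc.
    tmp=$(mktemp); exec 7<"$tmp"; rm -f "$tmp"
    out=$(mktemp -d)
    recover_open_deleted "$$" "$out" && echo "== recovered: $(ls "$out") =="
    exec 7<&-
    rm -rf "$img" "$out"
fi
```

For a real incident the calls are `recover_open_deleted <httpd pid> /mnt/evidence`
(before anyone restarts or HUPs the daemon, since that closes the last
reference to the inode; `lsof | grep deleted` lists the candidates) and
`carve_fragments /dev/hda1 "connect from"`, with the output directed to a
different filesystem so it cannot overwrite the very blocks being searched.
The offsets from `-b` feed `context_at` to read the neighbouring records.
The carving half depends on the blocks not having been reused; on a busy
filesystem, and on SSDs where the filesystem issues discards, that window is
short, so image the partition with dd first and work from the image.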
