[1748] in linux-security and linux-alert archive
[linux-security] Re: Trying to recover erased logs
daemon@ATHENA.MIT.EDU (Dave Airlie)
Wed May 13 17:25:30 1998
Date: Wed, 13 May 1998 14:35:23 +0100 (IST)
From: Dave Airlie <david.airlie@ul.ie>
In-reply-to: <Pine.LNX.3.95.980512172109.10441A-100000@ferret.lmh.ox.ac.uk>
To: Chris Evans <chris@ferret.lmh.ox.ac.uk>
Cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Just as an aside on this subject, a system I work on had all files owned
by its web a/c rm-ed recently through a faulty cgi script someone had
uploaded, this removed the web-logs but did not cause apache to crash, so
as long as the single apache httpd process was running we were able to
grab the logs from /proc/<pid>/fd of that process, this caught the
attacking site and any other info we needed ...
Dave.
On Tue, 12 May 1998, Chris Evans wrote:
>
> Hi,
>
> I've had several people ask me about a comment I made in a previous post;
>
> <quote>
>
> Dan, firstly, if you haven't touched the compromised system much, do a
> "dd" across the raw disk and grep it for log fragments. I have seen vital
> erased logs recovered this way before!
>
> </quote>
>
> I shall try and explain a bit more!
>
> If an attacker erases, or truncates a log, the information in it is lost
> to the filesystem, but might well still be physcially on the disk,
> particularly if the filesystem /var/log is on, isn't too busy.
>
> So if you act quickly, and /var/log filesystem is quiet, some blocks that
> still contain old valuable log info, might still be on the disk.
>
> If /var/log is part of (eg.) /dev/hda1, then yuou might try
>
> dd if=/dev/hda1 | grep "connect from"
>
> I have seen this command executed on a system compromised through imapd.
> The logs were erased, but the command picked out the ip address of the
> attacker which was recorded by tcp_wrappers when he connected to exploit
> the old imapd vulnerability. That information was still on the physical
> disk.
>
> Cheers
> Chris
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
>
>
------------ David Airlie, David.Airlie@ul.ie,airlied@skynet --------
Telecommunications Research Centre, ECE Dept, University of Limerick \
http://www.csn.ul.ie/~airlied -- Computer Engineering Postgrad \
--- TEL: +353-61-202695 -----------------------------------------------
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null