[Plug-security] Once cracked

Wes Bateman plug-security@lists.PLUG.phoenix.az.us
Mon, 10 Sep 2001 01:02:46 -0500 (CDT)


I would back up my /home if it had any value at all.  You can verify info
by hand later if need be.

Because, as David Sinck mentioned, LKMs are scary, I prefer to run
kernels that don't support modules.  Makes some things more of a hassle
sometimes, but I just build a kernel for whatever hardware I'm running on,
etc.

To do forensic work on the box, I wouldn't trust the system itself at all.
I'd personally either boot from a rescue disk (check out linuxcare.com for
one which I've had good success with - the business card CDs are cool if
you get one, but you can download the ISO and source and roll your own
onto a conventional CD).  Otherwise, I'd pull the drive(s) and mount them
in another, trusted host.  Then you can go over the logs, .history files,
etc.  This way you can run a trusted kernel, with trusted binaries, and
work with data that is mounted read-only.  If you don't already have
collections of md5sums for your system, you can find such collections for
default installations of various OSes.  Dan Farmer has such a library
buried away at fish.com actually.

Anyhow, just my thoughts :)  Good luck,

Wes

-- 
Wes Bateman, GCIA
Chief Security Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
wes@manisec.com
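The check Wes describes, comparing a read-only mounted suspect filesystem against a collection of known-good md5sums, as an added example that is not part of the original post. The manifest format is plain `md5sum` output; the tree layout, file contents and the `/mnt/suspect`-style mount point are constructed placeholders, and the demo flags not only modified files but also files deleted from or planted into the baseline.

```shell
#!/bin/sh
# Added example, not code from the original post: check a suspect
# filesystem (mounted read-only on a trusted host) against a baseline
# md5sum manifest taken from a known-good install of the same release.
# All paths and sample files below are constructed for the demo.

# verify_tree ROOT MANIFEST
# MANIFEST holds md5sum lines: "<32-hex-hash>  <path relative to ROOT>".
# Prints one sorted line per discrepancy: MODIFIED, MISSING or ADDED.
verify_tree() {
    root=$1; manifest=$2
    {
        # Every baseline file must still be present with the same hash.
        while read -r expected path; do
            [ -n "$path" ] || continue
            if [ ! -f "$root/$path" ]; then
                echo "MISSING  $path"
            elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" != "$expected" ]; then
                echo "MODIFIED $path"
            fi
        done < "$manifest"
        # Any regular file absent from the baseline was planted or left behind.
        known=$(cut -c35- "$manifest")   # path starts after hash + 2 spaces
        find "$root" -type f | while read -r f; do
            rel=${f#"$root"/}
            printf '%s\n' "$known" | grep -qxF -- "$rel" || echo "ADDED    $rel"
        done
    } | sort
}

# Constructed demo: build a "known good" tree and its manifest, then a
# tampered copy with one replaced, one deleted and one extra file.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/good/bin" "$work/good/etc"
    echo 'ls binary' > "$work/good/bin/ls"
    echo 'ps binary' > "$work/good/bin/ps"
    echo 'root:x:0:0' > "$work/good/etc/passwd"
    ( cd "$work/good" && find . -type f -exec md5sum {} + | sed 's|  \./|  |' ) > "$work/baseline.md5"
    cp -r "$work/good" "$work/suspect"
    echo 'replaced ps' > "$work/suspect/bin/ps"
    rm "$work/suspect/bin/ls"
    echo 'unexpected' > "$work/suspect/etc/unknown.conf"
    verify_tree "$work/suspect" "$work/baseline.md5"
    rm -rf "$work"
}

demo
```

Against a real image you would run `verify_tree /mnt/suspect baseline.md5` with a manifest built from the matching distribution release, and treat every MODIFIED or ADDED line under /bin, /sbin and /lib as a lead to chase in the logs and shell histories.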