Hello Ingram,

My tip: As you stated, you never touched the box after installation, so there's a good opportunity to use Tripwire in your forensic analysis.

Reinstall the box exactly as you made it on 2 July. Use Tripwire to get a snapshot from the system in a trusted state. Use Tripwire again with the trusted database against the compromised hard disk. Now you'll get a report of all the changes which have been made.

Hope that helps.

Best wishes and patience,
Holger Reichert
Holysword GbR
www.holysword.de

-----Original Message-----
From: Ingram [mailto:Vailat_private]
Sent: Monday, 29 July 2002 21:20
To: forensicsat_private
Subject: need further help with break in

Greetings community,

I'm trying forensics on a real break-in for the first time and, well, it's a really difficult task. I read some papers on forensics and TCT but I'm stuck in finding out what exactly happened.

1) The Situation

On Jul 2 I installed an OpenBSD 3.1 host in our DMZ; foolish as I was, I did _not_ patch it directly. This was the time when the GOBBLES ssh remote root exploit was released. The machine had only one open port... ssh.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 06:52:34 PDT
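As an added illustration of the baseline-and-compare procedure Holger describes (a trusted snapshot of a clean reinstall, then a comparison against the compromised disk), here is a minimal POSIX-shell version of that idea. It is example code written for this archive, not Tripwire and not anything from either poster; it assumes `sha256sum` or `shasum` is available, records only content hashes (Tripwire also records ownership, permissions and timestamps), and the two directory trees it builds in `demo_report` are constructed sample data, not files from Ingram's host.

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style baseline-and-compare check in POSIX sh.
# Not Tripwire itself: it records content hashes only, and file names that
# contain newlines are not handled.

# hash_file FILE -> prints the SHA-256 of FILE (sha256sum or shasum assumed present)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# hash_tree DIR -> one "relative-path<TAB>sha256" line per regular file under DIR
hash_tree() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "${f#./}" "$(hash_file "$f")"
    done )
}

# make_baseline TRUSTED_DIR DBFILE -> writes the trusted snapshot to DBFILE.
# Run this on the clean reinstall and keep DBFILE off the suspect system.
make_baseline() {
    hash_tree "$1" > "$2"
}

# compare_tree DBFILE SUSPECT_DIR -> prints ADDED/MODIFIED/REMOVED lines, sorted.
# SUSPECT_DIR would be the compromised disk mounted read-only on the clean box.
compare_tree() {
    db=$1
    current=$(mktemp)
    hash_tree "$2" > "$current"
    awk -F'\t' -v db="$db" '
        FILENAME == db { base[$1] = $2; next }       # first file: trusted baseline
        !($1 in base)  { print "ADDED " $1; next }   # only on the suspect disk
        base[$1] != $2 { print "MODIFIED " $1 }      # content differs from baseline
                       { delete base[$1] }           # present on both sides
        END { for (p in base) print "REMOVED " p }   # only in the baseline
    ' "$db" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# demo_report -> builds two constructed trees (a "trusted" reinstall and a
# "suspect" disk) and prints the comparison report; every file here is made up
demo_report() {
    work=$(mktemp -d)
    mkdir -p "$work/trusted/bin" "$work/trusted/etc" "$work/suspect/bin" "$work/suspect/etc"
    printf 'sshd build 2002-07-02\n' > "$work/trusted/bin/sshd"
    printf 'ls\n'                    > "$work/trusted/bin/ls"
    printf 'root:*:0:0\n'            > "$work/trusted/etc/passwd"
    printf 'sshd with extra code\n'  > "$work/suspect/bin/sshd"    # replaced binary
    printf 'root:*:0:0\n'            > "$work/suspect/etc/passwd"  # untouched
    printf 'x\n'                     > "$work/suspect/etc/.extra"  # new file; bin/ls is gone
    make_baseline "$work/trusted" "$work/baseline.db"
    compare_tree "$work/baseline.db" "$work/suspect"
    rm -rf "$work"
}

# Usage: sh this_script.sh demo   (prints ADDED / MODIFIED / REMOVED lines)
if [ "${1:-}" = "demo" ]; then demo_report; fi
```

The report is only as trustworthy as the baseline: build it on the freshly reinstalled system, store it and the comparison tooling somewhere the suspect disk cannot reach, and mount the compromised disk read-only so the comparison itself changes nothing. A real Tripwire run adds the metadata checks (owner, mode, mtime) that this hash-only version leaves out, which matters for detecting changed permissions on an otherwise identical file.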