I am teaching a class in computer forensics this fall term and want to give an assignment for students to investigate a machine that has been compromised. I would like the machine to have been compromised by me using a rootkit that includes at least some source. I have an image of a system that was compromised with t0rn, but the images are all too large to be easily used. My plan is to build a linux system using very small (about 200 MB) disks. The idea is then to rootkit this machine from another box. I'll put them on a private network so that I can be sure it was me who did the compromising. I'll then make the hard drives available on a different machine (unmounted) and let the students begin with imaging drives and go all the way through report writing. Does anyone know of a rootkit that has at least some source that would be good for this. I can build the machine from any version linux 6.0 or above. The reason for the source code is that I intend to shut down the compromised machine after deleting the source tree so that there is source code as well as binaries in the deleted space. Of course, I could be slightly insane, but that's another issue... --mark --- Mark Morrissey markemat_private Lecturer in Computer Science www.cs.pdx.edu/~markem ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 03:48:53 PDT