[snip]
> - any other recommendations? I'm pretty proficient in linux,
> but this is the first time
> I've run into a hacked box. from my past reading, I know the
> steps are to try and recover
> any data not malformed and reinstall. any other pointers?

you should try to do an offline investigation of the system, by getting an
'image' of the entire drive as soon as possible. then work off of a copy of
that image. this will allow you to work in a controlled environment, and get
the 'dirty' host back up and running.

The Coroner's Toolkit, TASK, EnCase, and NTI can help in offline analysis.
these tool suites allow you to retrieve and view the device image safely and
even view deleted data among other things...

http://www.fish.com/tct/
http://www.atstake.com/research/tools/task/

dd, EnCase, and SafeBack can yield device images.

-dave

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
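The acquire-then-work-off-a-copy step Dave describes, written out as an added shell example (not code from the original post or from any of the tools it names). It assumes GNU coreutils (dd, sha256sum), that the first argument is the device to image (in practice something like a block device, read from a system booted off trusted media), and a case directory layout (evidence.dd, working.dd, hashes.txt) that is purely this example's own convention.

```shell
#!/bin/sh
# Added example: raw-image a drive with dd, hash source and image so the copy
# can be shown to match, lock the original image, and do all work on a copy.
set -eu

hash_of() {
    # print only the hex digest of a file
    sha256sum "$1" | cut -d' ' -f1
}

acquire_image() {
    src="$1"; casedir="$2"
    mkdir -p "$casedir"
    # bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors and
    # zero-fills unreadable blocks instead of aborting or shifting offsets.
    # bs=512 matches the sector size, so sync padding never changes the size.
    dd if="$src" of="$casedir/evidence.dd" bs=512 conv=noerror,sync \
        2>"$casedir/dd.log"
    # hash both sides and record them in the case notes
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$casedir/evidence.dd")
    printf 'source  %s\nimage   %s\n' "$src_hash" "$img_hash" \
        >"$casedir/hashes.txt"
    # a mismatch means an incomplete or error-padded read: stop here
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch" >&2; return 1; }
    # analysis happens on working.dd; the original image is made read-only
    cp "$casedir/evidence.dd" "$casedir/working.dd"
    chmod 0444 "$casedir/evidence.dd"
    echo "$img_hash"
}

verify_image() {
    # later check that evidence.dd still matches the hash recorded at acquisition
    recorded=$(awk '/^image/ {print $2}' "$1/hashes.txt")
    [ "$(hash_of "$1/evidence.dd")" = "$recorded" ]
}
```

Run as `acquire_image /dev/sdX /cases/hostname` from a trusted boot environment; the tools named in the post (TASK, EnCase) are then pointed at working.dd, never at the original.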
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 15:19:37 PDT