[lug] intrusion

Bear Giles bgiles at coyotesong.com
Thu Jun 14 07:37:22 MDT 2007


Ken MacFerrin wrote:
> 1) create a read-only CD or floppy from another machine with a trusted
> set of binaries (bash, ls, dd, file, w, find, lsof, md5sum, lsmod,
> strings, etc.).
If you have a pre-prepared disc, you'll want to use statically linked 
versions of these programs. That will eliminate the possibility of a 
compromised libc screwing with the results. IIRC, we actually saw this 
on one of our intrusions, so it's a real issue.

With Debian it's not hard to set these up. You need to use apt-get to 
grab the source for the GNU tools and a few additional apps like lsof, 
then set a flag somewhere and rebuild the packages. (Sorry, I don't 
remember where the flag is located.) Unpack into a staging directory, 
then burn it to CD. Just be sure it's your path, not the usual 
/bin:/usr/bin:... .

Ubuntu would be the same, and I'm sure RedHat, Gentoo, etc. are just as 
easy.

Some additional notes:

1) this would also be a good time to write a script that automatically 
does everything else listed.

2) run it immediately (or better yet, periodically), so you know what 
'normal' looks like.

3) you could write the data to a website, not an attached USB drive.  It 
comes down to how much effort it would be to write the code vs. how much 
effort it would be to do it manually.  The latter could be pretty 
significant if you do weekly snapshots of a number of systems.
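As an added example (not part of the original post or anyone's code on the list), here is a minimal snapshot script of the kind described above. It assumes the disc of statically linked tools is mounted at /mnt/cdrom/bin and that snapshots are kept under /var/snapshots (both are assumed paths, overridable through TRUSTED and SNAPDIR). Every tool is invoked by absolute path from the disc with the environment cleared and PATH forced to the disc, each run is written to a dated file, and a later run can be diffed against a known-good baseline.

```shell
#!/bin/sh
# Added example, not from the original post. Collects the checks from the
# thread using only binaries on a read-only disc of statically linked tools.
# Assumed paths: disc mounted at /mnt/cdrom/bin, snapshots in /var/snapshots.

TRUSTED="${TRUSTED:-/mnt/cdrom/bin}"    # assumption: mount point of the trusted disc
SNAPDIR="${SNAPDIR:-/var/snapshots}"    # assumption: local snapshot store

# Run one tool from the disc with a clean environment and PATH limited to
# the disc, so nothing on the possibly-compromised host is picked up.
trusted_run() {
    tool="$1"; shift
    env -i PATH="$TRUSTED" "$TRUSTED/$tool" "$@"
}

# Warn about any tool on the disc that is dynamically linked: such a binary
# would load the host's libc, which defeats the point of the disc.
check_static() {
    rc=0
    for f in "$TRUSTED"/*; do
        [ -x "$f" ] || continue
        if trusted_run file "$f" | trusted_run grep -q 'dynamically linked'; then
            echo "WARNING: $f is dynamically linked" >&2
            rc=1
        fi
    done
    return $rc
}

# Gather the checks mentioned in the thread into one dated file and print
# its name. Note that w and lsof output is volatile between runs.
take_snapshot() {
    out="$SNAPDIR/$(trusted_run date +%Y%m%d-%H%M%S).txt"
    {
        echo "## logged-in users";    trusted_run w
        echo "## kernel modules";     trusted_run lsmod
        echo "## open files/sockets"; trusted_run lsof -n -P
        echo "## setuid files";       trusted_run find / -xdev -type f -perm -4000
        echo "## system binaries";    trusted_run find /bin /sbin /usr/bin /usr/sbin \
                                          -type f -exec "$TRUSTED/md5sum" {} +
    } > "$out" 2>&1
    echo "$out"
}

# Diff a known-good baseline against a newer snapshot; prints the changes
# and returns 1 if there are any, 0 if the two match.
compare_snapshots() {
    baseline="$1"; current="$2"
    trusted_run diff -u "$baseline" "$current"
}

# Usage: sh snapshot.sh snapshot          -> write a new dated snapshot
#        sh snapshot.sh compare OLD NEW   -> diff two snapshots
case "${1:-}" in
    snapshot) check_static || echo "continuing despite warnings" >&2; take_snapshot ;;
    compare)  compare_snapshots "$2" "$3" ;;
esac
```

Take the first snapshot right after installing the host, as the post suggests, so the baseline really is known-good; later, diff each periodic run against it and investigate anything new in the setuid list, the module list, or the checksums of the system binaries.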


