Trying to recover erased logs

[Chris Evans <chris ferret lmh ox ac uk>]

Hi,

I've had several people ask me about a comment I made in a previous post;

<quote>

Dan, firstly, if you haven't touched the compromised system much, do a
"dd" across the raw disk and grep it for log fragments. I have seen vital
erased logs recovered this way before!

</quote>

I shall try and explain a bit more!

If an attacker erases, or truncates a log, the information in it is lost
to the filesystem, but might well still be physcially on the disk,
particularly if the filesystem /var/log is on, isn't too busy.

So if you act quickly, and /var/log filesystem is quiet, some blocks that
still contain old valuable log info, might still be on the disk.

If /var/log is part of (eg.) /dev/hda1, then yuou might try

dd if=/dev/hda1 | grep "connect from"

I have seen this command executed on a system compromised through imapd.
The logs were erased, but the command picked out the ip address of the
attacker which was recorded by tcp_wrappers when he connected to exploit
the old imapd vulnerability. That information was still on the physical
disk.

Cheers
Chris