[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [linux-security] Trying to recover erased logs

From: Dave Airlie <david airlie ul ie>
To: Chris Evans <chris ferret lmh ox ac uk>
Cc: linux-security redhat com
Subject: Re: [linux-security] Trying to recover erased logs
Date: Wed, 13 May 1998 14:35:23 +0100 (IST)

Just as an aside on this subject, a system I work on had all files owned
by its web a/c rm-ed recently through a faulty cgi script someone had
uploaded, this removed the web-logs but did not cause apache to crash, so
as long as the single apache httpd process was running we were able to
grab the logs from /proc/<pid>/fd of that process, this caught the
attacking site and any other info we needed ...

Dave.

On Tue, 12 May 1998, Chris Evans wrote:

> 
> Hi,
> 
> I've had several people ask me about a comment I made in a previous post;
> 
> <quote>
> 
> Dan, firstly, if you haven't touched the compromised system much, do a
> "dd" across the raw disk and grep it for log fragments. I have seen vital
> erased logs recovered this way before!
> 
> </quote>
> 
> I shall try and explain a bit more!
> 
> If an attacker erases, or truncates a log, the information in it is lost
> to the filesystem, but might well still be physcially on the disk,
> particularly if the filesystem /var/log is on, isn't too busy.
> 
> So if you act quickly, and /var/log filesystem is quiet, some blocks that
> still contain old valuable log info, might still be on the disk.
> 
> If /var/log is part of (eg.) /dev/hda1, then yuou might try
> 
> dd if=/dev/hda1 | grep "connect from"
> 
> I have seen this command executed on a system compromised through imapd.
> The logs were erased, but the command picked out the ip address of the
> attacker which was recorded by tcp_wrappers when he connected to exploit
> the old imapd vulnerability. That information was still on the physical
> disk.
> 
> Cheers
> Chris
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe: mail -s unsubscribe test-list-request redhat com < /dev/null
> 
> 

------------ David Airlie, David Airlie ul ie,airlied skynet --------
Telecommunications Research Centre, ECE Dept, University of Limerick \
http://www.csn.ul.ie/~airlied	-- Computer Engineering Postgrad      \
--- TEL: +353-61-202695 -----------------------------------------------

References:
- Trying to recover erased logs
  - From: Chris Evans

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]