[WBEL-users] ROOTKIT checking software

Pete Stevens pete@ex-parrot.com
Thu, 11 Nov 2004 21:14:22 +0000 (GMT)


On Thu, 11 Nov 2004, Denis Croombs wrote:

> I have found some of my customers' systems have had the root password changed
> remotely by an ex-employee. I know I can do a rescue CD boot and change
> the root password to something I know, BUT I have a few questions.
>
> 1) What files record when root last logged in and from what IP address?
> 2) What files record any other activity by the same person?
> 3) What log files should be kept for handing over to the police?
> (we have informed them and they are sending someone tomorrow)
>
> 4) What else should I be doing?

I went on the SANS network security auditing course. The hard part about
involving the police is managing custody of the evidence; if you hope to
prosecute, I'd strongly suggest talking to a solicitor - the information they
gave me was some time ago and complicated about how you prove that the
evidence is admissible in court.

Secondly, expect them to cart off the original disks and possibly the whole
machine and that it might not be returned for a very long time.

You'll then need an expert witness to do the dissection who can stand up in
court and say 'I believe that person X made the modifications'.

I'd recommend the SANS network team here - they run honey pots and are well
practised and respected for their ability to dissect hacked machines and figure
out what happened to them.


Hope this helps,

Yours,

Pete Stevens

--
Pete Stevens
pete@ex-parrot.com
Virtual WBEL servers - http://www.mythic-beasts.com

    Life isn't measured by the amount of breaths you take, but by the number of
                                            moments that take your breath away.
                                                        -- seen on the internet