dean at staff.ca
Wed Jan 29 13:24:10 EST 2003
On 29 Jan 2003 at 11:45, Strosberg, Bill wrote:
> > From: Jon Earle [mailto:je_oclug at kronos.honk.org]
> > Sent: Wednesday, January 29, 2003 11:24 AM
> > To: OCLUG List
> > Subject: [oclug]Help!
> > On Sunday, my box got hit and the t0rn rootkit installed (I
> > know, I know,
> > I'd just moved the box to a new home and had not had time to
> > get firewall
> > rules installed). I figured it was as good a time as any to
> 2) Here's an idea that will not solve your current problem, but might
> be fun. Compromised systems can be fun to figure out as a learning and
> teaching exercise. Perhaps you could dd an image of the drive to a
> file, and post it up on the OCLUG server. Then, we could have a
> forensic analysis contest where people could download the image and
> determine the affected files, the original compromise used, and other
> information. Posting the results would be a very informative exercise
> for OCLUG'gers.
> We could specify that only open source tools be used, i.e. TCT etc.
> Was there an external syslog server or an external IDS running? Got
> anything other than a trashed drive?
> If this situation isn't suitable, maybe we could slap together a
> honeypot contest ...
> Idea 1: Which distro gets cracked first? (testing out of the box
> distro default configs)
> Idea 2: Honeypot 1/4 mile drag race (testing for fastest compromise)
> Idea 3: Snort log analysis to determine
> Maybe this only seems interesting to me, but let's see if others think
> it is a good idea.
> Bill Strosberg
Bill, only a CISSP could come up with that idea.... I for one love
I'm in the middle of a network security course and just getting into
playing with IDS, forensic analysis and the like. I'd love to be able
to root through a compromised system to see what I can learn.
I also like the idea of a honeypot contest... I for one would like to
see how some of the turnkey linux firewalls stand up to scrutiny.
Count me in!!
Dean Staff
Kanata, On., Canada
dean at staff.ca
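The "dd an image of the drive to a file and post it" step Bill proposes, written out as a small POSIX shell script. This is an added example, not code from the thread or from OCLUG; it assumes sh, dd and sha256sum are available, uses a constructed file in place of a real block device, and adds the one thing a shared image needs that the proposal leaves implicit: a recorded hash so anyone downloading it can check the image was not altered after it was taken.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread): image a drive with dd and
# record a SHA-256 of the image so it can be shared for analysis and
# verified on receipt. Assumes POSIX sh, dd and sha256sum.
set -eu

# image_and_hash SOURCE DEST
# Copies SOURCE block-for-block to DEST. conv=noerror,sync keeps dd going
# over unreadable sectors and pads them with zeros, so one bad block on a
# trashed drive does not abort the whole image. Then records DEST.sha256.
image_and_hash() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>/dev/null
    sha256sum "$dest" > "$dest.sha256"
}

# verify_image DEST: succeeds only if DEST still matches its recorded hash.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# demo: runs the procedure on a constructed 256 KiB "disk" (a plain file,
# not a real device) and checks that tampering with the image is detected.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.bin" bs=4096 count=64 2>/dev/null

    image_and_hash "$work/disk.bin" "$work/disk.img"
    verify_image "$work/disk.img" || return 1

    # The image must hash identically to the source it was taken from.
    [ "$(sha256sum < "$work/disk.bin")" = "$(sha256sum < "$work/disk.img")" ] || return 1

    # Flip one byte in the image: verification must now fail.
    printf 'x' | dd of="$work/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/disk.img"; then return 1; fi

    rm -rf "$work"
    return 0
}
```

On a real system the source would be the raw device (for example /dev/sdb rather than a partition) taken from a booted rescue medium with the drive never mounted read-write, and the .sha256 file would be published next to the image so every contestant starts from the same verified bytes.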