[oclug]Help!

Dean Staff dean at staff.ca
Wed Jan 29 13:24:10 EST 2003


On 29 Jan 2003 at 11:45, Strosberg, Bill wrote:

> > From: Jon Earle [mailto:je_oclug at kronos.honk.org]
> > Sent: Wednesday, January 29, 2003 11:24 AM
> > To: OCLUG List
> > Subject: [oclug]Help!
> > 
> > 
> > On Sunday, my box got hit and the t0rn rootkit installed (I know, I know,
> > I'd just moved the box to a new home and had not had time to get firewall
> > rules installed).   I figured it was as good a time as any to
> 
> Jon:
> 
<snip>

> 2) Here's an idea that will not solve your current problem, but might
> be fun. Compromised systems can be fun to figure out as a learning and
> teaching exercise.  Perhaps you could dd an image of the drive to a
> file, and post it up on the OCLUG server.  Then, we could have a
> forensic analysis contest where people could download the image and
> determine the affected files, the original compromise used, and other
> information.  Posting the results would be a very informative exercise
> for OCLUG'gers.
> 
> We could specify that only open source tools be used, i.e. TCT etc.
> 
> Was there an external syslog server or an external IDS running?  Got
> anything other than a trashed drive?
> 
> If this situation isn't suitable, maybe we could slap together a
> honeypot contest ...
> 
> Idea 1: Which distro gets cracked first? (testing out of the box
> distro default configs)
> Idea 2: Honeypot 1/4 mile drag race (testing for fastest compromise)
> Idea 3: Snort log analysis to determine compromises
> 
> Maybe this only seems interesting to me, but let's see if others think
> it is a good idea.
> 
> --
> Bill Strosberg
>

Bill, only a CISSP could come up with that idea.... I for one love 
the idea!!!!
I'm in the middle of a network security course and just getting into 
playing with IDS, forensic analysis and the like. I'd love to be able 
to route through a compromised system to see what I can learn.

I also like the idea of a honeypot contest... I for one would like to 
see how some of the turnkey Linux firewalls stand up to scrutiny.

Count me in!!
Dean
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dean Staff  Kanata On. Canada
dean at staff.ca
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
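Bill's suggestion of dd-ing the drive to an image for a forensic contest, as an added example (not code from the thread): a small POSIX shell script that copies a device to an image file and records SHA-256 hashes so the copy can be shown to match the original before anyone analyses it. It assumes GNU coreutils (dd, sha256sum) and, for the demo, a constructed sample file standing in for a real disk.

```shell
#!/bin/sh
# Forensic acquisition helper (added example, not from the OCLUG thread).
# Usage: image_and_verify /dev/sdX /path/to/evidence.img
set -u

# Sector size used for dd. conv=sync pads every short read up to bs, so bs
# MUST be the device's sector size: with a large bs (e.g. 4M) the final
# partial block gets padded and the image hash will never match the source.
SECTOR=512

# image_and_verify SRC DEST
#   Copies SRC to DEST with dd (noerror,sync keeps reading past bad sectors,
#   zero-filling them), writes the SHA-256 of source and image next to the
#   image, and returns 0 only when the two hashes agree.
image_and_verify() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs="$SECTOR" conv=noerror,sync 2>/dev/null || return 1
    # Hash the original and the copy; keep both beside the image so a
    # reviewer can re-check the chain of custody later.
    sha256sum "$src"  | awk '{print $1}' > "$dest.src.sha256"
    sha256sum "$dest" | awk '{print $1}' > "$dest.sha256"
    [ "$(cat "$dest.src.sha256")" = "$(cat "$dest.sha256")" ]
}

# Stand-alone use: ./acquire.sh SRC DEST. Analyse the image afterwards via a
# read-only loop mount (mount -o ro,loop,noexec), never the original disk.
if [ "$#" -eq 2 ]; then
    if image_and_verify "$1" "$2"; then
        echo "image verified: $2"
    else
        echo "hash mismatch or read error for $1" >&2
        exit 1
    fi
fi
```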