linux security - May 1998 - Trying to recover erased logs

Hi,

I''ve had several people ask me about a comment I made in a previous
post;

<quote>

Dan, firstly, if you haven''t touched the compromised system much, do a
"dd" across the raw disk and grep it for log fragments. I have seen
vital
erased logs recovered this way before!

</quote>

I shall try and explain a bit more!

If an attacker erases, or truncates a log, the information in it is lost
to the filesystem, but might well still be physcially on the disk,
particularly if the filesystem /var/log is on, isn''t too busy.

So if you act quickly, and /var/log filesystem is quiet, some blocks that
still contain old valuable log info, might still be on the disk.

If /var/log is part of (eg.) /dev/hda1, then yuou might try

dd if=/dev/hda1 | grep "connect from"

I have seen this command executed on a system compromised through imapd.
The logs were erased, but the command picked out the ip address of the
attacker which was recorded by tcp_wrappers when he connected to exploit
the old imapd vulnerability. That information was still on the physical
disk.

Cheers
Chris

Just as an aside on this subject, a system I work on had all files owned
by its web a/c rm-ed recently through a faulty cgi script someone had
uploaded, this removed the web-logs but did not cause apache to crash, so
as long as the single apache httpd process was running we were able to
grab the logs from /proc/<pid>/fd of that process, this caught the
attacking site and any other info we needed ...

Dave.

On Tue, 12 May 1998, Chris Evans wrote:
> 
> Hi,
> 
> I''ve had several people ask me about a comment I made in a
previous post;
> 
> <quote>
> 
> Dan, firstly, if you haven''t touched the compromised system much,
do a
> "dd" across the raw disk and grep it for log fragments. I have
seen vital
> erased logs recovered this way before!
> 
> </quote>
> 
> I shall try and explain a bit more!
> 
> If an attacker erases, or truncates a log, the information in it is lost
> to the filesystem, but might well still be physcially on the disk,
> particularly if the filesystem /var/log is on, isn''t too busy.
> 
> So if you act quickly, and /var/log filesystem is quiet, some blocks that
> still contain old valuable log info, might still be on the disk.
> 
> If /var/log is part of (eg.) /dev/hda1, then yuou might try
> 
> dd if=/dev/hda1 | grep "connect from"
> 
> I have seen this command executed on a system compromised through imapd.
> The logs were erased, but the command picked out the ip address of the
> attacker which was recorded by tcp_wrappers when he connected to exploit
> the old imapd vulnerability. That information was still on the physical
> disk.
> 
> Cheers
> Chris
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe: mail -s unsubscribe test-list-request@redhat.com <
/dev/null
> 
> 
------------ David Airlie, David.Airlie@ul.ie,airlied@skynet --------
Telecommunications Research Centre, ECE Dept, University of Limerick \
http://www.csn.ul.ie/~airlied	-- Computer Engineering Postgrad      \
--- TEL: +353-61-202695 -----------------------------------------------