Re: [Full-disclosure] Linux - Indicators of compromise

[Benji <me@xxxxxxxxx>]

" All compromised systems talk to the Internet to dump data or route spam."

yup, this is 1000% true and utterly foolproof.


On Mon, Jul 16, 2012 at 2:48 PM, Gary Baribault <gary@xxxxxxxxxxxxx> wrote:
> I suggest one of the first answers was the good one, intercept the traffic
> routed to the internet with TCPDump. Filter out the normal traffic and see
> what's left. All compromised systems talk to the Internet to dump data or
> route spam. Be patient, some systems talk all the time, some once an hour ..
> but you will find some unexplained traffic. Once you do find that you're
> infected, don't bother cleaning up the system, format and restore the data!
>
> Gary Baribault
> Courriel: gary@xxxxxxxxxxxxx
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 07/16/2012 09:40 AM, valdis.kletnieks@xxxxxx wrote:
>
> On Sat, 14 Jul 2012 12:46:50 -0000, "Ali Varshovi " said:
>
> Most of the materials I've seen are more aligned to malware and rootkit
> detection which is not the only concern apparently.
>
> It's hard to say what else to check without knowing what other concerns
> you're checking for, and what data sources are available (I'm thinking about
> auditd and friends, but there's other data sources as well).
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/