Security Basics
mailing list archives
Re: tools to run on compromised linux box
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 7 Aug 2008 15:12:06 +0200
On 2008-08-07 Murda Mcloud wrote:
> Nikhil's suggestion of booting to another OS to do the investigation
> is an important choice - otherwise you run the risk of further infection
> or destroying potential evidence by writing over files that could be
> recovered.
You'll run that risk one way or the other. If you do forensics on the
live system, the malware may become aware of what you're doing and try
to wipe its trails. If you cut the power you may lose volatile data
(from the RAM). However, if you have Firewire enabled on the machine in
question, you can dump the contents of the RAM before cutting the power.
BTW, never do a "normal" shutdown on an infected machine, as that may
erase evidence, either by the system overwriting/deleting something, or
by the malware doing some "cleanup".
Another suggestion would be to image the compromised box. Then you can
take your time. Adepto on the Helix cd is great for this kind of op.
That should always be the first step after powering the machine off.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
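The imaging step the reply recommends (a dd-style copy such as Adepto on Helix makes, read-only from the source, with the hash recorded before any analysis starts) is sketched below as an added example; it is not part of the original post or of the Helix/Adepto tools. It copies a source chunk by chunk, zero-fills any chunk it cannot read so offsets in the image stay intact (the effect of dd's conv=noerror,sync), records the SHA-256 of the image as written, and re-hashes the file afterwards to confirm it has not changed. The chunk size, the function names and the simulate_bad_offsets hook (which stands in for an unreadable sector on a constructed 3-chunk "disk") are assumptions made for this example.

```python
import hashlib
import os
import tempfile

# Read size for the copy. Assumption for this example; real imaging tools
# use the device's sector size (typically 512 or 4096 bytes).
CHUNK = 4096


def image_source(src_path, dst_path, chunk=CHUNK, simulate_bad_offsets=()):
    """Copy src_path to dst_path chunk by chunk, opening the source read-only.

    A chunk that cannot be read is replaced by zeros so every later byte keeps
    its original offset (the behaviour of dd conv=noerror,sync). Returns the
    image size, the offsets that could not be read and the SHA-256 of the image
    as written, so the hash is on record before anything touches the copy.
    simulate_bad_offsets is a demo-only hook: reads at those offsets raise
    OSError, standing in for an unreadable sector.
    """
    bad_offsets = []
    digest = hashlib.sha256()
    written = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        offset = 0
        while True:
            try:
                if offset in simulate_bad_offsets:
                    raise OSError("simulated read error")
                data = src.read(chunk)
            except OSError:
                bad_offsets.append(offset)
                # Skip past the unreadable region and pad the image with zeros.
                src.seek(offset + chunk)
                data = b"\x00" * chunk
            if not data:
                break
            dst.write(data)
            digest.update(data)
            written += len(data)
            offset += chunk
    return {"size": written, "bad_offsets": bad_offsets, "sha256": digest.hexdigest()}


def verify_image(image_path, recorded_sha256, chunk=CHUNK):
    """Re-hash the image and compare with the hash recorded at imaging time."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == recorded_sha256


def demo():
    """Constructed input: a three-chunk 'disk' whose middle chunk is unreadable."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "disk.bin")
    img = os.path.join(workdir, "disk.img")
    with open(src, "wb") as f:
        f.write(b"A" * CHUNK + b"B" * CHUNK + b"C" * CHUNK)
    report = image_source(src, img, simulate_bad_offsets={CHUNK})
    intact = verify_image(img, report["sha256"])
    with open(img, "rb") as f:
        middle = f.read()[CHUNK:2 * CHUNK]
    return report, intact, middle


if __name__ == "__main__":
    report, intact, middle = demo()
    print("image size:", report["size"], "bytes")
    print("unreadable offsets:", report["bad_offsets"])
    print("sha256:", report["sha256"])
    print("image verifies:", intact)
    print("bad chunk zero-filled:", middle == b"\x00" * CHUNK)
```

The recorded hash is what makes the "take your time" part of the reply safe: every later tool run is against the copy, and re-running verify_image shows whether the copy is still the one that was taken. In practice the source would be the block device itself (opened read-only, ideally behind a write blocker) and the image written to separate media.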