ADMIN - Explore the new world of system administration! ADMIN is a smart, technical magazine for IT pros on heterogeneous networks. Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:
network security
system management
troubleshooting
performance tuning
virtualization
cloud computing
on Windows, Linux, Solaris, and popular varieties of Unix.
When attackers strike your system, you need to determine exactly what damage has been done. Here are some tools to help.
Typically, when the term “data rescue” is mentioned, failed RAID arrays, accidentally deleted files, and corrupted backups come to mind. But, what happens when a break-in occurs and you need to find out how the attacker got in and how much damage has been done?
If you’re lucky (relatively speaking), the attacker will make changes to the filesystem. For example, in the recent kernel.org security breach, the OpenSSH binaries were replaced with ones that would log usernames, passwords, and keys, allowing the attacker to access additional systems. In theory, tools like AIDE or Tripwire should catch these modifications, but in practice this doesn’t always work.
Comments