
Re: An utility or whatever that can monitor/log all the activities in OS of the compromised machine



On Wed, Jun 03, 2009 at 12:11:32AM +0700, Sthu Deus wrote:
> Good day.
> 
> Is there a utility or whatever that can monitor/log all the activities in the OS
> of the compromised machine to investigate the situation?
> 
> And, what is more important - could You share Your experience on how to
> illuminate from whence the criminal got its root privileges?

In a manner that root cannot rewrite?

Please state your assumptions here.

(A reliable remote logging server?)

> 
> Is it possible to log net activities through iptables? - I did try LOG target
> but w/ no success.

And you assume root cannot alter those rules?

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
ICQ# 16849754         |                    | friend

