Incident Response Script - Security

This is a discussion on Incident Response Script - Security ; When I turn up at a compromised system, there is always pressure (usually from the network guys) to pull the plug immediately. I'd like to get a picture of the system (netstat, ps, who, lsof ...) quickly. Could you recommend ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: Incident Response Script

  1. Incident Response Script

    When I turn up at a compromised system, there is always pressure
    (usually from the network guys) to pull the plug immediately.

    I'd like to get a picture of the system (netstat, ps, who, lsof ...)
    quickly. Could you recommend a suitable script that can be used as a
    start to tailoring it for myself?

    Thanks,
    Svejk


  2. Re: Incident Response Script

    On Mon, 17 Dec 2007 15:19:29 +0000, Svejk wrote:
    > When I turn up at a compromised system, there is always pressure
    > (usually from the network guys) to pull the plug immediately.


    All you need is to pull the network plug. Pull the power plug later.

    > I'd like to get a picture of the system (netstat, ps, who, lsof ...)
    > quickly. Could you recommend a suitable script that can be used as a
    > start to tailoring it for myself?


    Hehehe,

    cmd1 args > /somewhere/cmd1.rpt
    cmd2 args > /somewhere/cmd2.rpt

  3. Re: Incident Response Script

    On 2007-12-17 16:50:30 +0000, Bit Twister said:

    > On Mon, 17 Dec 2007 15:19:29 +0000, Svejk wrote:
    >> When I turn up at a compromised system, there is always pressure
    >> (usually from the network guys) to pull the plug immediately.

    >
    > All you need is to pull the network plug. Pull the power plug later.


    I'd rather even do it before that.

    >
    >> I'd like to get a picture of the system (netstat, ps, who, lsof ...)
    >> quickly. Could you recommend a suitable script that can be used as a
    >> start to tailoring it for myself?

    >
    > Hehehe,
    >
    > cmd1 args > /somewhere/cmd1.rpt
    > cmd2 args > /somewhere/cmd2.rpt
    > .
    > .
    > .
    > cmdx args > /somewhere/cmdx.rpt


    Yes, and assuming cmd1..cmdx can be trusted. etc.

    And the odds are one command's syntax on one system won't work on
    another etc - it's potentially a lot of work. Just wondered whether
    anyone had already got one they could share.



  4. Re: Incident Response Script

    On Mon, 17 Dec 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <2007121721083550073-thegoodsoldiersvejkREMOVE@gmailcom>, Svejk wrote:

    >Bit Twister said:


    >>Svejk wrote:


    >>> When I turn up at a compromised system, there is always pressure
    >>> (usually from the network guys) to pull the plug immediately.

    >>
    >> All you need is to pull the network plug. Pull the power plug later.

    >
    >I'd rather even do it before that.


    There is no single answer. For example, the system _could_ be running
    a watch-dog type of program that "checks the mail" (sees if the network
    is alive and well - _POSSIBLY_ by sending a packet of _some_ kind to a
    remote host just to see that the connection is there, and if not, that
    application hits the big Red Button). The only acceptable action would
    be to kill power so that the poison pill doesn't have time to react.
    At the other extreme, the malware could be memory resident ONLY, and
    yanking power will destroy any evidence. Damned if you do, damned if
    you don't. So, what it _your_ threat model? What are you expecting?

    >>> I'd like to get a picture of the system (netstat, ps, who, lsof ...)
    >>> quickly. Could you recommend a suitable script that can be used as a
    >>> start to tailoring it for myself?

    >>
    >> Hehehe,


    No, I can see where he's coming from, and it's not quite that simple.

    >> cmd1 args > /somewhere/cmd1.rpt
    >> cmd2 args > /somewhere/cmd2.rpt
    >> .
    >> .
    >> .
    >> cmdx args > /somewhere/cmdx.rpt

    >
    >Yes, and assuming cmd1..cmdx can be trusted. etc.


    Big ball of tar, and no easy way out of it. Your best bet might be to
    have a Read/Write media that you can trivially mount (problem - there
    may be a poison pill running that detects a root OR EQUIVALENT login,
    or su/sudo action and bang goes the ball game) that contains the needed
    commands, but even that may not work in the presence of a co-opted kernel.
    The best solution may still be yanking the power, moving the disk[s] to a
    trusted box, and mounting them R/O.

    >And the odds are one command's syntax on one system won't work on
    >another etc - it's potentially a lot of work. Just wondered whether
    >anyone had already got one they could share.


    How many types of systems are you working with? I see your headers
    imply OSX 10.3.9, and you're posting to a Linux newsgroup, so you
    would PROBABLY want to have O/S specific scripts. It's bad enough
    within an operating system like Linux, where there are multiple
    distributions (each knowing the "right" way to do things, unlike
    those "other" guys). This not only implies a different set of
    options to some commands (I support BSD and SysV systems, and run
    into this problem constantly), but you MAY also run into stuff
    being located in different directories and needing different tools
    to access information. I'm ignoring the whizzy GUI crap that is
    usually not only distribution specific, but may even vary from
    release to release. You must work at the command line level.

    A bit dated, but you might want to search for something called "The
    Coroner's Toolkit" from Dan Farmer & Wietse Venema. I'm sure those
    names may ring a bell.

    The Coroner's Toolkit (TCT) - a Brief Introduction

    TCT is a collection of tools - some large, some small, some in perl,
    some in C - that are all either oriented towards gathering or analyzing
    forensic data on a Unix system.

    Web Results 1 - 10 of about 9,090 for "The Coroner's Toolkit". (0.19
    seconds)

    First hit is 'www.porcupine.org/forensics/tct.html'. The tct-1.18.tar.gz
    is about 318k. That may give you food for thought.

    Old guy

  5. Re: Incident Response Script

    On Dec 17, 1:19 pm, Svejk wrote:
    > When I turn up at a compromised system, there is always pressure
    > (usually from the network guys) to pull the plug immediately.
    >
    > I'd like to get a picture of the system (netstat, ps, who, lsof ...)
    > quickly. Could you recommend a suitable script that can be used as a
    > start to tailoring it for myself?
    >
    > Thanks,
    > Svejk


    Hi, I am a honeypot's administrator.
    If you think you have total control of the situation, try to use some
    forensic linux distributions. There's a lot of them and most of it are
    live cd's.

    I don't recommend playing with a compromised machine in a production
    environment. I am talking about leaving the machine connected and all
    this crap. You may disconnect it and have a lot of information about
    the incident, like filesystem, process, memory, etc..

+ Reply to Thread