Date: Tue, 12 May 1998 17:32:00 +0100 (BST)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
To: linux-security@redhat.com
Subject: [linux-security] Trying to recover erased logs

Hi,

I've had several people ask me about a comment I made in a previous post;

<quote>
Dan, firstly, if you haven't touched the compromised system much, do a "dd" across the raw disk and grep it for log fragments. I have seen vital erased logs recovered this way before!
</quote>

I shall try and explain a bit more!

If an attacker erases, or truncates, a log, the information in it is lost to the filesystem, but might well still be physically on the disk, particularly if the filesystem /var/log is on isn't too busy. So if you act quickly, and the /var/log filesystem is quiet, some blocks that still contain old valuable log info might still be on the disk.

If /var/log is part of (e.g.) /dev/hda1, then you might try

    dd if=/dev/hda1 | grep "connect from"

I have seen this command executed on a system compromised through imapd. The logs were erased, but the command picked out the IP address of the attacker, which was recorded by tcp_wrappers when he connected to exploit the old imapd vulnerability. That information was still on the physical disk.

Cheers
Chris

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
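The carving step described in the post, written out as an added example (this is not Chris Evans' code, and not part of the original message). It does what `dd if=/dev/hda1 | grep "connect from"` does, but reads the device in chunks with an overlap so a log line that straddles a read boundary is still found, and it reports the byte offset of every hit so the surrounding block can be dumped for closer inspection. The 12 KiB "partition" it scans is constructed in memory: the host name `ferret`, the process ids and the addresses (taken from the documentation ranges) are all made up for the demonstration.

```python
"""Carve log fragments out of a raw partition image.

Added example, not code from the original post. Reads a device or image in
chunks, carries an overlap across reads so a line crossing a boundary is not
missed, and yields (absolute_offset, line) for every printable run that
contains the needle. The sample image at the bottom is constructed.
"""
import io
import sys
from typing import BinaryIO, Iterator, List, Tuple

TEXT = frozenset(range(0x20, 0x7F)) | {0x09}   # printable ASCII plus tab
MAX_LINE = 1 << 16                              # give up deferring runs longer than this


def extend(buf: bytes, start: int, end: int) -> Tuple[int, int]:
    """Grow [start, end) outward over printable bytes to recover the whole line."""
    while start > 0 and buf[start - 1] in TEXT:
        start -= 1
    while end < len(buf) and buf[end] in TEXT:
        end += 1
    return start, end


def carve(stream: BinaryIO, needle: bytes, chunk: int = 1 << 20,
          overlap: int = 4096) -> Iterator[Tuple[int, bytes]]:
    """Yield (absolute_offset, line) for every printable run containing needle.

    `overlap` bytes are carried from one read to the next, so it should be at
    least as long as the longest log line you expect. A line that reaches the
    end of the buffer is deferred until the next chunk has been appended, so
    an IP address cut by a read boundary comes back whole.
    """
    base = 0            # absolute offset of buf[0]
    buf = b""
    seen = set()        # offsets already reported (a hit can sit in the overlap twice)
    eof = False
    while not eof:
        data = stream.read(chunk)
        if not data:
            eof = True
        buf += data
        keep_from = max(len(buf) - overlap, 0)
        pos = 0
        while True:
            i = buf.find(needle, pos)
            if i < 0:
                break
            s, e = extend(buf, i, i + len(needle))
            if e == len(buf) and not eof and e - s < MAX_LINE:
                # the line may continue into the next chunk: keep it and retry
                keep_from = min(keep_from, s)
                break
            off = base + s
            if off not in seen:
                seen.add(off)
                yield off, buf[s:e]
            pos = e
        base += keep_from
        buf = buf[keep_from:]


def build_sample_image() -> bytes:
    """Constructed 12 KiB 'partition': zero/0xff filler plus a few orphaned syslog lines.

    Offsets are chosen so that, with chunk=4096, the second line crosses a read
    boundary before its needle and the third is cut in the middle of the address.
    """
    img = bytearray(12288)
    img[1100:3800] = b"\xff" * 2700          # non-text slack
    lines = {                                # all values constructed
        1000: b"May 12 17:02:11 ferret in.imapd[2214]: connect from 192.0.2.77\n",
        4060: b"May 12 17:02:15 ferret in.imapd[2214]: connect from 198.51.100.9\n",
        8136: b"May 12 17:09:40 ferret in.imapd[2300]: connect from 203.0.113.4\n",
        9000: b"May 12 17:10:02 ferret sshd[2350]: Accepted password for chris\n",
    }
    for off, line in lines.items():
        img[off:off + len(line)] = line
    return bytes(img)


def recover(image: bytes, needle: bytes = b"connect from",
            chunk: int = 4096, overlap: int = 256) -> List[Tuple[int, str]]:
    """Carve an in-memory image; returns [(offset, line)] with lines decoded as text."""
    return [(off, line.decode("ascii", "replace"))
            for off, line in carve(io.BytesIO(image), needle, chunk, overlap)]


if __name__ == "__main__":
    # With a path argument, scan that image; otherwise run over the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as dev:
            for off, line in carve(dev, b"connect from"):
                print(f"{off:#012x}  {line.decode('ascii', 'replace')}")
    else:
        for off, line in recover(build_sample_image()):
            print(f"{off:#012x}  {line}")
```

Two practical notes. Modern GNU grep treats a stream containing NUL bytes as binary and prints only "Binary file (standard input) matches" unless given `-a`, so the one-liner in the post is `dd if=/dev/hda1 | grep -a "connect from"` on a current system. And the script above takes an image path as easily as a device node: imaging the partition first (`dd` to a file on another disk) and carving the copy means every subsequent write to the compromised system cannot overwrite the blocks you are still hoping to read.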