Commit afed4406 authored by Heiko Reese

parent a3102503
......@@ -20,7 +20,7 @@ Merely looking at the file (`cat /etc/mtab`) changes the access time of `/etc`.
You may push your findings directly onto the network, thus preventing/minimizing
changes to the local filesystems. This only works if the compromized machine is
still able to connect to your server.
still able to make outgoing connections to the destination server .
Open a listener on your server:
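Review bot: The replacement line `still able to make outgoing connections to the destination server .` has a stray space before the full stop; write `destination server.` so the rendered sentence is clean. While touching this paragraph, the unchanged context line still spells `compromized`; `compromised` is the usual spelling and could be fixed in the same change.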
......@@ -55,6 +55,10 @@ Use `dd` to transfer whole blockdevices:
dd if=/dev/sdx23 | nc…
Using [fuse sshfs]( is discouraged for
two reasons. First, it touches lots of files ($HOME/.ssh/*, /etc). And more
importantly: attackers often change the ssh binaries to intercept passwords.
### Collecting data on local storage
If you decide to collect your findings locally, please refrain from using
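Review bot: The Markdown link `[fuse sshfs](` on the first added line has no target and no closing parenthesis, so it renders as literal text; supply the URL for the sshfs project (or drop the link syntax and keep plain `fuse sshfs`). The warning itself is well placed: mounting the evidence target through a possibly trojaned `ssh` client on the compromised host hands the attacker the credentials for the collection server, which is exactly the reason the earlier paragraphs prefer a plain `nc` push.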
......@@ -228,6 +232,36 @@ Stop the process:
kill -STOP ${PID}
TODO: Add cgroups-freezer-variant and discuss it (freezer blocks gdb/gcore).
Preserve original location of executable (plus a broken symlink of file was deleted) and the contents:
ls -l /proc/${PID}/ > proc_${PID}_ls_l.txt
cat /proc/${PID}/exe > proc_${PID}_exe
Create a coredump to preserve the process memory:
gdb -nh -batch -ex gcore -p ${PID}
We have not found a way to dump the cores directly into an unnamed pipe and out
into the net. There's a workaround using a named pipe, but you have to find
a good place to put it. We recommend using a tmpfs (either existing or create
a new one for this). As a bonus, this enables us to compress the coredump using
whatever compression software we have available:
# change path accordingly
mkfifo ${MYFIFO}
# either run this command in the background (append &) or in another shell
cat ${MYFIFO} | [gzip|bzip2|xz|lzop] -c > core.${PID}
gdb -nh -batch -ex "gcore ${MYFIFO}" -p ${PID}
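Review bot: The final pipeline `cat ${MYFIFO} | [gzip|bzip2|xz|lzop] -c > core.${PID}` writes the compressed core to a regular file in the current directory, which reintroduces the local write the named-pipe workaround was meant to avoid; either redirect the compressor into the network channel used earlier in the document (`... | gzip -c | nc ...`) or state explicitly that the current directory must also be on the tmpfs. Smaller points in the same hunk: `[gzip|bzip2|xz|lzop]` is not shell syntax and will fail if pasted, so pick one (`gzip -c`) and mention the alternatives in prose; `${MYFIFO}` is never assigned, so `# change path accordingly` should be followed by something like `MYFIFO=/path/on/tmpfs/core.fifo`; the prose line reads `plus a broken symlink of file was deleted` and should be `if the file was deleted`; and it is worth adding a check that the reconstituted dump is a valid ELF core (for example `file core.${PID}` after decompression), since `gcore` writing into a FIFO is the non-standard part of this procedure. The `TODO` about the cgroup freezer is fine to leave, but it should probably be an issue rather than committed documentation text.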