
I've asked this same question on Super User but I didn't have that much success. I'd like to learn more about forensic analysis, and I'm doing the challenges from Project Honeynet. I need to check the logfiles and see the IPs that connected remotely to a computer. I have a dd image of the hard drive, and the only service that was running was Apache. Besides Apache's logs, what other logfiles should I look into to see who connected to the computer? I'm only interested in remote connections. As for the Linux system, we can consider it generic, with a 2.4 kernel.

Geo
    Related, but a side note: you can't trust anything on a system that is broken into. It should be logging everything to a remote system... – Bart Silverstrim Nov 13 '09 at 12:37

2 Answers


Everything: auth, syslog, messages, .bash_history, last, utmp, wtmp, cron logs, /tmp. That's just a start really, because an attacker with root privs can alter anything (and probably did), so you have to find a place that was forgotten.

neoice
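Most of the sources in this answer are plain text, but utmp and wtmp are binary and `last` is just a reader for them. The following is an added example, not code from the answer or from any of the tools it names: a small Python parser for the glibc `struct utmp` layout (384-byte records, 32-bit time fields) that can be pointed at `/var/log/wtmp` pulled from the mounted dd image. It assumes that layout, which is the one a 2.4-kernel-era glibc system writes; the sample records, IP addresses (documentation ranges) and timestamps are constructed here. It extracts only the remote logins (records with a host or address set) and also counts fully zeroed records, since a wtmp written by the system is append-only and a blanked record in the middle of the file is worth a second look given the point above about altered logs.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86 Linux: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4] read as 16 raw bytes, 20 unused bytes. Assumption: the image's
# wtmp uses this 384-byte layout (true for the usual 32-bit-time glibc builds).
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Return one dict per complete record; a truncated trailing record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        addr = f[11]
        records.append({
            "type": f[0],
            "pid": f[1],
            "line": _cstr(f[2]),
            "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
            # IPv4 lives in the first 4 bytes of ut_addr_v6, network byte order
            "ipv4": socket.inet_ntoa(addr[:4]) if any(addr[:4]) else "",
        })
    return records


def remote_logins(data):
    """Login records that came from somewhere other than the local console."""
    return [r for r in parse_wtmp(data)
            if r["type"] == USER_PROCESS and (r["host"] or r["ipv4"])]


def remote_sources(data):
    """Distinct remote sources, preferring the binary address over the host string."""
    return sorted({r["ipv4"] or r["host"] for r in remote_logins(data)})


def empty_records(data):
    """Count records whose ut_type is EMPTY; clusters of these are anomalous."""
    return sum(1 for r in parse_wtmp(data) if r["type"] == EMPTY)


def make_record(ut_type, pid, line, ident, user, host, tv_sec, ipv4=""):
    """Build one record; used only to construct the sample data below."""
    addr = (socket.inet_aton(ipv4) + b"\0" * 12) if ipv4 else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       addr, b"\0" * 20)


# Constructed sample wtmp: a boot marker, one remote root login and logout,
# a local console login, a zeroed record and a second remote root login.
_T0 = 1257000000  # 2009-10-31 14:40:00 UTC, constructed
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.4.20", _T0),
    make_record(USER_PROCESS, 1123, "pts/0", "ts/0", "root", "198.51.100.23",
                _T0 + 600, "198.51.100.23"),
    make_record(USER_PROCESS, 1140, "tty1", "1", "alice", "", _T0 + 900),
    make_record(DEAD_PROCESS, 1123, "pts/0", "ts/0", "", "", _T0 + 1800),
    b"\0" * UTMP_SIZE,
    make_record(USER_PROCESS, 1201, "pts/1", "ts/1", "root", "203.0.113.7",
                _T0 + 3600, "203.0.113.7"),
])


if __name__ == "__main__":
    # Against a real image you would read e.g. /mnt/evidence/var/log/wtmp
    # (hypothetical mount point) instead of SAMPLE_WTMP.
    for r in remote_logins(SAMPLE_WTMP):
        print(r["time"].isoformat(), r["user"], r["line"], r["host"], r["ipv4"])
    print("sources:", remote_sources(SAMPLE_WTMP))
    print("empty records:", empty_records(SAMPLE_WTMP))
```

Run the same parser over `/var/run/utmp` and any rotated `wtmp.1` from the image as well, and compare the result with what `last` prints when run against the file with `-f`; a mismatch between the two, or a record count that does not line up with the logins visible in the Apache and auth logs, is itself a finding.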

I agree with neoice and Bart.

Also, maybe check if any file-alteration monitoring tool (or rootkit monitoring tool) was installed (examples include, but aren't limited to: samhain, tripwire, rkhunter). samhain/tripwire could give you the list of modified files, and rootkit hunter could show you not only suspected rootkits, but also other problematic areas. Actually, you may even want to run your rootkit hunter in a chroot to that disk image...

chronos
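If no samhain or tripwire database exists on the image, the same idea can be applied by hand: hash every regular file in the mounted image and diff the result against a manifest taken from a trusted source (clean install media or a known-good package set), never against data read from the compromised disk itself, for the reason Bart gives in the comment above. The following is an added example, not code from this answer or from any of the tools it mentions; the directory tree, file contents and the "baseline then tamper" sequence in `demo()` are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every regular file under root (path relative to root) to its SHA-256.
    Symlinks are skipped so a link to a device or a huge file is not followed."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def compare(baseline, current):
    """Tripwire-style report: changed, new and missing paths relative to baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: take a baseline of a tiny tree, then replace one
    binary, drop a hidden file under tmp and delete another binary."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls\n")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original ps\n")
        baseline = hash_tree(root)  # in practice: from trusted media, not the image

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls\n")
        with open(os.path.join(root, "tmp", ".x"), "wb") as f:
            f.write(b"dropped file\n")
        os.remove(os.path.join(root, "bin", "ps"))
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    # Against a real case: compare(load_trusted_manifest(), hash_tree("/mnt/evidence"))
    # where both names are hypothetical.
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Mount the image read-only (and with `noexec,nodev`) before walking it, and keep the manifest of the evidence copy alongside the dd image's own hash so the comparison can be reproduced later.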