Security Portal: Ask Buffy - Mysterious Files In Linux /tmp Directory and Log Analyzer for Firewall
Mar 08, 2001, 06:29
(Other stories by Buffy)
"I found on one of our machines (Linux) in the /tmp directory a folder called 'kokainkit' with the following files/directories (someone obviously forgot to delete them...)"
"All I could find on the Web tells me this is a Trojan (knark installs a hidden module), but what should I do now? I disconnected the machine from the network. Is there a way to unhide the hidden files? How did the attacker get in? (The machine was behind a screening firewall.) Are there security professionals who would be interested in the code to analyze?..."
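The column's answer is not reproduced on this page. As an added example (mine, not the column's, not knark's and not taken from any rootkit checker), here are two userland cross-checks for the kind of hiding the question describes: a directory whose hard-link count says it has more subdirectories than readdir will show, and a process that answers kill(pid, 0) but is missing from the /proc listing. The only assumptions are a Linux /proc and the question's own description of the kit (an LKM hiding files and processes); the scratch directory and the injected PID sets in the self-checks are constructed. Caveat a practitioner would add: a module that hooks stat, getdents and kill consistently will fool both checks, so a clean result is weak evidence, and the real work belongs on a disk image examined from known-good media.

```python
"""Userland cross-checks for files and processes a kernel rootkit hides.

Added example written for this page; not code from the Ask Buffy column,
from knark or from any rootkit checker. Assumes only a Linux /proc and the
question's description of the kit (an LKM that hides entries and PIDs).
"""
import os
import shutil
import tempfile


def hidden_subdir_count(path):
    """Subdirectories the filesystem counts but readdir does not show.

    A directory's hard-link count is 2 plus its number of subdirectories
    (each child's ".." links back). If the listing has fewer subdirectories
    than the link count implies, entries are hidden from getdents but not
    from stat. Returns the shortfall, or None when the filesystem does not
    maintain directory link counts (btrfs and overlayfs report 1 for every
    directory, which makes the check meaningless there).
    """
    nlink = os.stat(path).st_nlink
    if nlink < 2:
        return None
    listed = 0
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isdir(full) and not os.path.islink(full):
            listed += 1
    return nlink - 2 - listed


def selfcheck_tempdir(n=3):
    """Constructed scratch directory with n subdirs; expect 0 (or None)."""
    d = tempfile.mkdtemp()
    for i in range(n):
        os.mkdir(os.path.join(d, f"sub{i}"))
    try:
        return hidden_subdir_count(d)
    finally:
        shutil.rmtree(d)


def _proc_pids():
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def _kill_probe(pid):
    """True if the kernel admits the PID exists, even if we may not signal it."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def _tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if it is unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed=None, probe=None, tgid=None, max_pid=None):
    """PIDs that answer kill(pid, 0) but are absent from the /proc listing.

    Threads also answer kill() and are never listed in /proc, so a PID whose
    Tgid differs from itself is a thread, not a hidden process. A process
    that exits between the listing and the probe can show up once; run the
    check twice and trust only PIDs reported both times. The three callables
    are injectable so the logic can be exercised offline with constructed sets.
    """
    listed = _proc_pids() if listed is None else listed
    probe = _kill_probe if probe is None else probe
    tgid = _tgid if tgid is None else tgid
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = []
    for pid in range(1, max_pid + 1):
        if pid in listed or not probe(pid):
            continue
        tg = tgid(pid)
        if tg is None or tg == pid:  # status hidden too, or a real process
            found.append(pid)
    return found


if __name__ == "__main__":
    for d in ("/tmp", "/", "/usr"):
        print(d, "hidden subdirs:", hidden_subdir_count(d))
    print("hidden pids:", hidden_pids())
```

Run it from a statically linked Python or a rescue medium if you can; a kit that also replaces the Python binary or libc is outside what this can see.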
"I'm looking for a tool that would allow me to read firewall logs for investigation purposes (i.e., user John was connected to www.ishouldn'tbehere.com, time and date and so on). I tried WebTrends' log analyzer and firewall, but they do not provide the reporting that I'm looking for. Do you have any other suggestions?..."
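No reporting tool is named on this page. As an added example (mine, not the column's and not WebTrends' analyzer), the following turns a Linux netfilter LOG syslog into the "user John connected to host X at time T" view the question asks for. It assumes the kernel LOG target's key=value line format, a caller-supplied year (syslog lines carry none), and a hypothetical IP_TO_USER table built from DHCP leases or login records: a packet-filter log never contains a username by itself, which is the usual reason generic analyzers cannot produce this report, and an authenticating proxy log is the better source when one exists. The sample lines are constructed, not a real capture.

```python
"""Per-user connection report from a Linux netfilter (iptables LOG) syslog.

Added example for this page; not code from the column or from WebTrends.
Assumes the kernel LOG target's key=value format and a hypothetical
IP-to-user table (IP_TO_USER) maintained from DHCP or login records.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
Mar  8 06:29:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=80 SYN URGP=0
Mar  8 06:29:03 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=198.51.100.4 PROTO=TCP SPT=4010 DPT=443 SYN URGP=0
Mar  8 06:30:12 fw kernel: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=1234 DPT=23 SYN URGP=0
Mar  8 06:31:45 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=80 SYN URGP=0
Mar  8 06:32:00 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=3457 DPT=80 ACK URGP=0
"""

IP_TO_USER = {"10.0.0.5": "john", "10.0.0.7": "mary"}  # hypothetical mapping

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"\b(\w+)=(\S*)")


def parse_line(line, year):
    """One syslog line -> record dict, or None for lines that are not LOG records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    if "SRC" not in fields or "DST" not in fields:
        return None
    tokens = rest.split()
    flags = {t for t in tokens if t.isupper() and "=" not in t}  # SYN, ACK, prefix
    ts = " ".join(m.group("ts").split())  # "Mar  8" -> "Mar 8"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    proto = fields.get("PROTO", "")
    return {
        "time": when,
        "action": tokens[0] if "=" not in tokens[0] else "",  # --log-prefix, if any
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": proto,
        "dport": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        # First packet of a TCP connection; every datagram counts for other protocols.
        "new": proto != "TCP" or ("SYN" in flags and "ACK" not in flags),
        "user": IP_TO_USER.get(fields["SRC"], "unmapped"),
    }


def connections(log_text, year=2001, new_only=True):
    """All LOG records in the text; by default only connection openings."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec and (rec["new"] or not new_only):
            records.append(rec)
    return records


def report_for_user(log_text, user, year=2001):
    """(time, destination, port) for every connection the named user opened."""
    return [(r["time"].strftime("%Y-%m-%d %H:%M:%S"), r["dst"], r["dport"])
            for r in connections(log_text, year) if r["user"] == user]


def summarize(log_text, year=2001):
    """user -> Counter of (destination, port): the quick who-went-where view."""
    out = defaultdict(Counter)
    for r in connections(log_text, year):
        out[r["user"]][(r["dst"], r["dport"])] += 1
    return out


if __name__ == "__main__":
    for user, dests in sorted(summarize(SAMPLE_LOG).items()):
        for (dst, port), n in dests.most_common():
            print(f"{user:10} {dst:16} port {port!s:5} x{n}")
    for row in report_for_user(SAMPLE_LOG, "john"):
        print(*row)
```

Feed it the real file with `connections(open("/var/log/messages").read(), year=2001)`; the new-connection filter keeps the count per (user, destination) at one per TCP session rather than one per packet, which is what an investigation report needs.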