Hello and welcome to the Wednesday, March 27th, 2004 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Orich, and I'm recording from Jacksonville, Florida.

We got another great diary from Jim about yet another tool that he created Linux packages.sh.

This is meant for forensics in Linux.

It's typically pretty straightforward, depending on the distribution you're using, to figure

out what packages were installed on this system.

Well, not so easy if you mounted a file system that you acquired from

another system like for forensics analysis to figure out what packages were exactly installed

on that particular system. There are, again, according to the distribution, a number of different

locations where databases are being kept of installed packages.

Well, what Jim's script does is it scours all of these different locations, figures out what packages are installed, and then simply lists them.

Pretty easy to use tool and pretty useful to, for example, figure out,

well, was the system updated or is there any odd malicious package being installed,

maybe any odd system service or so that was installed that may have contributed to the

compromise of that system. No need for the analyst to spend a lot of time figuring out what distribution was installed and where the database has been kept.

Just run the script and it does all that boring work for you.

And then there was an interesting sort of follow-up blog post.

Remember, it talked about the loop denial of service condition that

apparently a number of UDP applications suffer from where an error is being responded to

with an error message. There's now an interesting blog post from Damien Mger with the Google Security Reliability team.

And this blog post goes over some of these issues with Quick and how they were resolved in Quick.

There were a couple cases where Quick also suffered from some of these loop issues.

...