Hans-Christian Andersen
hans.andersen at phulse.com
Tue Jan 29 05:16:12 CST 2013
If you want to trace the IP, just install Wireshark and watch the TCP packets flow. :)

But, yes, if you want to see what these guys are trying to exploit, then a VM (or a separate machine altogether) would be the way to go. I don't know if they are getting any smarter though, because they could easily tell quickly if they are running within a VM if they knew where to look (system hardware, for instance).

Regarding doing a filesystem comparison, you could just mount the VM image as a loopback device and the system will treat it as if it were a hard drive (well, in Linux / Unix / Mac systems anyways; with Windows, as always, good luck and have your credit card handy just in case). Then, mounted as a hard drive, you can run any file system tool for comparison (bear in mind, this could be tricky, since Windows touches a lot of files on the fly, so it might be hard to determine which files are relevant or not).

With VirtualBox, for instance: http://bethesignal.org/blog/2011/01/05/how-to-mount-virtualbox-vdi-image/

- Hans

On 2013-01-29, at 2:54 AM, Arthur Fuller <fuller.artful at gmail.com> wrote:

> Well, it seems that we have achieved consensus world-wide (gotta love this
> internet thing!). I'm now wondering whether there's a way to accept the
> call, long enough to trace it (of course the caller might be anonymizing),
> from within a sandbox such as a VM, so that if anything is secretly
> installed, it's only within that VM, which could then be inspected in
> detail, without placing the host at risk. Which begs the question, Is there
> a "sysdiff" utility that could inspect two otherwise identical VMs, one of
> which accepted the call?
>
> A.
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
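The "mount the image, then compare" procedure from the message above, written out as an added shell example; it is not code from the thread or from VirtualBox. The VBoxManage/losetup/mount commands appear only as comments (they are assumed to be the Linux route from a .vdi to a mounted directory and need root), the list of "noise" paths Windows rewrites on its own is an assumption to extend per case, and the two directory trees built by demo() are constructed stand-ins for the mounted baseline and suspect filesystems so the comparison runs without any VM at all.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal "sysdiff" for two
# mounted VM filesystems. Hash every regular file on each side, sort the
# manifests, and report ADDED / REMOVED / CHANGED paths, then drop paths that
# Windows rewrites on its own so the real changes stand out.
#
# Assumed mount steps (VirtualBox on Linux, root required; comments only so the
# rest of the file runs stand-alone):
#   VBoxManage clonehd baseline.vdi baseline.raw --format RAW
#   sudo losetup --find --partscan --read-only --show baseline.raw   # prints e.g. /dev/loop0
#   sudo mount -o ro /dev/loop0p1 /mnt/baseline
#   ...same for the snapshot that accepted the call, mounted at /mnt/suspect, then:
#   manifest /mnt/baseline base.sha; manifest /mnt/suspect susp.sha
#   fs_diff base.sha susp.sha | grep -Ev "$NOISE"

if command -v sha256sum >/dev/null 2>&1; then
    HASH="sha256sum"
else
    HASH="shasum -a 256"      # macOS fallback; same "hash  path" output format
fi

# Assumed noise list: files Windows touches during normal operation. Extend it
# as the comparison teaches you which paths are never interesting.
NOISE='/(pagefile|hiberfil|swapfile)\.sys$|/Windows/Prefetch/|/System Volume Information/|\.evtx$'

# manifest DIR OUT: one "sha256  ./relative/path" line per regular file, sorted by path.
manifest() {
    ( cd "$1" && find . -type f -exec $HASH {} + ) | LC_ALL=C sort -k2 > "$2"
}

# fs_diff BASE SUSPECT: compare two manifests by path. Paths containing
# whitespace are not handled (awk splits the line on whitespace).
fs_diff() {
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: remember baseline hashes
         !($2 in base)       { print "ADDED " $2; next } # present only in the suspect image
         base[$2] != $1      { print "CHANGED " $2 }     # same path, different content
                             { delete base[$2] }         # seen on both sides
         END { for (p in base) print "REMOVED " p }' "$1" "$2" | LC_ALL=C sort
}

# demo: build two constructed trees standing in for /mnt/baseline and /mnt/suspect
# and print the filtered differences. Returns the report on stdout.
demo() {
    work=$(mktemp -d)
    for side in baseline suspect; do
        mkdir -p "$work/$side/Windows/System32" "$work/$side/Windows/Prefetch" "$work/$side/Windows/Temp"
        printf 'unchanged system file\n' > "$work/$side/Windows/System32/kernel32.dll"
        # differs between the sides, but is filtered out as noise
        printf 'prefetch data for %s\n' "$side" > "$work/$side/Windows/Prefetch/EXPLORER.EXE.pf"
    done
    printf '127.0.0.1 localhost\n' > "$work/baseline/Windows/System32/hosts"
    printf '127.0.0.1 localhost\n0.0.0.0 updates.example\n' > "$work/suspect/Windows/System32/hosts"  # CHANGED
    printf 'MZ constructed payload\n' > "$work/suspect/Windows/Temp/support_tool.exe"                 # ADDED
    printf 'stale\n' > "$work/baseline/Windows/Temp/leftover.tmp"                                     # REMOVED

    manifest "$work/baseline" "$work/base.sha"
    manifest "$work/suspect"  "$work/susp.sha"
    fs_diff "$work/base.sha" "$work/susp.sha" | grep -Ev "$NOISE"
    rm -rf "$work"
}

demo
```

Mount both images read-only (the `ro` option and `--read-only` on losetup) so the inspection itself never alters the evidence, and keep the baseline manifest from before the call so the suspect side only has to be hashed once.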