How do you guys look at logs and go about fixing them?

(Thread Split from Etiquette thread. I thought this would be a good post on its own for others to learn from - Dexter...)


Hey can I ask how you guys look at logs and go about fixing them? I'd really like to know.

Comments

  • mmonnin Centreville, VA
    edited May 2004
    Well some are obvious, they have omegasearch or mysearchbar in the name. Others that are common have a space in the name of the exe files. It's hard because the names are never the same. But we know a lot of the file names or can look at where it's located and that will give us a clue to see if it's good or bad. If we don't know then there is the almighty Google. :) There are other sites where you can search for filenames and such.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    TheDark12 wrote:
    LOL, talk about going off topic. Hey can I ask how you guys look at logs and go about fixing them? I'd really like to know


    I'll tell you how I do it, though you will need a good install to do it this way.... Essentially, I dig into the file system of a fresh install. See where things go generally, then look more specifically.

    Next, I google stuff a LOT, enough different stuff out there that before someone tells someone to wipe something and it turns out to be that person's fav thing, he\she might oughta know what it is part of. Google can help there.

    Then I dig into the howtos for the embedded system utils, on the web and in the helps for the system utils.

    This gives me a framework of knowledge.

    Then, I start looking for exceptions to what I think I know should be, and check up on myself a LOT.

    But, funny, keep the learning attitude, the student attitude. Anyone gets high and mighty and says this should never be, someone else will make just exactly that work by some means, so little is universally wrong except for what the junk stuff does. And after a while, you end up looking at what you know should be there, what it should do, and using behavior to sort out what should not be there (IE, you build a heuristics base in your head if you are a real heavy O\S tech or systems integration tech).

    Start with basics, research things that look wrong before you kill kill kill, then back up what you are still not sure of before you disable, then if nothing gets fubarred really kill it. Make your rule to not fubar more than it is now-- let that keep you cautious. Learn what you can from your own box, google most of the rest and keep in mind what you know from doing makes sense while googling to sort out the obvious things that are wrong, or if you have a good copy of same thing, compare what is there versus what is on the other box.

    You can call me someone with teacher grade experience, but a student attitude -- except when I have seen same thing over and over and over, then I get a bit stiff-necked because I have banged my head against that wall and finally found a way to dig under it, found out it is not so wide I cannot go AROUND it, or discovered I can jump past it and then attack it from the back side.... sometimes I lose some hair, a few, sometimes skin is kinda red on neck as I scratched it so it's dark pink, but most of it is persistence. Gotta kill the junk and only the junk, basically is my attitude.

    Old saying "practice makes perfect" works for many general things, details change so fast you gotta have "learn, learn, learn" always part of the beat also, if you can thoroughly dig that. I like this site because there are enough folks here who each know parts that I can learn as I go, and since the best of them have the same attitude and are willing to give me knowledge back without burning me over nitpicks when I am trying to explain principles, I learn too. Fair trade, IMHO.

    Summary, apply what you know, then google it, look for consensus and sites that have folks that are more often right than not, share the knowledge, trust others to pick you up off your flat face for the most part with better info than you found if you fubar your research. Next, do not be so totally afraid of fubarring things that you do nothing, do the best you can, ask for help, and here the admins have the attitude of trying to help as much as rule-- probably MORE help than rule, actually, one reason I hang out here.

    Most of it is really attitude, be not frozen with fear, but have some native caution. One trick is to learn how to recover what you fubar, take time to back up what you gotta have first, then mod. Learn how to back out of seemingly massive fubars, there are layers and layers of tools for this in most operating systems and the util software folks come up with to help.

    Most folks that spread stuff that is junk to many, have the attitude of "let's offer a free lunch, then show them the other part as much later from now as we can...." So, me, I keep the TANSTAFL principle clearly in mind-- There Ain't No Such Thing As Free Lunch, you are gonna get some clouds with the silver lining, and some clouds just plain lie and do not water the grass, they are smoke to hide fires you do not want to have to put out. Smoke normally pollutes SOMETHING, trick is to keep it away from the things you want protected, and that means always being a pro student to keep up. That word\idea picture work for some of you???
  • Dexter Vancouver, BC Canada
    edited May 2004
    TheDark12 wrote:
    LOL, talk about going off topic. Hey can I ask how you guys look at logs and go about fixing them? I'd really like to know


    Basically what mmonnin and John_D said. When you start to look at enough of them, you see "normal" and "not normal."

    When you see an entry you have not seen before, or one that seems to be masquerading as something normal, you google it. The problem with googling something though is that you often have to weed through a lot of crap, and dozens of HJT logs.

    Some things installed by crapware are randomly named, so they are easy to google: "3hjhpowppou875#2@dj.exe" is not likely to have a lot of matches ;) If it is random, and you can't find any matches...toast it. Or quarantine it preferably, in case you find that you actually did need 3hjhpowppou875#2@dj.exe for that obscure program you are running.

    There are a couple of good online lists of startup apps and process lists, common BHOs, etc. Some show only "good" things, so if your item is not on that list, it is likely not "good", and others show good and bad, with explanations. Some of those are member-driven sites, where the database has been compiled by member contributions. Those have to be taken with a dose of caution: someone who does not know what they are doing can red-flag a legit program, and vice versa, so I like to get 2 sources where possible.

    The sites I like are:

    http://www.sysinfo.org/startuplist.php?filter=&count=100&type=

    http://www.windowsstartup.com/wso/index.php

    http://www.kephyr.com/filedb/index.php

    http://www.generation.net/~hleboeuf/bhoindex.htm

    Then if you still don't know for sure if something is good or not, it's trial and error, but by that point, you should have a pretty good idea. Compare notes with other users: the mods of this forum - Mondi, Mr, Kwitko and myself, PM each other often to compare notes ("why do you recommend that file for deletion?"), and exchange research info ("hey, that file is OK after all.")

    And the more you do it, the more you learn. When you have looked at a couple hundred logs or more like we have since we started this security forum, you can consider yourself somewhat experienced in the art. :)

    Dexter...
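The triage the posts above describe (mmonnin: obvious junk names, a space in the exe name, where the file lives; Dexter: random-looking names, checking against the online startup lists, quarantine rather than delete), worked through over sample log lines as an added example that is not part of the thread and not code from HijackThis or from the sites linked above. The O4 lines, the allowlist, the junk keywords and the 25% "random-looking" threshold are constructed for illustration; in practice the allowlist would come from the startup lists Dexter links to.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in HijackThis "O4" startup-entry format (hypothetical entries, not a real log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - HKLM\\..\\Run: [omegasearch] C:\\WINDOWS\\omegasearch.exe
O4 - HKCU\\..\\Run: [3hjhpowppou875#2@dj] C:\\WINDOWS\\System32\\3hjhpowppou875#2@dj.exe
O4 - HKLM\\..\\Run: [svc host] C:\\WINDOWS\\svc host.exe
O4 - HKCU\\..\\Run: [Updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed allowlist standing in for the online "known good" startup lists.
KNOWN_GOOD = {"nvcpldaemon", "ctfmon.exe", "soundman"}
# Names the thread calls out as obvious junk.
KNOWN_BAD_KEYWORDS = ("omegasearch", "mysearchbar")

O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    hive: str
    name: str
    cmd: str
    exe: str                       # executable file name pulled out of the command
    reasons: List[str] = field(default_factory=list)
    verdict: str = ""


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one O4 line; returns None for anything that is not an O4 entry."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # Text up to the first ".exe" is the program path. This copes with
    # "RUNDLL32.EXE C:\...\x.dll,Entry" and with paths that contain spaces.
    end = cmd.lower().find(".exe")
    path = cmd[: end + 4] if end >= 0 else cmd.split()[0]
    exe = path.rsplit("\\", 1)[-1]
    return Entry(m.group("hive"), m.group("name"), cmd, exe)


def looks_random(name: str) -> bool:
    """Crude proxy for the randomly named junk Dexter describes:
    a high share of digits and punctuation in the name (threshold is a constructed choice)."""
    if not name:
        return False
    odd = sum(1 for c in name if not c.isalpha() and c != " ")
    return odd / len(name) >= 0.25


def triage(entry: Entry) -> Entry:
    """Apply the thread's heuristics; the verdict never says 'delete', only quarantine."""
    name_l, exe_l, cmd_l = entry.name.lower(), entry.exe.lower(), entry.cmd.lower()
    if name_l in KNOWN_GOOD or exe_l in KNOWN_GOOD:
        entry.verdict = "known good"
        return entry
    if any(k in name_l or k in exe_l for k in KNOWN_BAD_KEYWORDS):
        entry.reasons.append("name matches known junk")
    if " " in exe_l:                                   # mmonnin's "space in the exe name"
        entry.reasons.append("space in executable name")
    if looks_random(name_l) or looks_random(exe_l.rsplit(".", 1)[0]):
        entry.reasons.append("random-looking name")
    if "\\temp\\" in cmd_l or "\\local settings\\" in cmd_l:   # mmonnin's "look at where it's located"
        entry.reasons.append("runs from a temp/profile directory")
    entry.verdict = ("suspect: research, then quarantine" if entry.reasons
                     else "unknown: research before acting")
    return entry


def triage_log(text: str) -> Dict[str, Entry]:
    """Triage every O4 line in a log; keyed by the startup entry name."""
    results: Dict[str, Entry] = {}
    for line in text.splitlines():
        e = parse_o4(line)
        if e is not None:
            results[e.name] = triage(e)
    return results


if __name__ == "__main__":
    for name, e in triage_log(SAMPLE_LOG).items():
        print(f"{name:22} {e.exe:26} {e.verdict:36} {'; '.join(e.reasons)}")
```

Nothing here is a substitute for the googling and second source Dexter recommends; the point of the example is that the heuristics the posts describe are mechanical enough to run over a log first, so the research effort goes to the "unknown" and "suspect" entries rather than to the allowlisted ones.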
  • muddocktor
    edited May 2004
    These 3 guys have pretty much explained it and just looking through the various threads here and the stuff that these guys say is good or bad will teach you a hell of a lot too. I've been trying to help out in here too, the last few days, but I'm nowhere near good enough to say I'm good at it.

    I look at learning this as a challenge and even though I'm 48 years old, I still really enjoy a mental challenge that makes me actually have to think and learn. :thumbsup:
  • TheDark12
    edited May 2004
    Thanks for the replies guys (and thanks Dex for making this a thread), after reading over this I was able to fix my own Omega Search problem. Hope some other people fix their probs thanks to this thread as well.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    muddocktor wrote:
    These 3 guys have pretty much explained it and just looking through the various threads here and the stuff that these guys say is good or bad will teach you a hell of a lot too. I've been trying to help out in here too, the last few days, but I'm nowhere near good enough to say I'm good at it.

    I look at learning this as a challenge and even though I'm 48 years old, I still really enjoy a mental challenge that makes me actually have to think and learn. :thumbsup:

    Muddocktor, I am gonna kinda diverge to make a very valid point. You know hardware like the back of your hand, you have studied it. I have studied O\S integration issues and looked for ways to take symptoms and learn how to tell when symptom can be so misleading that folks spend lots on the wrong thing-- both in time and money. So, I might go off-topic apparently simply because I think symptom does not equal problem in topic VERY POSSIBLY.

    One trick is to learn SOME about software and O\Ss. I am a weirdity, a generalist who has lots of time in hands on, decades of it literally. That in itself is a strength and a weakness. I am also a humanist in the sense of knowing that folks each have different sets of goals when they custom tune a box-- so the fix has to fit the person to be perfect enough for that person to really laud the fix, and for it to be best given that computer user's goals.

    I rely a LOT on you, mudd, for hardware info. You are dang good at the hardware area. I am happy you are learning TOO.... :D The attitude of helping is GREAT for a forum to have.

    But, given software and O\S and user goals and hardware all needing to work together, there is no such thing as IDIC in any one part of those. You are right usually as to better, and that is a compliment. That is why I listen and read your posts.

    I could leave this to email, but I wanted to show the balance that needs to be maintained in order for a system to meet a user's goals. What one user finds works best will probably not meet another user's goals as well as another set of specific things-- due to different goals being used to determine how well system works.

    We can't all know it all, nowhere close to all can we each know within ourselves, and I respect you for saying honestly where your strengths and weaknesses are. If most of us keep that attitude, the forum will flourish even more than it is now. IF, however, you catch me out, feel free to tell me about your experience with that thing, especially as to hardware and as to XP.

    Why the heck is this here, in a security thread??? Simple. Logs show micro-symptoms that can be VERY similar to things which are not problems-- especially in the world of system security. Many combos of things can cause a micro-symptom set to appear. And those things can involve many combos of user and hardware and O\S and application software.

    Security is kinda like a cold war. If what I offer to you makes your box do things that let me look at info you need to keep private, I am violating YOUR security. If I am stealing info that you own, that is wrong.

    So, how is this kind of thing hidden??? Mostly via Purloined Letter technique, hide in plain sight, but so it looks like something else. Security is a team effort thing, so please speak up with the understanding that you will learn at worst if you are careful in recommendations. Funny thing, what we say by nature tells others what we do not know, and you are a good example of wanting to learn more than dominate. The blackhats reverse this balance in themselves and try to make it so for others also.
  • Dexter Vancouver, BC Canada
    edited May 2004
    TheDark12 wrote:
    Thanks for the replies guys (and thanks Dex for making this a thread), after reading over this I was able to fix my own Omega Search problem. Hope some other people fix their probs thanks to this thread as well.


    :thumbsup:

    Great to hear :)

    Dexter...