[ale] remote investigation
Jonathan Rickman
jonathan at xcorps.net
Tue Sep 2 10:04:03 EDT 2003

On Tuesday 02 September 2003 08:37, John Wells wrote:
> Thanks for humoring the grasping at straws. I'm frustrated, and clear
> thought is not currently an option... ;-)

If the machine has a fair amount of memory and does not rely heavily on
swap, it would be a good idea to swapoff and unmount the swap partition.
This will give you a reasonable indication of whether the heavy load is
disk or memory bound, and preserve evidence in the event that there was a
compromise. If the machine falls on its face, my gut tells me that there is
something going on in memory land. If it remains the same, I'd look towards
disk problems and/or system compromise. If it gets better, I'd find a new
line of work...because I really wouldn't know what was going on then! I
really think you're going to have to get at a physical console to really
get in depth though, because once you rule out hardware you need physical
access to run trusted binaries.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
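
Added example, not part of the original message: a pre-check for the "fair amount of memory and does not rely heavily on swap" condition before running swapoff on a remote box. The function name swap_check, the 2x safety margin and both sample meminfo excerpts are assumptions constructed for illustration.

```sh
#!/bin/sh
# swap_check: read /proc/meminfo-style text on stdin and print
#   "<swap_used_kB> <reclaimable_kB> <ok|risky>"
# Reclaimable is estimated as MemFree + Buffers + Cached. This is a rough
# figure: part of Cached (tmpfs, shared memory) cannot actually be dropped.
swap_check() {
    awk '
        $1 == "MemFree:"   { free   = $2 }
        $1 == "Buffers:"   { buf    = $2 }
        $1 == "Cached:"    { cached = $2 }
        $1 == "SwapTotal:" { stotal = $2 }
        $1 == "SwapFree:"  { sfree  = $2 }
        END {
            used = stotal - sfree
            room = free + buf + cached
            # Assumed margin: swapped-out pages must fit twice over,
            # otherwise swapoff itself may drive the host into OOM.
            verdict = (used * 2 <= room) ? "ok" : "risky"
            printf "%d %d %s\n", used, room, verdict
        }'
}

# Constructed sample: lightly swapped host with plenty of page cache.
SAMPLE_LIGHT='MemTotal:      1030000 kB
MemFree:        102400 kB
Buffers:         51200 kB
Cached:         460800 kB
SwapTotal:      524288 kB
SwapFree:       503808 kB'

# Constructed sample: host leaning heavily on swap.
SAMPLE_HEAVY='MemTotal:       256000 kB
MemFree:          8192 kB
Buffers:          4096 kB
Cached:          40960 kB
SwapTotal:      524288 kB
SwapFree:       124288 kB'

printf '%s\n' "$SAMPLE_LIGHT" | swap_check   # 20480 614400 ok
printf '%s\n' "$SAMPLE_HEAVY" | swap_check   # 400000 53248 risky

# On the live machine (as root), only proceed when the verdict is "ok":
#   swap_check < /proc/meminfo
#   swapoff -a
```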