
RE: HELP, my Debian Server was hacked!



On Wed, 23 Apr 2003, DEFFONTAINES Vincent wrote:

> What to do
> -----------
>
> The first 3 basic steps to handling a "situation" (roughly taken from
> the wonderful Criminalistics, An Introduction to Forensic Science, by
> Saferstein (see the "bibliography" file) are:
>
> 	o	Secure and isolate the scene
> 	o	Record the scene
> 	o	Conduct a systematic search for evidence

Good general guidelines for a static forensic situation... however, some
significant differences exist between a static crime scene and a system
break-in.  The most important of these is that, while a crime scene can
be secured, a computer that has been broken into is immediately suspect
and is quite probably still being used to conduct criminal activities.

> And while speed is of the essence, attempt to stay calm and don't panic.

Of course.  :)

> And do *NOT* touch the keyboard or the computer yet unless you absolutely
> have to.
>
> We repeat.  Do *NOT* touch the keyboard or the computer yet.
>
> Did you hear us?   STAY AWAY FROM THE COMPUTER!  Anything you do will
> destroy evidence, so simply don't touch it for now, or do as little as
> possible and don't start looking for damage yet.

And what is the correct time to start looking for damage??
I have to disagree here.  There are important corporate legal concerns
outside of simply collecting evidence, the foremost of these being
liability. In some jurisdictions, if you are aware that your machine is
under someone else's control, and that machine is currently being used in
the commission of an attack upon a 3rd party machine, that 3rd party might
be able to hold you liable.  IANAL, but be sure to check all the
applicable laws for your jurisdiction.

Immediate action is ALWAYS required in a case like this.  The moment you
discover a break-in, get down to your datacenter, get on a physical
console, and begin the process of cleaning the mess up.  This should
involve steps like the following:

- tar up /proc and move to another machine
- take an image of all mounted and unmounted filesystems and put on
  read-only media (becomes redundant later, but redundancy is good)
- make a quick examination of open sockets - check netstat, run nmap,
  etc... but do this quickly.  If you want to spend some time at this,
  firewall off the machine and put a packet sniffer in front of it.
- shut down the machine, remove the drives, and mount them in another
  machine -o ro for closer examination.

Obviously steps should be in place to mitigate the damage of these sorts
of acts.  Have steps in place to quickly replace machines that have to be
removed from production quickly and without warning.  Use syslog to log
locally AND remotely.  Have a backup of all your logs.  The smart attacker
will have covered their tracks.

> And while you might get lucky and find all the damage and evidence and
> perpetrator immediately, don't get your hopes up too much, this is still
> not an exact science, and almost every case has more than its share of
> disappointments.

Agreed.
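As an added example that is not part of this thread, a small shell script in the spirit of the volatile-evidence steps above: it records the state that is lost at shutdown, tolerates missing or failing tools instead of aborting, and hashes the collection so that later alteration of the evidence can be detected. The TRUSTED_TOOLS variable, the output file names and the exact list of commands are assumptions of this example, not anything the post prescribes.

```shell
#!/bin/sh
# Live-response snapshot of a suspect host (added example, not from the thread).
# Assumptions: TRUSTED_TOOLS may point at a directory of known-good, statically
# linked binaries (e.g. on read-only media); the file names below are our own.

# run_step NAME CMD [ARGS...]: capture one command's output into the evidence
# directory, recording a missing tool or a non-zero exit instead of aborting.
run_step() {
    _name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$EVIDENCE_DIR/$_name" 2>&1 || echo "exit=$?" >> "$EVIDENCE_DIR/$_name"
    else
        echo "tool not available: $1" > "$EVIDENCE_DIR/$_name"
    fi
}

# collect_volatile DIR: save the state that is lost at power-off, then hash
# every artefact so later alteration of the collection can be detected.
collect_volatile() {
    EVIDENCE_DIR="$1"
    mkdir -p "$EVIDENCE_DIR" || return 1
    # Prefer known-good tools: binaries on a compromised host may be trojaned.
    PATH="${TRUSTED_TOOLS:-/media/ir-tools}:$PATH"
    # Who collected what, when, and on which host (chain of custody).
    { date -u; uname -a; id; } > "$EVIDENCE_DIR/00_context.txt" 2>&1
    # /proc is read file by file: tar stores /proc entries as zero-length
    # files because their reported size is 0.
    run_step 10_mounts.txt    cat /proc/mounts
    run_step 11_modules.txt   cat /proc/modules
    run_step 20_processes.txt ps -eo pid,ppid,user,lstart,args
    run_step 30_tcp_raw.txt   cat /proc/net/tcp
    run_step 31_sockets.txt   ss -tunap
    run_step 40_logins.txt    last -F
    run_step 41_who.txt       w
    ( cd "$EVIDENCE_DIR" && sha256sum *.txt > MANIFEST.sha256 )
}

# verify_collection DIR: re-check the hashes; returns non-zero on any mismatch
# or missing artefact, which is what a reviewer of the evidence runs later.
verify_collection() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}
```

Imaging the disks and mounting them -o ro on another machine, as the post goes on to describe, comes after this snapshot and is outside the block.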
