Re: i am hacked atm.. what's better thing to do?
A long time ago, in a galaxy far, far away, someone said...
> A lot depends on whether you want to watch/trace/prosecute/learn
> from/annoy him, or if you just want him off your system.
>
> What I would do (since I like to do learn from the intrusions), is to
> follow him around for a while. At minimum, find out what IP address he
> is coming from and how he got into your machine.
The source IP number isn't necessarily helpful - he could be coming from
one of those places offering free shell access.
And definitely follow the guy (if the attacker is a guy :) around - it
won't help you to re-install and not know how they got in the first time
around.
> A simple packet sniffer for Debian can be obtained through `apt-get
> install sniffit`, and then run `sniffit -I`. This will at least tell
> you the open connections to your machine and the IP addresses. If you
> want to see what he's doing, run a packet sniffer (tcpdump, though
> sniffit can probably do it as well) to sniff packets to/from his IP.
Hint: tcpdump -w <filename> -i eth0 host <hostname> is really useful.
Especially if the attacker is stupid enough to do their work through
telnet.
> The syslog is probably the best place to find how he got into your
> system. But it might have been tampered with. If you think it's a
> fairly recent attack, look around your directories a bit with an `ls
> -lart` to show all recently-changed entries. Script kiddie tools are
> easily found this way, though better hackers can hide their tracks.
Especially since they can just do a "rm -rf /var/log" - yes I've seen that
happen.
> Finally, don't trust the output of ps (it may be one that hides their
> tracks), login could have been replaced to have a backdoor and log your
> passwords, etc.
Definitely. Note that an "unusual" ps output can tip you off to their
presence.
Witness this output from a compromised RH6.2 system I cleaned up:
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
nobody 515 0.0 0.2 1888 140 ? S Oct 11 0:00 proftpd (accepting co
nobody 3621 0.0 3.4 6720 2204 ? S Oct 15 0:00 httpd
nobody 3622 0.0 3.3 6708 2116 ? S Oct 15 0:00 httpd
nobody 3623 0.0 3.3 6708 2112 ? S Oct 15 0:00 httpd
nobody 3624 0.0 3.5 6720 2240 ? S Oct 15 0:00 httpd
nobody 3625 0.0 3.4 6720 2200 ? S Oct 15 0:00 httpd
nobody 3626 0.0 3.3 6708 2132 ? S Oct 15 0:00 httpd
nobody 3627 0.0 2.4 6708 1528 ? S Oct 15 0:00 httpd
nobody 3628 0.0 2.6 6720 1688 ? S Oct 15 0:00 httpd
root 1 0.0 0.1 1120 124 ? S Oct 11 0:07 init
root 3 0.0 0.0 0 0 ? SW Oct 11 0:01 (kupdate)
root 4 0.0 0.0 0 0 ? SW Oct 11 0:00 (kpiod)
root 6 0.0 0.0 0 0 ? SW< Oct 11 0:00 (mdrecoveryd)
root 386 0.0 0.2 1420 172 ? S Oct 11 0:00 klogd
root 400 0.0 0.2 1328 132 ? S Oct 11 0:00 crond
root 414 0.0 0.6 1168 404 ? S Oct 11 0:00 inetd
root 484 0.0 0.1 1144 72 S0 S Oct 11 0:00 gpm -t ms
root 498 0.0 1.0 6576 684 ? S Oct 11 0:03 httpd
root 589 0.0 0.0 900 16 ? S Oct 11 0:00 papd
root 640 0.0 0.0 1092 0 2 SW Oct 11 0:00 (mingetty)
root 641 0.0 0.0 1092 0 3 SW Oct 11 0:00 (mingetty)
root 643 0.0 0.0 1092 0 5 SW Oct 11 0:00 (mingetty)
root 644 0.0 0.0 1092 0 6 SW Oct 11 0:00 (mingetty)
root 672 0.0 1.1 2192 736 ? S Oct 11 1:12 nmbd
root 699 0.0 0.5 2660 320 ? S Oct 11 0:00 xdm
root 23287 0.0 8.8 13036 5580 ? S N 18:14 0:15 ./quake2 +set dedicat
root 23290 0.0 0.6 1092 404 4 S 18:14 0:00 /sbin/mingetty tty4
root 23551 0.0 0.6 1092 404 1 S 18:37 0:00 /sbin/mingetty tty1
root 24012 0.0 0.7 924 464 ? S 01:06 0:00 in.telnetd
root 24752 0.0 0.7 924 468 ? S 01:19 0:00 in.telnetd
Note the absence of various programs, especially bash shells associated
with the telnet processes, or even my own login shell (I was logged in as
'pbrutsch') :)
> You might run nmap against your own machine to check if any additional
> ports were enabled.
Additional ports aren't always opened. Although if you catch them at the
right time you might find their remote root shell before they close it...
> Once you figure out how your machine was compromised (watching other
> machines get attacked from your own may give a clue here) then check the
> IP he's coming from and see if it was compromised in the same way. If
> so, notify the owner. If not, then this is the hacker's home box and
> you should contact his ISP (or the authorities).
That's not always a possibility. I've seen stolen PPP accounts used; I've
also seen attackers come from a site offering free shell access, without
enough information on how to track down their user ID.
--
----------------------------------------------------------------------
Phil Brutsche pbrutsch@tux.creighton.edu
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
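Added example, not part of the thread: a small Python checker for the two signs this reply describes, a ps listing that shows login daemons (in.telnetd) but no shell or login process at all, and PIDs that exist in /proc but are missing from ps. The `ps aux` column layout, the daemon and shell name lists, and the trimmed sample rows (constructed from the output quoted above) are assumptions.

```python
import os

# Constructed sample, trimmed from the ps output quoted in the thread.
SAMPLE_PS = """\
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1120 124 ? S Oct 11 0:07 init
root 414 0.0 0.6 1168 404 ? S Oct 11 0:00 inetd
root 23551 0.0 0.6 1092 404 1 S 18:37 0:00 /sbin/mingetty tty1
root 24012 0.0 0.7 924 464 ? S 01:06 0:00 in.telnetd
root 24752 0.0 0.7 924 468 ? S 01:19 0:00 in.telnetd
"""

LOGIN_DAEMONS = ("in.telnetd", "sshd", "in.rlogind")      # assumed names
SHELLS = ("login", "bash", "sh", "csh", "tcsh", "ksh", "zsh")

def parse_ps(text):
    """Parse `ps aux`-style output into dicts with user, pid and cmd.
    START is either "Oct 11" (two tokens) or "18:37" (one), so the
    COMMAND column shifts by one; a month name marks the two-token form."""
    procs = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        time_idx = 10 if f[8][0].isalpha() else 9
        procs.append({"user": f[0], "pid": int(f[1]),
                      "cmd": " ".join(f[time_idx + 1:])})
    return procs

def suspicious_sessions(procs):
    """PIDs of login daemons listed while no shell/login process is
    visible anywhere: the gap the reply points at in the trojaned ps."""
    names = [os.path.basename((p["cmd"].split() or [""])[0]).lstrip("-")
             for p in procs]
    if any(n in SHELLS for n in names):
        return []
    return [p["pid"] for p, n in zip(procs, names) if n in LOGIN_DAEMONS]

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: the usual sign
    that ps (or the library under it) was replaced to hide processes."""
    return sorted(set(proc_pids) - set(ps_pids))

def pids_from_proc():
    """Live PID list read straight from /proc, bypassing ps entirely."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("login daemons with no visible shell:", suspicious_sessions(procs))
    print("hidden PIDs (constructed):", hidden_pids({1, 414, 31337}, {1, 414}))
```

On a live box, feed `parse_ps` the real `ps aux` text and compare `pids_from_proc()` against the parsed PIDs; a trusted static ps from clean media is still the better reference.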