
Re: BIND exploited ?



On Fri, 4 Jan 2002 19:43, Andy Bastien wrote:
> > > Is it really necessary to buy new hard drives?  Is there a reason why
> > > he can't just reformat his current drives before reinstalling?
> >
> > Sure he can, if he wants to lose the evidence of what happened and lose
> > the possibility to hand the drives over to law enforcement officials
> > (which may be demanded of him even if he doesn't want it in the case that
> > his machine was used to attack others).
>
> Good point!  Having never dealt with the fuzz after being compromised,

Firstly, please note that I don't have much first-hand experience with dealing 
with the police on such issues.  The times when police issues have come up 
I've been too busy and let other people handle it - those people didn't 
disturb me, so I never bothered finding out exactly what happened...

Even if I did have detailed experience of such things it probably wouldn't 
apply in your jurisdiction - and the law is constantly changing anyway.

> I have to ask what you would do if your server is a file server with
> lots of big, expensive drives where a company might not be able to
> afford replacing them all?  Would they be happy with backups (keeping
> in mind that any tools used to backup the server might no longer be
> trustworthy)?  How about disk images (made with dd, or something
> similar) of the drives that contain the system stuff?

OK.  When I described replacing all hard drives I was referring to system 
disks with the OS and applications, not data files.  Keeping a backup of your 
news spool probably doesn't gain you much.  Just use find on the data disks 
(the copy of find on the freshly installed un-cracked system on new system 
disks) to search for suspicious files (SUID, SGID, and executables where you 
least expect them).  Also search for files and directories starting in '.' in 
locations where you don't expect them.  Another thing to check for is the 
most recently changed files.  On a web server the content may not have 
changed for a month; any files changed in the last week would be by the 
intruder...

After copying and removing all suspicious files (make sure you use tar or 
cpio, not cp, so that permissions and time stamps are preserved), the data 
disks will be ready for service again.

Make sure that boot sectors are wiped as well (on a Debian installation use 
install-mbr on every disk that has a partition table).

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
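The data-disk triage the post describes, written out as an added example (not the poster's own script): it assumes GNU find and GNU tar (for -T), and a data disk mounted, ideally read-only, at the directory given as the first argument, with the script itself run from the freshly installed system so that its find and tar are trusted.

```shell
#!/bin/sh
# Added example: triage of a data disk after a compromise, run from a clean
# system.  Assumes GNU findutils and GNU tar; $1 is the data disk's mount point.

# Set-UID / set-GID files: a data or news spool should contain none.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
}

# Any executable file: unexpected on a disk that holds only data.
find_execs() {
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Files and directories whose name starts with '.', a common hiding place.
find_dotfiles() {
    find "$1" -xdev -name '.*'
}

# Files modified within the last $2 days (default 7) on a disk whose content
# was not supposed to change at all.
find_recent() {
    find "$1" -xdev -type f -mtime "-${2:-7}"
}

# One combined, de-duplicated list of suspects written to $2 ($3 = days).
list_suspects() {
    { find_setid "$1"; find_execs "$1"; find_dotfiles "$1"; find_recent "$1" "$3"; } \
        | sort -u > "$2"
}

# Preserve the suspects (mode, owner, timestamps) with tar before removing them
# from the disk; cp would lose those details.  Removal happens only after the
# archive has been read back successfully.
archive_and_remove() {   # archive_and_remove LISTFILE ARCHIVE
    tar -cpf "$2" -T "$1" &&
    tar -tf "$2" > /dev/null &&
    while IFS= read -r path; do rm -rf -- "$path"; done < "$1"
}
```

Wiping the boot sector (install-mbr on Debian, as the post says) is a separate step on the system disks and is not part of this data-disk pass.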


