
Re: BIND exploited ?



> > I have to ask what you would do if your server is a file server with
> > lots of big, expensive drives where a company might not be able to
> > afford replacing them all?  Would they be happy with backups (keeping
> > in mind that any tools used to backup the server might no longer be
> > trustworthy)?  How about disk images (made with dd, or something
> > similar) of the drives that contain the system stuff?
>
> OK.  When I described replacing all hard drives I was referring to system
> disks with the OS and applications not data files.  Keeping a backup of your
> news spool probably doesn't gain you much.  Just use find on the data disks
> (the copy of find on the freshly installed un-cracked system on new system
> disks) to search for suspicious files (SUID, SGID, and executables where you
> least expect them).  Also search for files and directories starting in '.' in
> locations where you don't expect them.  Another thing to check for is the
> most recently changed files.  On a web server the content may not have
> changed for a month, any files changed in the last week would be by the
> intruder...
>
> After copying and removing all suspicious files (make sure you use tar or
> cpio not cp so that permissions and time stamps are preserved) then the data
> disks will be ready for service again.
>
> Make sure that boot sectors are wiped as well (on a Debian installation use
> install-mbr on every disk that has a partition table).

From my experience, police like data untampered and in exactly the same
form and such when the intrusion occurred. That means the exact same
disks, not a tape backup or something. Sometimes backups can miss stuff,
or as mentioned previously, the backup software itself could have been
rooted. Actually, it would be best to make a duplicate of the disk, USE
THE DUPLICATE, and give the police the original. If possible, just yank
the power out of the box... the reason being that if you use 'reboot' or
'shutdown' or others, they usually run through the shutdown scripts, and
within the shutdown scripts the kiddies could've planted something there
as well. You never know. By yanking the power, no software can
write/modify the disks, and they are "preserved", more or less.

Sincerely,
Jason
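The triage the quoted post describes (find run from a clean system against a data disk, then tar rather than cp to keep permissions and time stamps), as an added example that is not part of the original thread. It assumes the data disk is mounted under the directory passed as the first argument, that the find and tar used are the clean system's own binaries, that a data disk (news spool, web content) should hold no executables at all, and that tar understands `-T -` (GNU and BSD tar do).

```sh
#!/bin/sh
# triage_disk ROOT [DAYS]: print paths on the mounted data disk that match
# the checks from the quoted post. Run it from the freshly installed system;
# ROOT is the mount point of the suspect data disk (assumption: mounted
# read-only so nothing on it is touched while we look).
triage_disk() {
    root=$1
    days=${2:-7}   # "any files changed in the last week" is the default window
    {
        # SUID / SGID files
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
        # executables where you least expect them: any exec bit on a data disk
        find "$root" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
        # files and directories starting in '.'
        find "$root" -xdev -name '.*' -print
        # most recently changed files
        find "$root" -xdev -type f -mtime -"$days" -print
    } | sort -u
}

# collect_suspects ROOT ARCHIVE [DAYS]: copy the flagged files into a tar
# archive (tar, not cp, so permissions and time stamps are preserved) before
# they are removed from the disk.
collect_suspects() {
    root=$1
    archive=$2
    days=${3:-7}
    triage_disk "$root" "$days" | tar -cf "$archive" -T -
}
```

The archive is what you keep for later examination; the disk itself only goes back into service after the listed files have been copied off and removed.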



