Re: Server hacked - next...?

To: debian isp <debian-isp@lists.debian.org>
Subject: Re: Server hacked - next...?
From: Alex Borges <alex@sogrp.com>
Date: 29 Jun 2003 18:59:00 -0500
Message-id: <[🔎] 1056931140.17570.13.camel@lex.sog.com.mx>
In-reply-to: <[🔎] 05d501c33e0e$2ac03650$0800a8c0@SYSTEM8>
References: <Pine.LNX.4.43.0306290156100.10730-100000@blackhole.quasar.net> <[🔎] 05d501c33e0e$2ac03650$0800a8c0@SYSTEM8>

El dom, 29 de 06 de 2003 a las 02:15, Jason Lim escribió:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
> 
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
> 
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especailly since we can't see what is going on anymore.
> 
> What do you think? :-(

You have to realize this is a normal step in the life of any sysadmin.
So stop being worried and learn from it.

1.- Save all thats possible to save (homedirs, emails, homepages)

2.- Yeah, hard to believe an updated, all standard packages woody could
be cracked. Its no normal, highschool script kiddie if he pulled that
off (probably a college script kiddie though...;)...). Your box as is
provides very good information, but you have to realize that, if you
didnt take a couple of steps to forsee this, such as having a network
flight recorder somewhere to do forensics on your dead box, its going to
be hard to determine where and how did he got in. 

2-1/2.- Do a list of ANY installed stuff that is not strict debian
woody. I mean, web database administrators, counters, extra perl modules
got from cpan (as oposed from apt-get isntall libperl...etc.). Its more
probable that the first level vulnerability got in there (nevertheless,
if you got hacked by a perl script, then the perl package, apache
package or similar is borked).

3.- So, mirror your killed hard drive so that you can disect it later,
set up the box again with certain limited things, say forbid cgi's and
move to mod-perl and php, forbid ppl from having bash cgi's (since there
is a good chance this is where they got in).

What am i doing? I dunno, there is no checklist that will cover any
site, this is what i would do and im not very experienced. But whatever
you end up with, you should implement postmortem analysis capabilities
to your site (couple of snort/tcpdump boxes and an actual formalization
of your security policies will do).

So policy is the thing here anyhow, work on that. Think of syslog-ng
server, your tcpdump network capture server, snort ID analysys server,
log analyzer for the syslog server. Once cracked all one can do is think
better for the next time.

Reply to:

References:
- Re: Server hacked - next...?
  - From: "Jason Lim" <maillist@jasonlim.com>

Prev by Date: Re: Server hacked - next...?
Next by Date: Woody Stable and Kernel 2.4.21
Previous by thread: Re: Server hacked - next...?
Next by thread: Re: Server hacked - next...?
Index(es):
- Date
- Thread