Re: Server hacked - next...?
El dom, 29 de 06 de 2003 a las 02:15, Jason Lim escribió:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especailly since we can't see what is going on anymore.
> What do you think? :-(
You have to realize this is a normal step in the life of any sysadmin.
So stop being worried and learn from it.
1.- Save all thats possible to save (homedirs, emails, homepages)
2.- Yeah, hard to believe an updated, all standard packages woody could
be cracked. Its no normal, highschool script kiddie if he pulled that
off (probably a college script kiddie though...;)...). Your box as is
provides very good information, but you have to realize that, if you
didnt take a couple of steps to forsee this, such as having a network
flight recorder somewhere to do forensics on your dead box, its going to
be hard to determine where and how did he got in.
2-1/2.- Do a list of ANY installed stuff that is not strict debian
woody. I mean, web database administrators, counters, extra perl modules
got from cpan (as oposed from apt-get isntall libperl...etc.). Its more
probable that the first level vulnerability got in there (nevertheless,
if you got hacked by a perl script, then the perl package, apache
package or similar is borked).
3.- So, mirror your killed hard drive so that you can disect it later,
set up the box again with certain limited things, say forbid cgi's and
move to mod-perl and php, forbid ppl from having bash cgi's (since there
is a good chance this is where they got in).
What am i doing? I dunno, there is no checklist that will cover any
site, this is what i would do and im not very experienced. But whatever
you end up with, you should implement postmortem analysis capabilities
to your site (couple of snort/tcpdump boxes and an actual formalization
of your security policies will do).
So policy is the thing here anyhow, work on that. Think of syslog-ng
server, your tcpdump network capture server, snort ID analysys server,
log analyzer for the syslog server. Once cracked all one can do is think
better for the next time.