[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Server hacked - next...?

El dom, 29 de 06 de 2003 a las 02:15, Jason Lim escribió:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especailly since we can't see what is going on anymore.
> What do you think? :-(

You have to realize this is a normal step in the life of any sysadmin.
So stop being worried and learn from it.

1.- Save all thats possible to save (homedirs, emails, homepages)

2.- Yeah, hard to believe an updated, all standard packages woody could
be cracked. Its no normal, highschool script kiddie if he pulled that
off (probably a college script kiddie though...;)...). Your box as is
provides very good information, but you have to realize that, if you
didnt take a couple of steps to forsee this, such as having a network
flight recorder somewhere to do forensics on your dead box, its going to
be hard to determine where and how did he got in. 

2-1/2.- Do a list of ANY installed stuff that is not strict debian
woody. I mean, web database administrators, counters, extra perl modules
got from cpan (as oposed from apt-get isntall libperl...etc.). Its more
probable that the first level vulnerability got in there (nevertheless,
if you got hacked by a perl script, then the perl package, apache
package or similar is borked).

3.- So, mirror your killed hard drive so that you can disect it later,
set up the box again with certain limited things, say forbid cgi's and
move to mod-perl and php, forbid ppl from having bash cgi's (since there
is a good chance this is where they got in).

What am i doing? I dunno, there is no checklist that will cover any
site, this is what i would do and im not very experienced. But whatever
you end up with, you should implement postmortem analysis capabilities
to your site (couple of snort/tcpdump boxes and an actual formalization
of your security policies will do).

So policy is the thing here anyhow, work on that. Think of syslog-ng
server, your tcpdump network capture server, snort ID analysys server,
log analyzer for the syslog server. Once cracked all one can do is think
better for the next time.

Reply to: