
Re: i am hacked atm.. what's better thing to do?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> A lot depends on whether you want to watch/trace/prosecute/learn
> from/annoy him, or if you just want him off your system.
>
> What I would do (since I like to learn from the intrusions), is to
> follow him around for a while.  At minimum, find out what IP address he
> is coming from and how he got into your machine.

The source IP number isn't necessarily helpful - he could be coming from
one of those places offering free shell access.

And definitely follow the guy (if the attacker is a guy :) around - it
won't help you to re-install and not know how they got in the first time
around.

> A simple packet sniffer for Debian can be obtained through `apt-get
> install sniffit`, and then run `sniffit -I`.  This will at least tell
> you the open connections to your machine and the IP addresses.  If you
> want to see what he's doing, run a packet sniffer (tcpdump, though
> sniffit can probably do it as well) to sniff packets to/from his IP.

Hint: tcpdump -w <filename> -i eth0 host <hostname> is really useful.
Especially if the attacker is stupid enough to do their work through
telnet.

> The syslog is probably the best place to find how he got into your
> system.  But it might have been tampered with.  If you think it's a
> fairly recent attack, look around your directories a bit with an `ls
> -lart` to show all recently-changed entries.  Script kiddie tools are
> easily found this way, though better hackers can hide their tracks.

Especially since they can just do a "rm -rf /var/log" - yes I've seen that
happen.

> Finally, don't trust the output of ps (it may be one that hides their
> tracks), login could have been replaced to have a backdoor and log your
> passwords, etc.

Definitely.  Note that an "unusual" ps output can tip you off to their
presence.

Witness this output from a compromised RH6.2 system I cleaned up:

USER       PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
nobody     515  0.0  0.2  1888   140  ?  S  Oct 11   0:00 proftpd (accepting co
nobody    3621  0.0  3.4  6720  2204  ?  S  Oct 15   0:00 httpd
nobody    3622  0.0  3.3  6708  2116  ?  S  Oct 15   0:00 httpd
nobody    3623  0.0  3.3  6708  2112  ?  S  Oct 15   0:00 httpd
nobody    3624  0.0  3.5  6720  2240  ?  S  Oct 15   0:00 httpd
nobody    3625  0.0  3.4  6720  2200  ?  S  Oct 15   0:00 httpd
nobody    3626  0.0  3.3  6708  2132  ?  S  Oct 15   0:00 httpd
nobody    3627  0.0  2.4  6708  1528  ?  S  Oct 15   0:00 httpd
nobody    3628  0.0  2.6  6720  1688  ?  S  Oct 15   0:00 httpd
root         1  0.0  0.1  1120   124  ?  S  Oct 11   0:07 init
root         3  0.0  0.0     0     0  ?  SW Oct 11   0:01 (kupdate)
root         4  0.0  0.0     0     0  ?  SW Oct 11   0:00 (kpiod)
root         6  0.0  0.0     0     0  ?  SW<Oct 11   0:00 (mdrecoveryd)
root       386  0.0  0.2  1420   172  ?  S  Oct 11   0:00 klogd
root       400  0.0  0.2  1328   132  ?  S  Oct 11   0:00 crond
root       414  0.0  0.6  1168   404  ?  S  Oct 11   0:00 inetd
root       484  0.0  0.1  1144    72  S0 S  Oct 11   0:00 gpm -t ms
root       498  0.0  1.0  6576   684  ?  S  Oct 11   0:03 httpd
root       589  0.0  0.0   900    16  ?  S  Oct 11   0:00 papd
root       640  0.0  0.0  1092     0   2 SW Oct 11   0:00 (mingetty)
root       641  0.0  0.0  1092     0   3 SW Oct 11   0:00 (mingetty)
root       643  0.0  0.0  1092     0   5 SW Oct 11   0:00 (mingetty)
root       644  0.0  0.0  1092     0   6 SW Oct 11   0:00 (mingetty)
root       672  0.0  1.1  2192   736  ?  S  Oct 11   1:12 nmbd
root       699  0.0  0.5  2660   320  ?  S  Oct 11   0:00 xdm
root     23287  0.0  8.8 13036  5580  ?  S N 18:14   0:15 ./quake2 +set dedicat
root     23290  0.0  0.6  1092   404   4 S   18:14   0:00 /sbin/mingetty tty4
root     23551  0.0  0.6  1092   404   1 S   18:37   0:00 /sbin/mingetty tty1
root     24012  0.0  0.7   924   464  ?  S   01:06   0:00 in.telnetd
root     24752  0.0  0.7   924   468  ?  S   01:19   0:00 in.telnetd

Note the absence of various programs, especially bash shells associated
with the telnet processes, or even my own login shell (I was logged in as
'pbrutsch') :)

> You might run nmap against your own machine to check if any additional
> ports were enabled.

Additional ports aren't always opened.  Although if you catch them at the
right time you might find their remote root shell before they close it...

> Once you figure out how your machine was compromised (watching other
> machines get attacked from your own may give a clue here) then check the
> IP he's coming from and see if it was compromised in the same way.  If
> so, notify the owner.  If not, then this is the hacker's home box and
> you should contact his ISP (or the authorities).

That's not always a possibility.  I've seen stolen PPP accounts used; I've
also seen attackers come from a site offering free shell access, without
enough information on how to track down their user ID.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6B3RD/ZTSZFDeHPwRAl1YAKCbUkilEAorHGxfG2eVip4Pr/uq2gCdFdlu
z3zWabX121Ib1OZN4DQV4qI=
=n2NE
-----END PGP SIGNATURE-----
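The trojaned-ps situation shown in the message above (a ps listing with no shells behind the in.telnetd processes and not even the poster's own login shell) can be checked mechanically: the kernel still exposes every process as a /proc/<pid> directory, whatever a replaced ps binary chooses to print. The script below is an added example written for this archive page, not code from the original mail or its author. It assumes a Linux-style /proc and a POSIX sh; the function and option names (hidden_pids, intersect, live_check, --live) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail: compare the kernel's own
# process list (/proc) with what the ps binary reports.  A replaced ps of
# the kind described in the thread drops the attacker's shells from its
# output, but the kernel still exposes them as /proc/<pid> directories, so
# any PID present in /proc that ps does not mention deserves a close look.
# Assumes a Linux-style /proc; function names here are the example's own.

# hidden_pids KERNEL_PIDS PS_PIDS
#   Both arguments are whitespace-separated PID lists.  Prints, one per
#   line and numerically sorted, the PIDs present in KERNEL_PIDS but absent
#   from PS_PIDS.  Pure text processing, so it also works on saved lists.
hidden_pids() {
    for pid in $1; do
        printf '%s\n' $2 | grep -qx "$pid" || echo "$pid"
    done | sort -n
}

# intersect LIST_A LIST_B: PIDs that appear in both lists, sorted.
intersect() {
    for pid in $1; do
        printf '%s\n' $2 | grep -qx "$pid" && echo "$pid"
    done | sort -n
}

# pids_from_proc: every numeric directory under /proc, i.e. every process
# the kernel currently knows about, regardless of what userland tools say.
pids_from_proc() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# pids_from_ps: the PIDs the (possibly replaced) ps binary admits to.
pids_from_ps() {
    ps -e -o pid=
}

# describe_pid PID: label a suspicious PID from /proc rather than from ps,
# because ps is exactly the tool we no longer trust.
describe_pid() {
    name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null)
    cmd=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)
    printf 'pid %s  name=%s  cmdline=%s\n' "$1" "${name:-?}" "${cmd:-?}"
}

# live_check: snapshot /proc before and after running ps, and report only
# PIDs that were alive in both snapshots yet missing from the ps output.
# Requiring both snapshots filters out processes that started or exited
# while we were looking (our own subshells and the ps invocation included).
# Returns 1 when something is hidden, 0 otherwise.
live_check() {
    before=$(pids_from_proc)
    reported=$(pids_from_ps)
    after=$(pids_from_proc)
    stable=$(intersect "$before" "$after")
    hidden=$(hidden_pids "$stable" "$reported")
    if [ -z "$hidden" ]; then
        echo "no PIDs hidden from ps"
        return 0
    fi
    echo "PIDs present in /proc but absent from ps output:"
    for pid in $hidden; do
        describe_pid "$pid"
    done
    return 1
}

# Run the live comparison only when asked, so the functions can also be
# sourced or exercised with constructed lists.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh hidden_procs.sh --live`, ideally with a shell and coreutils started from known-good read-only media, since a replaced ps is rarely the only replaced binary. The check only catches userland tampering: a kernel-level rootkit that filters /proc as well will show nothing here, which is why the thread's advice to capture traffic from outside the box with tcpdump remains the more trustworthy view.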