Re: hacked: can't delete files
On Tue, 23 Aug 2005, Arne Götje wrote:
> On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
> > personally... i think any hacked machine should be looked over
> > carefully to be able to answer the following:
> > - who broke in
> > - how did they get in
> > - why did they break in ( sometimes there's no answer )
> > - where they came from
> > - how many times did they come in
> > - how many prev attempts did they try
> > - how long before you noticed them
> > - what other machines did they break into
> > ( esp for those of you that like passwordless logins )
> > - what text files were read or edited
> > - which binaries and libraries did they modify
> > - what extra directories and files exist
> > - what did they sniff and for how long ( passwds )
> > - .. endless list ..
>
> Nice... can you also provide some info on how to find answers to these
> questions? This would be very useful... just in case. :)
it's not "one place" or a document ..
it's a lot of work to find those answers
stuff in no particular order .. but more for your "thought process"
to attempt to answer the above questions ...
first step ...
- backup everything BEFORE you are hacked
and do not overwrite last week's or last month's backup
- change all your loginID and passwds
- disallow everything insecure... which could be a week's worth of
changes to any system from a basic cdrom install
( no pop3, no telnet, no ftp, no dhcp, no wireless, no vpn, etc )
2nd step ...
- decide if you are gonna prosecute any successful breakins
and how you are gonna do that and why and follow police
process and procedure ( get them involved asap )
3rd step ...
- to do forensics, how much time does it take ??
maybe a few hours, maybe a few weeks ... is it worth
the time ??
- first check all your binaries are intact against
your backups and other duplicate systems
( or use knoppix or equivalent to check your hacked disk )
- take that hacked disk offline or not and you'd of course
have a different backup system running all your services
except for the vulnerability that was exploited
- personally, i prefer to leave the hacked disks unaltered to
see and watch them live and hopefully everybody
( law enforcement ) is also watching the 2nd time around
that we can pinpoint where the cracker is
4th step ...
- look over all your files... one by one to see
what they changed or edited or removed ...
- anything left over is what they left for you to
use to track them down ..
- obvious thing is to look at log files, but smart crackers
will wipe out or clean the /var/log before they leave
- no magic about how to find all those answers ... just lots
of time and preparedness
fun stuff ...
c ya
alvin