
Re: hacked: can't delete files




On Tue, 23 Aug 2005, Arne Götje (高盛華) wrote:

> On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
> > personally... i think any hacked machine should be looked over
> > carefully to be able to answer the following:
> > 	- who broke in
> > 	- how did they get in
> > 	- why did they break in ( sometimes there's no answer )
> > 	- where they came from
> > 	- how many times did they come in
> > 	- how many prev attempts did they try
> > 	- how long before you noticed them
> > 	- what other machines did they break into
> > 	  ( esp for those of you that like passwordless logins )
> > 	- what text files were read or edited
> > 	- which binaries and libraries did they modify
> > 	- what extra directories and files exist
> > 	- what did they sniff and for how long ( passwds )
> > 	- .. endless list ..
> 
> Nice... can you also provide some info on how to find answers to these 
> questions? This would be very useful... just in case. :)

it's not "one place" or a document ..
 
it's a lot of work to find those answers

stuff in no particular order .. but more for your "thought process"
to attempt to answer the above questions ...

first step ...
	- backup everything BEFORE you are hacked
	and do not overwrite last week's or last month's backup

	- change all your loginID and passwds

	- disallow everything insecure... which could be a week's worth of 
	changes to any system from a basic cdrom install
	( no pop3, no telnet, no ftp, no dhcp, no wireless, no vpn, etc )

2nd step ...
	- decide if you are gonna prosecute any successful breakins
	and how you are gonna do that and why, and follow police
	process and procedure ( get them involved asap )

3rd step ...
	- to do forensics, how much time does it take ??
	maybe a few hours, maybe a few weeks ... is it worth
	the time ??

	- first check all your binaries are intact against
	your backups and other duplicate systems 
	( or use knoppix or equivalent to check your hacked disk )

	- take that hacked disk offline or not and you'd of course
	have a different backup system running all your services
	except for the vulnerability that was exploited

	- personally, i prefer to leave the hacked disks unaltered to
	see and watch them live and hopefully everybody
	( law enforcement ) is also watching the 2nd time around
	so that we can pinpoint where the cracker is

4th step ...
	- look over all your files... one by one to see
	what they changed or edited or removed ...

	- anything left over is what they left for you to
	use to track them down ..

- obvious thing is to look at log files, but smart crackers
  will wipe out or clean the /var/log before they leave  

- no magic about how to find all those answers ... just lots
  of time and preparedness
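The binary check in the 3rd step and the file-by-file review in the 4th step, as an added example that is not part of the original post: a POSIX shell script meant to be run from a live CD (knoppix or equivalent) with the suspect disk mounted read-only. It records sha256 hashes of a known-good backup tree and reports files that were modified, removed (e.g. wiped logs) or added on the suspect disk. The mount points mentioned in the comments and the trees built by `demo` are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Run from a live CD with the
# suspect disk mounted read-only (e.g. /mnt/suspect) and a known-good backup
# of the same tree available (e.g. /mnt/backup); both paths are assumptions.
set -eu

# make_manifest GOOD_ROOT OUTFILE
# Writes "sha256  ./relative/path" for every regular file, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# compare_tree MANIFEST SUSPECT_ROOT
# Prints "MODIFIED path" for changed binaries/files, "MISSING path" for
# files that are gone from the suspect disk (wiped logs), and "EXTRA path"
# for files that exist only on the suspect disk (planted tools, sniffer output).
compare_tree() {
    manifest="$1"; suspect="$2"
    tmp=$(mktemp -d)
    while read -r sum path; do
        if [ ! -f "$suspect/$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(sha256sum "$suspect/$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$manifest"
    # paths in the manifest start at column 67 (64 hex chars + two spaces)
    cut -c67- "$manifest" | LC_ALL=C sort > "$tmp/good"
    ( cd "$suspect" && find . -type f ) | LC_ALL=C sort > "$tmp/bad"
    LC_ALL=C comm -13 "$tmp/good" "$tmp/bad" | sed 's/^/EXTRA /'
    rm -rf "$tmp"
}

# demo: constructed backup and suspect trees with one altered binary, one
# wiped log and one planted file, so the script runs without real disks.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/good/bin" "$d/good/var/log" "$d/bad/bin" "$d/bad/var/log" "$d/bad/tmp/.x"
    printf 'ls-v1' > "$d/good/bin/ls";  printf 'ls-v1' > "$d/bad/bin/ls"
    printf 'ps-v1' > "$d/good/bin/ps";  printf 'ps-altered' > "$d/bad/bin/ps"
    printf 'login ok\n' > "$d/good/var/log/auth.log"   # absent on suspect disk
    printf 'constructed sniffer output' > "$d/bad/tmp/.x/sniff.log"
    make_manifest "$d/good" "$d/manifest"
    compare_tree "$d/manifest" "$d/bad"
    rm -rf "$d"
}

demo
```

On a real system the manifest must come from the backup or a duplicate machine, never from the suspect disk itself, since an intruder who replaced sha256sum or find can make a compromised disk check out clean.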

fun stuff ...

c ya
alvin



