
Re: hacked server




On Sat, 18 Mar 2006, Jon  Miller wrote:

> I have a hacked server that has a few rootkits installed.  I'm going to rebuild this using the following procedure:
> 1) backup data files
> 2) copy /etc/*.conf
> 3) either make an image of the system and then blow it away or get new drives.
> 
> Have I missed out on anything?

for the "3" items:
a) if you backup data, do NOT erase previous ( supposedly good and clean ) 
   backups prior to you noticing the rootkits .. but the actual intruder
   could have been there for months ... so do NOT erase the past two 
   months of "good" backups 
 
b) *.conf files are not the only items of interest

   most everything of value fits onto floppy, so if your system config 
   doesn't fit onto a floppy, you're copying more stuff than you need

c) getting a new disk is best ... keep the old disk just in case you forgot
   to copy the all-important config file you forgot about

	use apt-get to get a list of installed packages if you
	trust its output to rebuild your new box with similar apps

d) and you missed about 997+ other important things to do after being
   cracked and maybe only a dozen or so would be of general interest
	- change your current security policy to prevent it from
	happening again ...

	- backup data daily onto backup data from 6 months ago  vs
	overwriting last week's data

	- apply patches as needed ( daily, weekly or monthly ) as 
	time permits

	- find out who got in, 
	- find out when they got in
	- find out how they got in
	- find out why they got in ( their perspective = fun or malicious )
	- find out why they got in ( your perspective = security hole )

	- find out what OTHER machines they have attacked
	- find out what data they have sniffed ( login/pwd )
	- find out where they went after getting into your servers

	- report to the local computer crime dept or FBI or equivalent
	if you want to prosecute ... but that'd imply you don't
	touch your server and the lawyers have it offline etc.. etc..

	... blah blah .. blah ..

e) 975+ other things to do :-)

c ya
alvin
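The reply above suggests copying the config files and pulling an installed-package list from apt "if you trust its output". The script below is an added example, not code from either poster: it builds a manifest of the old system's /etc (path plus SHA-256) and its installed-package list by reading the old disk directly, so nothing on the compromised system has to be executed, and it can later diff that manifest against the rebuilt box or an older backup to see which config files changed. It assumes the old disk is mounted (ideally read-only) on a clean rescue host at the path given as the first argument, that the old system is Debian-style with its package database at var/lib/dpkg/status, and that GNU coreutils/findutils (find, sort -z, xargs -0, sha256sum, diff, awk) are available. The sample tree built by make_sample_tree is constructed test data, not real system content.

```shell
#!/bin/sh
# Added example: inventory a compromised system's config and packages from
# its disk, without running the (untrusted) binaries on that system.
set -u

# config_manifest <root-of-old-disk> <output-dir>
# Writes <out>/etc.sha256 (hash + path for every regular file under etc/)
# and <out>/packages.txt (packages in "install ok installed" state).
# Prints the number of files hashed.
config_manifest() {
    root="$1"
    out="$2"
    mkdir -p "$out"

    # 1. Hash every regular file under etc/ with paths relative to the
    #    disk root, so two manifests from different mount points compare.
    ( cd "$root" && find etc -type f -print0 2>/dev/null \
        | sort -z \
        | xargs -0 sha256sum ) > "$out/etc.sha256"

    # 2. Parse the dpkg status database on disk instead of executing
    #    dpkg/apt on the compromised host (assumed Debian-style layout).
    awk '/^Package: /{p=$2} /^Status: install ok installed$/{print p}' \
        "$root/var/lib/dpkg/status" 2>/dev/null | sort -u > "$out/packages.txt"

    wc -l < "$out/etc.sha256" | tr -d ' '
}

# manifest_diff <old.sha256> <new.sha256>
# Prints each path whose hash differs or which exists on only one side.
manifest_diff() {
    diff "$1" "$2" | awk '/^[<>]/{print $3}' | sort -u
}

# make_sample_tree <dir>: constructed stand-in for an old disk, used for the
# demo and the test only.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/etc/ssh" "$d/var/lib/dpkg"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/etc/passwd"
    printf 'PermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
    cat > "$d/var/lib/dpkg/status" <<'EOF'
Package: openssh-server
Status: install ok installed
Version: 0.0-constructed

Package: telnetd
Status: deinstall ok config-files
Version: 0.0-constructed
EOF
}

# Demo run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    T=$(mktemp -d)
    make_sample_tree "$T/old"
    echo "hashed $(config_manifest "$T/old" "$T/out") files"
    echo "packages to reinstall:"; cat "$T/out/packages.txt"
    rm -rf "$T"
fi
```

Mount the old disk read-only before running this, and keep the resulting etc.sha256 alongside the backups: once the new box is built, manifest_diff against a manifest taken from the new box (or from a pre-incident backup) points straight at the config files an intruder touched.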


