
Re: Server injection attack

On Tuesday 10 July 2007 01:23, Zach wrote:
> On 7/10/07, Mike Bird <mgb@yosemite.net> wrote:
> >  He or she will neither boot the drives nor execute any
> > program or script on them, for they are all compromised.  He or she will
> > only read the compromised drives.
> How can I do this? Assume the hacked disk is /dev/hda and the Linux root
> partition lives on /dev/hda2. Did you mean just using chroot? Would
> like to know in case I must ever do a forensic analysis.

Everything on all of the server's drives is compromised (cannot
be trusted) so it is important not to boot/use/run/execute anything
from those drives.

Ideally you start by making copies of the compromised drives and
keeping the originals in a safe place.

You work from a known secure system, and mount the compromised
drive(s) as slaves, usually noexec and noatime.  The noexec helps
to prevent accidental execution of compromised programs but is not
perfect.  The noatime helps to prevent loss of tracking information,
although a clever attacker may already have forged atimes.

You then poke around with simple tools with no undesirable side
effects, mostly ls and less, and try to figure out what happened.
You never chroot to any of the filesystems on the compromised
drives, because that would cause execution of compromised programs.
If you so much as run the compromised ls then you can't believe
anything you see and you may even, via a daemon takeover, allow
the infection to escape the chroot jail.

At the end of a few hours or a few days you will probably know
which vulnerability the attacker exploited.  You can patch that
hole before putting the next incarnation of the server online.

If the bug is new you should make sure the software's author is
aware of the problem.  He or she will usually be friendly and

--Mike Bird
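The workflow Mike lays out (image the drive, mount the copy read-only with noexec and noatime from a trusted host, then only look), as an added shell example that is not part of the original mail and not a Debian or util-linux script. The device name /dev/hda, root on partition 2, the /evidence working directory and the /mnt/evidence mount point are assumptions; the imaging and mounting steps need root, while the checks on mount options, PATH hygiene and partition naming run as-is.

```shell
#!/bin/sh
# Added example, not code from the original mail.  Illustrates the "image it,
# mount it read-only/noexec/noatime, look but never execute" workflow.
# Assumptions (all hypothetical): the seized disk is /dev/hda with root on
# partition 2, the working copy lives under /evidence, the mount point is
# /mnt/evidence, and the host is a trusted Linux system with util-linux
# (losetup, mount), GNU coreutils and GNU findutils.

DISK=${DISK:-/dev/hda}              # assumed: the compromised drive
ROOTPART=${ROOTPART:-2}             # assumed: root filesystem is partition 2
EVD=${EVD:-/evidence}               # assumed: evidence directory on the clean host
IMAGE=$EVD/hda.img
MNT=${MNT:-/mnt/evidence}           # assumed: mount point on the clean host

# Everything is mounted read-only with no execution, no setuid, no device
# nodes and no atime updates.  noexec is not a guarantee: an interpreter you
# start from the host still runs whatever you feed it, so never feed it files
# from the mount.
EVIDENCE_OPTS="ro,noexec,nosuid,nodev,noatime"

# Step 1: copy the drive once and hash both sides, then work only on the copy.
image_disk() {
    dd if="$DISK" of="$IMAGE" bs=4M conv=noerror,sync
    sha256sum "$DISK" "$IMAGE" | tee "$IMAGE.sha256"
}

# Partition device naming: /dev/hda -> /dev/hda2, but a base name ending in a
# digit (loop0, nvme0n1) gets a 'p' inserted: /dev/loop0 -> /dev/loop0p2.
partition_dev() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# Return 0 only if every option in $2 (comma separated) appears in the option
# field of the /proc/mounts line $1.  This proves the kernel applied what was
# asked for before anything under the mount point is touched.
mount_has_opts() {
    line_opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for want in $(printf '%s\n' "$2" | tr ',' ' '); do
        case ",$line_opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 only if the PATH value $2 (default: the current PATH) has no entry
# under the mount point $1, so a mistyped command cannot resolve to a
# compromised binary.
path_excludes_mount() {
    p=${2:-$PATH}
    case ":$p:" in
        *":$1"*) return 1 ;;
    esac
    return 0
}

# Step 2: attach the image read-only on a loop device with partition scanning,
# mount the root partition with the evidence options, and read them back.
mount_root() {
    path_excludes_mount "$MNT" || { echo "PATH contains $MNT" >&2; return 1; }
    loop=$(losetup --find --show --read-only --partscan "$IMAGE") || return 1
    mount -o "$EVIDENCE_OPTS" "$(partition_dev "$loop" "$ROOTPART")" "$MNT" || return 1
    if ! mount_has_opts "$(grep " $MNT " /proc/mounts)" "$EVIDENCE_OPTS"; then
        echo "kernel did not apply $EVIDENCE_OPTS, unmounting" >&2
        umount "$MNT"
        return 1
    fi
}

# Step 3: look, never run.  Host tools by absolute path, no chroot, results
# written outside the mount.  Timestamps may be forged, so treat them as leads.
triage() {
    days=${1:-7}
    /bin/ls -la "$MNT/etc" "$MNT/root" "$MNT/tmp" > "$EVD/listing.txt" 2>&1
    /usr/bin/find "$MNT" -xdev -type f -mtime -"$days" \
        -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' | sort > "$EVD/recent.txt"
    /usr/bin/find "$MNT" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' > "$EVD/setuid.txt"
    echo "results in $EVD; read them with less, never with sh"
}

# Run the whole procedure only when invoked as:  sh this.sh run   (needs root)
if [ "${1:-}" = run ]; then
    image_disk && mount_root && triage
fi
```

Reading /proc/mounts back is the real check: it reports what the kernel applied, not what was typed, and the mount is dropped if any option is missing. The partition helper matters because a loop device exposes partitions as loop0p2, not loop02, which is the detail that usually trips up a first attempt at mounting an image rather than the raw drive.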
