Re: Duncan's rooted system

From: richard childers / kg6hac (fscked_at_pacbell.net)
Date: 02/17/04

Next message: Clifton Royston: "Re: Rooted system"
Date: Mon, 16 Feb 2004 18:54:25 -0800
To: freebsd-security@freebsd.org


Duncan writes:

>Howdy all? Seems that I have been rooted. Possibly
>by a physical B&E, but who knows? Probably some
>of you do.... anyways, some politically sensitive
>email was deleted from a user account and the
>line
>
>low -tr &
>
>inserted into my .xinitrc .
>
>Duncan (Dhu) Campbell
>

I didn't see a lot of feedback that struck me as useful, there, Duncan,
in response to your description of events ... but let me add my two
cents; it's always useful to get an objective perspective.

First off, the 'low -tr' could be a red herring; it could be anything,
or nothing.

Second, looking for an executable 'low' may or may not be profitable
depending on whether your executables or libraries have been compromised.

Third of all, the first thing you should do is make some backups,
preferably in single user. Think of these as photographs of the crime
scene; they will be referred to later and must be of the highest
quality. 4mm DAT, 8mm and DLT are all suitable media; so are CDs.

(Indeed, periodically making 600 MB snapshots of critical pieces of your
installation, using a CD burner, is one of the cheapest ways to archive
your data; the cost per megabyte is cheaper than any other media I know.)

All of your analysis should be carried out on files restored from these
media and copied onto another, pristine, perhaps identical system; if it
is identical this is advantageous because it expedites the process of
(automate this, naturally) comparing the restored files against the
installed files for relevant differences.

When thinking about how to prevent this in the future, I would advise
that you (1) automate the transfer of all system logs to electronic
mail, off the server, for preservation against tampering (i.e., mail
yourself a copy of every log, to an offsite address, every day, so that
you have a copy in a tamper-proof location) ... and (2), consider using
command-line interfaces and living without X where possible.

(Daemonized Networking Services strongly advises against installing X on
servers; the advantages are few when compared to the disadvantages and
maintenance overhead and vulnerability. We have nothing against X - I
have personally been using X since R10V4, no kidding !! - but think that
X deserves its own dedicated server and should not piggyback on other
services. Of course, there are exceptions, and we have no desire to
provoke a debate on this topic; this is, remember, just our free advice
- worth about $0.02.)

As for physical security, I would consider a webcam monitoring the
console and even the approach to the console; again, by transferring the
pictures offsite to another Internet locale that is (more) secure from
tampering, one increases the probability that important evidence will be
preserved, despite the best efforts of professionals to do otherwise.
Using ssh or some form of encryption to secure the images against
tampering, during transfer, is recommended.

AXIS makes a nice line of Internet-ready and wireless security cameras;
some even include audio and do streaming video. If you're interested in
something more complex, a variety of VCRs exist that can handle multiple
video streams (i.e., multiple cameras) and even trigger off of activity in
one specific region (not a quadrant, more like a quadrant of a quadrant)
of the area monitored by a given camera. But at this point your security
system will start to outstrip your local giant drugstore's and approach
that of a bank's.

(Daemonized Networking Services hosts www.orafraud.org ... and takes
physical and network security -very- seriously.)

Regards,

-- richard

-- 
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
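The comparison step Richard recommends above (restored files against the installed files, automated) as an added example that is not part of the original post nor a tool of Daemonized Networking Services: a POSIX shell script that builds a SHA-256 manifest of each tree and reports which paths were modified, added or removed. It assumes either sha256sum (Linux) or sha256 (FreeBSD) is on the PATH and that the suspect tree has been copied read-only onto the analysis host; the directory names and file contents in demo_run are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): hash every regular file in a
# pristine restored tree and in the installed tree, then report what differs.
# Assumes sha256sum (Linux) or sha256 (FreeBSD) is on the PATH; the directory
# names and sample file contents in demo_run are constructed for the demo.
set -eu

# hash_file FILE: print the SHA-256 of FILE with whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest ROOT OUT: write "hash<TAB>relative/path" for every regular
# file under ROOT, sorted by path, so two manifests line up line for line.
make_manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -print | sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
      done ) > "$out"
}

# compare_manifests PRISTINE INSTALLED: print one line per difference.
#   MODIFIED path  present in both manifests, hash differs
#   ADDED    path  only in the installed tree
#   REMOVED  path  only in the pristine tree
compare_manifests() {
    awk -F'\t' '
        FILENAME == ARGV[1] { pristine[$2] = $1; next }   # load pristine hashes
        {
            if ($2 in pristine) {
                if (pristine[$2] != $1) print "MODIFIED", $2
                delete pristine[$2]
            } else {
                print "ADDED", $2
            }
        }
        END { for (f in pristine) print "REMOVED", f }
    ' "$1" "$2" | sort
}

# demo_run: build two small constructed trees and print the comparison.
# The "installed" tree has one modified, one added and one removed file.
demo_run() {
    work=$(mktemp -d)
    mkdir -p "$work/pristine/etc" "$work/installed/etc" "$work/installed/bin"

    printf 'exec xterm\n'       > "$work/pristine/.xinitrc"
    printf 'hostname="host"\n'  > "$work/pristine/etc/rc.conf"
    printf 'Welcome\n'          > "$work/pristine/etc/motd"

    printf 'exec xterm\n'       > "$work/installed/.xinitrc"      # unchanged
    printf 'hostname="other"\n' > "$work/installed/etc/rc.conf"   # modified
    printf '#!/bin/sh\n'        > "$work/installed/bin/low"       # added
    # etc/motd is deliberately absent from the installed tree     # removed

    make_manifest "$work/pristine"  "$work/pristine.manifest"
    make_manifest "$work/installed" "$work/installed.manifest"
    compare_manifests "$work/pristine.manifest" "$work/installed.manifest"
    rm -rf "$work"
}

# Usage on a real case (paths are placeholders):
#   make_manifest /mnt/restored pristine.manifest
#   make_manifest /mnt/suspect  installed.manifest
#   compare_manifests pristine.manifest installed.manifest
```

Run it on trees copied off the backup media onto the clean analysis host, as the message says, not on the compromised machine: a manifest produced with a compromised find or sha256 binary proves nothing. For whole filesystems, FreeBSD's mtree(8) can generate and verify the same kind of specification natively and scales better than one hash subprocess per file.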
    
