Re: Who is doom and Elite? + ssh question
From: Vincent Fox (vf5@cad.gatech.edu) Date: 03/03/02
- Next message: Steve Cowles: "Re: Strings to search for in Apache Access log"
- Previous message: ujay: "Re: Strings to search for in Apache Access log"
- In reply to: MEB: "Re: Who is doom and Elite? + ssh question"
- Next in thread: Andreas Braeutigam: "Re: Who is doom and Elite? + ssh question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: vf5@cad.gatech.edu (Vincent Fox) Date: Sun, 3 Mar 2002 17:30:35 +0000 (UTC)
In <3c81f859$1_2@news.isis.de> "MEB" <mmeebb@gmx.de> writes:
*snip*
>Thank you for your advice, however, I haven't wiped my hard disk yet (after
>restart the strange ports 666 and 31337 are not open any more - by the way I
>run nmap within the firewall).
>I tried to find out what happened first:
>The attacker used the "SSH crc32 compensation attack" described in e.g.
>http://staff.washington.edu/dittrich/misc/ssh-analysis.txt to compromise my
>system:
You've been rooted. Your next actions needed:
1) UNPLUG SYSTEM FROM NETWORK!
2) If you can afford it, simply yank the drive so you can
do forensics at your convenience. This is my philosophy, drives
are much cheaper than my time. If not, copy all relevant
user data, logs, and forensic data and wipe.
3) Note the machines they came in from, forward warnings.
4) Try to track the little idiot down, good luck getting the
other admins in the chain to assist you, usually goes cold here
when someone is unwilling to help you go the next hop.
5) Rebuild system WITHOUT any network attach. This is the most critical
part, systems have been rooted while doing post-install updates
so don't think you can get it up and running and secured while it's
still attached to a network.
6) Download all relevant updates on another machine, burn CD of them
carry over to new machine and apply. For you the most relevant is
to download OpenSSH 3.0.2 most likely.
7) Close all ports you don't HAVE to have open. Firewalls on the
local machine also perhaps a good idea, although not high priority IMHO.
Biggest priority is if you are not dedicated to keeping the program on
that port on your "watch list" for looking out for security updates to
it then close it.
8) Reattach and wait for next round of script kiddies.
This is the most depressing part, that they aren't uberhackers
working for Soviet intel that you can track down like Cliff Stoll did.
No it's a raft of worldwide juvenile delinquents constantly rattling
every possible doorknob, using crack software they barely understand.
-- "Who needs horror movies when we have Microsoft"? -- Christine Comaford, PC Week, 27/9/95
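A small offline triage helper for two of the steps in the checklist above, added here as an example and not part of Vincent's post or of any tool he mentions. It covers step 3 (note which remote hosts actually logged in, from sshd syslog lines) and step 7 (list listening TCP ports that are not on the admin's "watch list" of services they have committed to keeping patched). The log lines and the `netstat -tln` style socket table are constructed sample data, and the watch-list idea is taken from step 7; everything else (function names, the port numbers used in the sample) is an assumption of this example.

```python
"""Post-compromise triage helper (added example; not from the original thread).

Two checks from the rebuild checklist:
  * step 3: which remote hosts had *successful* SSH logins, so their admins
    can be warned;
  * step 7: which listening TCP ports are not on an explicit watch list.
All input below is constructed sample data so the script runs offline.
"""
import re
from collections import Counter

# Constructed sshd lines in classic syslog format (hosts/times are made up).
SAMPLE_AUTH_LOG = """\
Mar  1 02:14:07 box sshd[4012]: Accepted password for root from 192.0.2.77 port 3311 ssh2
Mar  1 02:14:09 box sshd[4013]: Accepted password for root from 192.0.2.77 port 3312 ssh2
Mar  1 09:30:41 box sshd[4200]: Accepted publickey for meb from 198.51.100.5 port 50122 ssh2
Mar  1 23:58:02 box sshd[4311]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
Mar  2 00:01:15 box sshd[4320]: Accepted password for root from 203.0.113.9 port 40011 ssh2
"""

# Constructed `netstat -tln` style output, echoing the ports named in the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# Only successful logins matter for "who got in"; failed attempts are noise here.
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)

# One listening TCP socket per line; addr is greedy and backtracks to the last ':'.
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN"
)


def ssh_login_sources(log_text):
    """Map remote host -> Counter of usernames that successfully logged in."""
    sources = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m is None:
            continue
        sources.setdefault(m.group("host"), Counter())[m.group("user")] += 1
    return sources


def unwatched_listeners(netstat_text, watch_list, include_loopback=False):
    """Return sorted (port, bind_addr) pairs that listen but are not watched.

    Loopback-only listeners are skipped by default: they are not reachable
    from the network, but pass include_loopback=True to see them too.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m is None:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        if addr in ("127.0.0.1", "::1") and not include_loopback:
            continue
        if port not in watch_list:
            found.append((port, addr))
    return sorted(found)


def triage(log_text, netstat_text, watch_list):
    """Bundle both checks into one report dict for a rebuild checklist."""
    return {
        "login_sources": ssh_login_sources(log_text),
        "ports_to_close": unwatched_listeners(netstat_text, watch_list),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG, SAMPLE_NETSTAT, watch_list={22, 80})
    for host, users in sorted(report["login_sources"].items()):
        print(f"warn admin of {host}: logins {dict(users)}")
    for port, addr in report["ports_to_close"]:
        print(f"not on watch list, close it: {addr}:{port}")
```

Run it against real data by feeding the script the contents of the auth log and the saved `netstat -tln` output from the copied forensic material, and by putting in the watch list only the ports whose services you will actually track for security updates; anything else it prints is a candidate for step 7.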