Re: i386-RHLinux box hacked. What next?
From: Bit Twister (BitTwister@localhost.localdomain) Date: 03/13/02
From: BitTwister@localhost.localdomain (Bit Twister) Date: Tue, 12 Mar 2002 23:07:26 GMT
On Tue, 12 Mar 2002 18:03:31 GMT, Vinay A. Maha*** wrote:
> Hey,
>
> I have box that's been hacked into. It is presently offline. I would
> like to know if there're any nice HOWTOs or whitepapers out there which
> detail forensics for linux systems.
>
> I would like to take on this very systematically. I want to know how it
> was hacked into so that I can plug the hole. Else, I see an ugly
> reinstall..
Oh, you have to format and do an install.
http://www.chkrootkit.org has a program for checking for rootkit installs.
Any time you know a box is cracked, you should:
o Pull the box off the network; you do not want the police taking
you and your equipment to jail because a cracker used it
to crack a bank or military site.
o Put the hard drive(s) into a standalone machine,
mount the disk(s) readonly,
save any data, user files, ...,
o Save a full copy of the disk(s) for your forensic attempt,
save the disk(s) for FBI forensics if it's a Big, BIG dollar loss.
o Reformat disk drives and do a fresh install from known clean
source to remove any possible back doors the cracker installed.
o Restore your saved files, verify that the restored files
do not have the suid bit set: "find / -perm +6000 -ls".
o Have everyone on the box's network change passwords and
tell them why so they will not use them ever again.
Any other boxes logged into from the cracked box should
have their passwords changed.
Here is why you need a clean install
http://www.linuxdoc.org/LDP/LG/issue36/kuethe.html
4th paragraph.
Install a firewall
Get all the vendor updates to your distro.
You might want to read Armoring Linux
http://www.linuxdoc.org/HOWTO/Security-Quickstart-HOWTO/index.html
http://www.enteract.com/~lspitz/linux.html
http://www.linuxsecurity.com/docs/colsfaq.html
http://www.securityportal.com/lskb/articles/
http://www.securityportal.com/lasg/
http://www.cert.org/advisories/
For cheap install CDs
http://cart.cheapbytes.com/cgi-bin/cart
top left under Products.
For people across the pond,
http://www.linuxemporium.co.uk
http://www.linux123.co.uk/
Never login as root unless you have to.
Always login from the console, no su, telnet, ssh, ...
That way a keystroke logger in your user account cannot
catch your root login password.
You can audit your system if you are using the rpm package manager with
rpm -Va | grep '..5' > /tmp/verify.log
Runs for a while.
/tmp/verify.log will contain changes which you have made using
configuration tools
Hope crackers do not put in a rootkit which makes the rpm check obsolete.
I think this has happened, though not sure.
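The `rpm -Va | grep '..5'` audit above leaves the reader to sort the hits by hand. As an added example (not from this post), here is a small parser over constructed `rpm -Va` output that separates config-file edits (the "c" entries the post says come from your own configuration tools) from changed or missing non-config files, which are the entries worth comparing against a clean install. The sample output and file names are constructed for illustration.

```python
import re

# Constructed sample of `rpm -Va` output (not captured from a real host).
# Each line: up to nine test flags (S=size M=mode 5=MD5 D=device L=link
# U=user G=group T=mtime P=caps, '.'=passed, '?'=untestable), an optional
# file type (c=config d=doc g=ghost l=license r=readme), then the path.
# "missing" marks a file the package owns that is no longer on disk.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/share/doc/bash/README
missing     /sbin/ifconfig
.M.......    /usr/bin/passwd
S.5....T.  c /etc/hosts.allow
"""

LINE_RE = re.compile(
    r'^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+'
    r'(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$'
)


def parse_rpm_va(text):
    """Yield (flags, filetype, path) for every parsable `rpm -Va` line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield m.group('flags'), m.group('type') or '', m.group('path')


def suspicious_changes(text):
    """Return (path, reason) for non-config files whose contents changed
    (the MD5 flag '5' in column 3, i.e. what grep '..5' matches) or that
    are missing. Config files are skipped: those are normally the admin's
    own edits, whereas a changed MD5 on /bin/ls or a vanished /sbin tool
    is the kind of difference a rootkit leaves behind."""
    hits = []
    for flags, ftype, path in parse_rpm_va(text):
        if ftype == 'c':
            continue
        if flags == 'missing':
            hits.append((path, 'missing'))
        elif flags[2] == '5':
            hits.append((path, 'contents changed'))
    return hits
```

Run it as `suspicious_changes(open('/tmp/verify.log').read())` against a log saved by the command above; a mode-only change such as `/usr/bin/passwd` in the sample is not reported, so check the `M` column separately if you care about permission changes.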