TCLUG Archive

RE: [TCLUG:12807] bad day (more details)
> Assuming that you have been tipped, it's too late to preserve any evidence
> that can be used to prosecute.  More often than not, compromised machines
> are usually "contaminated" by their respective owners, not the intruders
> themselves.
>
> Whenever a machine is suspected, it is most important not to touch
> anything.  Kick the network cord out of the wall and step away.  After the
> fact forensic techniques can vary from person to person, but if you're
> interested in legal prosecution, you'll want to proceed very carefully
> with your evidence, and seek external help and/or documentation.

If the person who did this (assuming that this was indeed a crack, which
does seem likely at this point) had any clue at all, you'll have a great
deal of difficulty finding them anyway.  A friend of mine foolishly failed
to heed my warnings to set up ipchains and hosts.deny on his RedHat box and
got rooted by somebody operating out of a server s/he'd previously cracked
in Norway.  The first thing the intruder did was to use my neighbor's box as
a platform to probe and attack *other* servers elsewhere in the world.  At
this point, even knowing where the attack came from, it would take a
substantial amount of investigation and cooperation by sysadmins who may not
even share a common language to determine where the chain of cracks begins.

On the other hand, from the way your system was trashed, I doubt this was
the work of a competent individual...  Not that that's probably any
consolation.

However, in case it hasn't been mentioned already, don't, don't, DON'T try
to repair the damage on this server.  The only way you'll be sure your
unwelcome guest hasn't left behind some trapdoor into the system is to
totally wipe the hard drive and start over (backups of non-system files may
be OK, like your website, or the contents of your FTP site, but you'll want
to make *very* sure those haven't been tampered with either).  Or, if you
prefer, get a new set of drives and keep the old ones as evidence.  Changing
the passwords is *not* enough.  Even restoring from backup may not work if
the backup was taken after the system was first entered.
--
Eric Hillman
UNIX Sysadmin
City & County Credit Union
ehillman@cccu.com
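The post's last paragraph says non-system data (website, FTP contents) may be restored, but only after making very sure it was not tampered with. One concrete way to do that check is to compare the restored tree against a hash manifest recorded before the incident. The script below is an added example, not code from this thread or from its author; it assumes you have a known-good copy (or a saved manifest) from before the break-in, and the two directory trees it compares are constructed in a temporary directory purely for demonstration.

```python
"""Compare a restored backup tree against a pre-incident SHA-256 manifest.

Added example, not from the TCLUG thread. Assumes a manifest
(relative path -> SHA-256) was built from a known-good copy taken
before the compromise. The sample trees below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative to root, POSIX separators) to its SHA-256.

    Symlinks are skipped deliberately: an intruder can point one outside the tree.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Classify every difference between the tree under root and the manifest.

    'modified': present in both but content differs
    'added':    present in the tree but not in the manifest (unexpected files)
    'missing':  listed in the manifest but absent from the tree
    Any non-empty list means the backup must not be trusted as-is.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a known-good website tree vs. a post-incident backup."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"     # pre-incident copy (constructed)
        backup = Path(tmp) / "backup"       # backup taken after the break-in (constructed)
        for d in (good, backup):
            (d / "htdocs").mkdir(parents=True)
            (d / "htdocs" / "index.html").write_text("<h1>Welcome</h1>\n")
            (d / "htdocs" / "about.html").write_text("<p>About us</p>\n")

        # Simulated post-incident state: one page altered, one unexpected file
        # present, one page gone. All of this is constructed sample data.
        (backup / "htdocs" / "index.html").write_text("<h1>Welcome</h1><!-- changed -->\n")
        (backup / "htdocs" / "unexpected.php").write_text("placeholder unexpected file\n")
        (backup / "htdocs" / "about.html").unlink()

        manifest = build_manifest(good)
        return compare_to_manifest(backup, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the manifest is only as trustworthy as its provenance: it has to come from a copy made before the system was first entered, and be stored off the compromised machine, which is exactly the point the post makes about backups taken too late.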