On Tue, 23 Aug 2005, Arne Götje (高盛華) wrote:

> On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
> > personally... i think any hacked machine should be looked over
> > carefully to be able to answer the following:
> >     - who broke in
> >     - how did they get in
> >     - why did they break in ( sometimes there's no answer )
> >     - where they came from
> >     - how many times did they come in
> >     - how many prev attempts did they try
> >     - how long before you noticed them
> >     - what other machines did they break into
> >       ( esp for those of you that like passwordless logins )
> >     - what text files were read or edited
> >     - which binaries and libraries did they modify
> >     - what extra directories and files exist
> >     - what did they sniff and for how long ( passwds )
> >     - .. endless list ..
> 
> Nice... can you also provide some info on how to find answers to these 
> questions? This would be very useful... just in case. :)

it's not "one place" or a document ..
 
it's a lot of work to find those answers

stuff in no particular order .. but more for your "thought process"
to attempt to answer the above questions ...

first step ...
        - backup everything BEFORE you are hacked
        and do not overwrite last week's or last month's backup

        - change all your loginID and passwds

        - disallow everything insecure... which could be a week's worth of 
        changes to any system from a basic cdrom install
        ( no pop3, no telnet, no ftp, no dhcp, no wireless, no vpn, etc )

2nd step ...
        - decide if you are gonna prosecute any successful break-ins
        and how you are gonna do that and why and follow police
        process and procedure ( get them involved asap )

3rd step ...
        - to do forensics, how much time does it take ??
        maybe a few hours, maybe a few weeks ... is it worth
        the time ??

        - first check all your binaries are intact against
        your backups and other duplicate systems 
        ( or use knoppix or equivalent to check your hacked disk )

        - take that hacked disk offline or not and you'd of course
        have a different backup system running all your services
        except for the vulnerability that was exploited

        - personally, i prefer to leave the hacked disks unaltered to
        see and watch them live and hopefully everybody
        ( law enforcement ) is also watching the 2nd time around
        so that we can pinpoint where the cracker is

4th step ...
        - look over all your files... one by one to see
        what they changed or edited or removed ...

        - anything left over is what they left for you to
        use to track them down ..

- obvious thing is to look at log files, but smart crackers
  will wipe out or clean the /var/log before they leave  

- no magic about how to find all those answers ... just lots
  of time and preparedness

fun stuff ...

c ya
alvin
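One way to carry out the "check all your binaries are intact against your backups" step from the 3rd and 4th steps above, as an added example that is not part of the original thread: build a hash manifest of a known-good tree (the backup) and of the suspect tree (the hacked disk mounted read-only from a live CD such as knoppix, so the suspect system's own tools are never trusted), then diff the two. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> (sha256, permission bits) for each regular file under root.
    Symlinks are recorded by target, never followed, so a planted link cannot
    pull files from outside the tree into the manifest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.is_symlink():
            manifest[rel] = ("symlink:" + os.readlink(p), None)
        elif p.is_file():
            manifest[rel] = (sha256_of(p), p.stat().st_mode & 0o7777)
    return manifest

def compare_manifests(baseline, current):
    """What changed, what was added, what was removed since the baseline."""
    b, c = set(baseline), set(current)
    return {
        "modified": sorted(k for k in b & c if baseline[k] != current[k]),
        "added": sorted(c - b),
        "removed": sorted(b - c),
    }

def demo():
    """Constructed scenario: baseline a small tree, then simulate the kinds of
    changes the checklist asks about and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "notes.txt").write_text("nothing to see\n")
        baseline = build_manifest(root)
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")   # modified binary
        (root / ".hidden").mkdir()                                 # extra directory
        (root / ".hidden" / "sniff.log").write_text("captured\n")  # extra file
        (root / "notes.txt").unlink()                              # removed file
        return compare_manifests(baseline, build_manifest(root))
```

The baseline manifest only answers these questions if it was written before the break-in and stored off the machine, which is the point of the "backup everything BEFORE you are hacked" step.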

