On Tue, 23 Aug 2005, Arne Götje (高盛華) wrote:
> On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
> > personally... i think any hacked machine should be looked over
> > carefully to be able to answer the following:
> > - who broke in
> > - how did they get in
> > - why did they break in ( sometimes there's no answer )
> > - where they came from
> > - how many times did they come in
> > - how many prev attempts did they try
> > - how long before you noticed them
> > - what other machines did they break into
> >   ( esp for those of you that like passwordless logins )
> > - what text files were read or edited
> > - which binaries and libraries did they modify
> > - what extra directories and files exist
> > - what did they sniff and for how long ( passwds )
> > - .. endless list ..
>
> Nice... can you also provide some info on how to find answers to these
> questions? This would be very useful... just in case. :)

it's not "one place" or a document .. it's a lot of work to find those answers

stuff in no particular order .. but more for your "thought process"
to attempt to answer the above questions ...

first step ...
- backup everything BEFORE you are hacked and do not overwrite
  last week's or last month's backup
- change all your loginIDs and passwds
- disallow everything insecure... which could be a week's worth
  of changes to any system from a basic cdrom install
  ( no pop3, no telnet, no ftp, no dhcp, no wireless, no vpn, etc )

2nd step ...
- decide if you are gonna prosecute any successful breakins
  and how you are gonna do that and why
  and follow police process and procedure ( get them involved asap )

3rd step ...
- to do forensics, how much time does it take ??
  maybe a few hours, maybe a few weeks ... is it worth the time ??
- first check all your binaries are intact against your backups
  and other duplicate systems
  ( or use knoppix or equivalent to check your hacked disk )
- take that hacked disk offline or not
  and you'd of course have a different backup system running
  all your services except for the vulnerability that was exploited
- personally, i prefer to leave the hacked disks unaltered
  to see and watch them live and hopefully everybody ( law enforcement )
  is also watching the 2nd time around so that we can pinpoint
  where the cracker is

4th step ...
- look over all your files... one by one to see what they changed
  or edited or removed ...
- anything left over is what they left for you to use to track them down ..
- obvious thing is to look at log files, but smart crackers will wipe out
  or clean the /var/log before they leave
- no magic about how to find all those answers ...
  just lots of time and preparedness

fun stuff ...

c ya
alvin
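Alvin's 3rd and 4th steps (check binaries against your backups, then go over the files one by one for what was changed, added or removed) boil down to diffing a trusted tree against the suspect disk. The script below is an added example, not code from Alvin's post or from the list: it hashes a clean copy into a manifest, hashes the suspect tree, and reports added, removed and modified paths, where "modified" also covers a permission change on unchanged bytes. The two directory trees, file contents and tampering it builds in a temp dir are constructed for the demo. As the post notes, run this from knoppix or equivalent with the hacked disk mounted read-only, because the hacked host's own `python`, `sha256sum` and `ls` are exactly the binaries you cannot trust.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits) for every regular file under root.

    Symlinks are skipped so the manifest only describes bytes inside the tree.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (sha256_of(p), p.stat().st_mode & 0o7777)
    return manifest


def compare(baseline: dict, suspect: dict) -> dict:
    """Classify paths as added, removed or modified (hash OR permission bits differ)."""
    added = sorted(set(suspect) - set(baseline))
    removed = sorted(set(baseline) - set(suspect))
    modified = sorted(
        p for p in baseline.keys() & suspect.keys() if baseline[p] != suspect[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed clean tree and a constructed tampered copy, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "backup"   # stands in for last week's backup
        bad = Path(tmp) / "suspect"   # stands in for the hacked disk, mounted read-only

        for root in (good, bad):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "bin" / "ls").write_bytes(b"ELF ls (constructed)")
            (root / "bin" / "ps").write_bytes(b"ELF ps (constructed)")
            (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
            (root / "etc" / "shadow").write_text("root:!:0:0:99999:7:::\n")
            (root / "etc" / "shadow").chmod(0o600)

        # Only the backup still has the log: the suspect's /var/log was wiped.
        (good / "var" / "log").mkdir(parents=True)
        (good / "var" / "log" / "auth.log").write_text("Aug 23 12:57 sshd: accepted\n")

        # Constructed tampering on the suspect copy:
        (bad / "bin" / "ps").write_bytes(b"ELF ps (replaced)")            # replaced binary
        (bad / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n"
                                            "toor:x:0:0::/:/bin/sh\n")      # extra uid-0 account
        (bad / "etc" / "shadow").chmod(0o644)                              # same bytes, loosened perms
        (bad / "tmp").mkdir()
        (bad / "tmp" / ".hidden").write_bytes(b"dropped tool (constructed)")  # extra hidden file

        return compare(build_manifest(good), build_manifest(bad))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print("   ", p)
```

On a real disk you would run `build_manifest` once on the backup (or a fresh install of the same release) and once on the suspect mount, and save both manifests off-box before reading them; the comparison is then repeatable and gives you the "which binaries and libraries did they modify" and "what extra directories and files exist" answers directly, while the removed list shows what a log-cleaning intruder took with them.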