On Sat, 18 Mar 2006, Jon  Miller wrote:

> I have a hacked server that has a few rootkits installed.  I'm going to 
> rebuild this using the following procedure:
> 1) backup data files
> 2) copy /etc/*.conf
> 3) either make an image of the system and then blow it away or get new drives.
> 
> Have I missed out on anything?

for the "3" items:
a) if you back up data, do NOT erase previous ( supposedly good and clean ) 
   backups made prior to your noticing the rootkits .. but the actual intruder
   could have been there for months ... so do NOT erase the past two 
   months of "good" backups 
 
b) *.conf files are not the only items of interest

   most everything of value fits onto floppy, so if your system config 
   doesn't fit onto a floppy, you're copying more stuff than you need

c) getting a new disk is best ... keep the old disk just in case you forgot
   to copy the all-important config file you forgot about

        use apt-get to get a list of installed packages if you
        trust its output to rebuild your new box with similar apps

d) and you missed about 997+ other important things to do after being
   cracked and maybe only a dozen or so would be of general interest
        - change your current security policy to prevent it from
        happening again ...

        - back up data daily onto backup data from 6 months ago  vs
        overwriting last week's data

        - apply patches as needed ( daily, weekly or monthly ) as 
        time permits

        - find out who got in, 
        - find out when they got in
        - find out how they got in
        - find out why they got in ( their perspective = fun or malicious )
        - find out why they got in ( your perspective = security hole )

        - find out what OTHER machines they have attacked
        - find out what data they have sniffed ( login/pwd )
        - find out where they went after getting into your servers

        - report to the local computer crime dept or FBI or equivalent
        if you want to prosecute ... but that'd imply you don't
        touch your server and the lawyers have it offline etc.. etc..

        ... blah blah .. blah ..

e) 975+ other things to do :-)

c ya
alvin
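A script along the lines of items a) through c) above, added here as an example and not code from alvin's reply or the list: it harvests the package list and /etc from the old disk mounted read-only (assumed at $OLDROOT, a hypothetical path) using only the new system's own tools, because the apt/dpkg/tar binaries on the rooted box cannot be trusted to report honestly.

```shell
#!/bin/sh
# Added example (not from the list thread). Harvests a rebuild manifest from
# the OLD disk mounted read-only (assumed at $OLDROOT, e.g. /mnt/old) without
# executing anything from it: a trojaned dpkg/apt/tar on the rooted box is
# never run; only its text files are read with the new system's tools.
set -u

# List "package version" for every installed package by parsing
# /var/lib/dpkg/status as plain text (the same file dpkg -l / apt consult).
installed_packages() {   # $1 = path to a dpkg status file
    awk '
        /^Package: / { pkg = $2 }
        /^Version: / { ver = $2 }
        /^Status: /  { inst = ($0 ~ / installed$/) }
        /^$/         { if (inst && pkg != "") print pkg, ver
                       pkg = ""; ver = ""; inst = 0 }
        END          { if (inst && pkg != "") print pkg, ver }
    ' "$1"
}

# Archive the old /etc into a dated tarball and refuse to overwrite an
# existing one, so earlier (possibly pre-intrusion) backups survive.
# Prints the archive path.
archive_etc() {          # $1 = old root, $2 = backup directory
    dest="$2/etc-$(date +%Y%m%d-%H%M%S).tar"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    tar -cf "$dest" -C "$1" etc && echo "$dest"
}

# Build the manifest directory; prints the number of packages recorded.
# On the rebuilt box, after reviewing the list by hand:
#   awk '{print $1" install"}' packages.txt | dpkg --set-selections
#   apt-get dselect-upgrade
harvest() {              # $1 = old root, $2 = output directory
    mkdir -p "$2"
    installed_packages "$1/var/lib/dpkg/status" > "$2/packages.txt" || return 1
    archive_etc "$1" "$2" > /dev/null || return 1
    wc -l < "$2/packages.txt" | tr -d ' '
}

# Usage: OLDROOT=/mnt/old OUTDIR=/root/rebuild-manifest sh harvest.sh
if [ -n "${OLDROOT:-}" ]; then
    harvest "$OLDROOT" "${OUTDIR:-./rebuild-manifest}"
fi
```

The package list is plain text, so it can be diffed against an older, trusted backup to spot packages the intruder added before anything is reinstalled.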

