On Tuesday 10 July 2007 01:23, Zach wrote:
> On 7/10/07, Mike Bird <[EMAIL PROTECTED]> wrote:
> > He or she will neither boot the drives nor execute any
> > program or script on them, for they are all compromised. He or she will
> > only read the compromised drives.
>
> How can I do this? Assume the hacked disk is /dev/hda and the Linux root
> partition lives on /dev/hda2. Did you mean just using chroot? I would
> like to know in case I must ever do a forensic analysis.
Everything on all of the server's drives is compromised (cannot be trusted), so it is important not to boot/use/run/execute anything from those drives.

Ideally you start by making copies of the compromised drives and keeping the originals in a safe place. You work from a known secure system and mount the compromised drive(s) as slaves, usually noexec and noatime. The noexec helps to prevent accidental execution of compromised programs but is not perfect. The noatime helps to prevent loss of tracking information, although a clever attacker may already have forged atimes.

You then poke around with simple tools with no undesirable side effects, mostly ls and less, and try to figure out what happened. You never chroot to any of the filesystems on the compromised drives, because that would cause execution of compromised programs. If you so much as run the compromised ls then you can't believe anything you see, and you may even, via a daemon takeover, allow the infection to escape the chroot jail.

At the end of a few hours or a few days you will probably know which vulnerability the attacker exploited. You can patch that hole before putting the next incarnation of the server online. If the bug is new you should make sure the software's author is aware of the problem. He or she will usually be friendly and helpful.

--Mike Bird
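The procedure above (image the drives, mount only the copies from a clean host with noexec and noatime, and verify the mount before the first ls), as an added shell example that is not part of this thread. The image path, mount point and sample /proc/mounts content are constructed placeholders; it also adds ro, nosuid and nodev, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: the image path, the mount
# point and the sample /proc/mounts content below are constructed.

# ro: never write to the evidence. noexec/nosuid/nodev: nothing on it can run,
# even by accident. noatime: do not overwrite the access times you want to read.
FORENSIC_OPTS="ro,noexec,nosuid,nodev,noatime"

# Constructed /proc/mounts content for offline checking: one sound mount, one not.
SAMPLE_MOUNTS="/dev/loop0 /mnt/evidence ext3 ro,noexec,nosuid,nodev,noatime 0 0
/dev/loop1 /mnt/sloppy ext3 rw,relatime 0 0"

# Print how many required options are absent from a comma-separated option list;
# each missing one is named on stderr.
missing_forensic_opts() {
    opts=",$1,"
    missing=0
    for want in ro noexec nosuid nodev noatime; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing=$((missing + 1)); echo "missing: $want" >&2 ;;
        esac
    done
    echo "$missing"
}

# Succeed only if MOUNTPOINT appears in the mounts table (default /proc/mounts)
# with every required option. Run this before touching anything on the evidence.
check_forensic_mount() {
    mnt="$1"; table="${2:-/proc/mounts}"
    line=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }' "$table")
    [ -n "$line" ] || { echo "$mnt is not mounted" >&2; return 1; }
    [ "$(missing_forensic_opts "$line")" -eq 0 ]
}

# Attach a dd image of a compromised drive (never the original) read-only over a
# loop device, record its hash first, and back out if the mount came up without
# the safety options. Needs root.
mount_evidence_image() {
    image="$1"; mnt="$2"
    sha256sum "$image" >> evidence-hashes.log
    mkdir -p "$mnt"
    mount -o "loop,$FORENSIC_OPTS" "$image" "$mnt"
    check_forensic_mount "$mnt" || { umount "$mnt"; return 1; }
}
```

Only mount_evidence_image needs root; the two check functions run against any mounts table and can be rerun after every remount.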