Derek has made some valid points. I would however focus on increased time
securing the system by removing services that are not needed or used,
removing SUID/SGID binaries and enforcing the rule of least privilege for
user accounts with appropriate permissions rather than using DTK (Deception
Tool Kit). After the investigation aspect of your response plan has been
executed and you either rebuild the system or restore from trusted media,
you will want to use Tripwire, http://www.tripwiresecurity.com/. It is
invaluable when something like this happens in answering those questions of
what files this intruder has changed. Sadly, all the logs on the victim
system cannot be trusted because the integrity of the system has been
breached. What you can do right now is build a new AIX box, configure it in
a similar manner to the victim system, use Tripwire to generate a database
for your new AIX system, and use the database we have just generated with
the compromised system to see what files differ between the two. That
should provide some insight into what has happened. You might also want to
take a look at http://www.psionic.com/, DTK and syslog-ng.

I hope this helps you out,
Cohen

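Both Cohen's Tripwire-database comparison above and Derek's advice below to find every file changed since the compromise come down to diffing a trusted file inventory against the suspect one. As an added example that is not part of the original thread, here is a POSIX shell script that does that comparison on two constructed manifests (path, octal mode, checksum); Tripwire's real database format is not used, and the paths and checksums are made up.

```shell
#!/bin/sh
# Added example (not from the thread): compare a file manifest taken from a
# freshly built reference box against one taken from the suspect box, the
# way Cohen proposes comparing two Tripwire databases. Each manifest line is
#   <path> <octal mode> <checksum>
# and would normally be produced from a trusted boot with find(1) and a
# checksum tool. Paths containing spaces are not handled.

# Constructed baseline from the clean reference box.
CLEAN_MANIFEST='/bin/ls 755 aaaa1111
/bin/ps 755 bbbb2222
/usr/bin/find 755 cccc3333
/etc/inetd.conf 644 dddd4444'

# Constructed manifest from the suspect box: ls and inetd.conf differ and
# an extra file has appeared in a hidden directory.
SUSPECT_MANIFEST='/bin/ls 755 ffff9999
/bin/ps 755 bbbb2222
/usr/bin/find 755 cccc3333
/etc/inetd.conf 644 eeee5555
/tmp/.hidden/extra 755 0000aaaa'

# compare_manifests CLEAN SUSPECT
# Prints one sorted line per difference (ADDED / REMOVED / CHANGED path ...).
# Returns 0 when the manifests agree, 1 when any difference was found.
compare_manifests() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$1" > "$tmp/clean"
    printf '%s\n' "$2" > "$tmp/suspect"
    diffs=$(awk '
        NR == FNR { clean[$1] = $2 " " $3; next }   # first file: baseline
        {
            seen[$1] = 1
            if (!($1 in clean))
                print "ADDED   " $1 " " $2 " " $3
            else if (clean[$1] != $2 " " $3)
                print "CHANGED " $1 " was " clean[$1] " now " $2 " " $3
        }
        END { for (p in clean) if (!(p in seen)) print "REMOVED " p " " clean[p] }
    ' "$tmp/clean" "$tmp/suspect" | sort)
    rm -rf "$tmp"
    [ -n "$diffs" ] || return 0
    printf '%s\n' "$diffs"
    return 1
}

compare_manifests "$CLEAN_MANIFEST" "$SUSPECT_MANIFEST" ||
    echo "Differences found: examine these before trusting the suspect box."
```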

At 04:48 PM 6/26/99 -0700, you wrote:
>On Sat, 26 Jun 1999, Curtis Hefflin wrote:
>
>> I have a hacker who has successfully broken into an internal AIX box
>> via a remote access server our company uses for certain employees and
>> vendors. From this other box he has attempted to access other servers
>> including our firewall, which is also AIX.
>> I would like to know how I could retrace/track this person's movement
>> through the system. What logs or files should I review? And any other
>> help or advice you can provide.
>> Thanks,
>> Curt
>
>
>Well. Is he still accessing your system? If so, set up an external box
>on the same network and capture all the packets. You can watch him from
>there. You can also r/ssh into the compromised box at regular intervals
>and run netstat, w, etc. to figure out what's going on and set up quick
>and dirty scripts on the monitoring box to determine when he's on and
>then email or page you. This isn't always an option, but if you can
>convince your employer to let you do this, I'd recommend it. It's very
>educational and you'll likely uncover some trends that will aid you in
>combating this in the future. You'll also probably realize that most
>hax0rs are only looking for a place to drop an eggdrop.
>
>If you think you've already locked him out, or you know you have, and
>you've taken the box off line, you can _find_ all the files that have
>changed since the box was compromised. It's likely he installed a root
>kit and you're not seeing certain hidden dirs. Find is often not
>replaced by root kits, making it useful for finding hidden directories
>and files. If that fails, you can also use clean copies of find, ls, ps,
>who, etc. from your original media. Probably you'll want to look into
>something like tripwire for the future if you're not already using it.
>I assume you've checked all the standards: syslog, messages, sulog,
>wtmp, utmp, inetd.conf (for backdoors), rc and init.d files; if not,
>that's also a good starting point.
>
>Probably best to reinstall all binaries at this point. If possible,
>back up your data, wipe the box, and start again. You could check out
>deception tool kit and bring the original box back online with a new IP
>address and set up deception tool kit in the place of the original box
>and mess around too.
>
>+++ath
>Derek Vadala, [EMAIL PROTECTED], http://www.cynicism.com/~derek
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
>

--
Cohen Liota
Information Security Specialist         +1.416.815.3041 - v
Secure Computing Corporation            +1.416.815.3001 - f
[EMAIL PROTECTED]         http://www.securecomputing.com/
