Re: Compromised system - still ok?

2005-02-15 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
>>  - for forensics.. use a good cd or build a custom disk
>>  with a lot of fun forensics on it and fiddle till one finds
>>  all the answers :-0
> 
> Make sure that you don't do forensics on the original image.  Investigating 
> the situation may require running fsck etc which changes things.

And talking about forensics: use "script" to generate a complete typescript
of your forensics session.

Greetings
Bernd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Compromised system - still ok?

2005-02-15 Thread Russell Coker
On Monday 07 February 2005 14:43, Alvin Oga <[EMAIL PROTECTED]> 
wrote:
> > No, you make an image, reinstall, and if you have time (ie. you normally
> > don't) then you can start the forensics.
>
> yes about making an image ... i assume you mean
>  - take the box down,
>   - i hate taking the box down, as you can lose
>   valuable info in its memory

Unless you have special hardware installed it's impossible to take a memory 
image of a running machine.  There are PCI cards available which use 
bus-mastering to copy the memory of a live machine for forensics, but they 
are expensive and would have to be installed before the machine was cracked.

Inspecting the memory of a running machine that has been properly cracked is a 
problem as it may be obscured by a kernel module.

Most people recommend abruptly cutting the power to a machine that may have 
been compromised.  That prevents unlinking files that have no links but which 
were in use at the time.  A shutdown process will give a consistent file 
system (losing data from temporary files) and may also lose other data.

>  - i'd "re-install" into a new disk and leave the cracked one alone
>  ( disks are super cheap )
>   - i would not reinstall on the cracked disk
>   as it can have hidden filesystems

How would hidden filesystems work?

Some name-brand machines (particularly laptops) have a BIOS extension stored 
on an IDE hard disk which apparently has some reserved disk space.  It seems 
that my Thinkpad had something like this, but now that I'm running 2.6.10 
Linux sees all the disk space which would allow me to increase my Linux use 
by 3.4G which would overwrite the Thinkpad stuff.  Once Linux is using all 
the space there's nowhere to hide.

Assuming that you use all your disk space then hidden file systems shouldn't 
be an issue.

However it may be good to keep the disk anyway for evidence purposes.  Data on 
the original disk may be better regarded than data on a DVD if the case ever 
comes to court.

>  - for forensics.. use a good cd or build a custom disk
>  with a lot of fun forensics on it and fiddle till one finds
>  all the answers :-0

Make sure that you don't do forensics on the original image.  Investigating 
the situation may require running fsck etc which changes things.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
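Russell's point about files that are unlinked but still held open is the kind of evidence worth capturing before deciding how to take the box down. The following is an added example, not code from the thread: it walks /proc/<pid>/fd for link targets the kernel marks " (deleted)" and copies the still-live contents out through the descriptor link. It assumes a Linux procfs; procRoot, pid and dest are the example's own parameters.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// DeletedOpenFile records a file a process still holds open although its
// directory entry is gone. The kernel keeps the inode alive only while a
// descriptor references it, so a clean shutdown destroys this evidence.
type DeletedOpenFile struct {
	PID    string
	FD     string
	Target string // link target reported by /proc, minus " (deleted)"
}

// DeletedOpenFiles scans <procRoot>/<pid>/fd (pid may be "self", a number,
// or "*" for every numeric pid) and returns each descriptor whose link
// target carries the kernel's " (deleted)" marker.
func DeletedOpenFiles(procRoot, pid string) ([]DeletedOpenFile, error) {
	fdDirs, err := filepath.Glob(filepath.Join(procRoot, pid, "fd"))
	if err != nil {
		return nil, err
	}
	var found []DeletedOpenFile
	for _, fdDir := range fdDirs {
		owner := filepath.Base(filepath.Dir(fdDir))
		if pid == "*" {
			if _, err := strconv.Atoi(owner); err != nil {
				continue // skip /proc/self, /proc/thread-self and friends
			}
		}
		entries, err := os.ReadDir(fdDir)
		if err != nil {
			continue // other users' processes are unreadable without privilege
		}
		for _, e := range entries {
			target, err := os.Readlink(filepath.Join(fdDir, e.Name()))
			if err != nil || !strings.HasSuffix(target, " (deleted)") {
				continue
			}
			found = append(found, DeletedOpenFile{
				PID:    owner,
				FD:     e.Name(),
				Target: strings.TrimSuffix(target, " (deleted)"),
			})
		}
	}
	return found, nil
}

// CopyOpenFile reads the still-live contents through the /proc descriptor
// link into dest (which must not exist yet) and returns the bytes preserved.
func CopyOpenFile(procRoot string, f DeletedOpenFile, dest string) (int64, error) {
	src, err := os.Open(filepath.Join(procRoot, f.PID, "fd", f.FD))
	if err != nil {
		return 0, err
	}
	defer src.Close()
	dst, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return 0, err
	}
	defer dst.Close()
	return io.Copy(dst, src)
}

func main() {
	found, err := DeletedOpenFiles("/proc", "*")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range found {
		fmt.Printf("pid %s fd %s: %s (unlinked, still open)\n", f.PID, f.FD, f.Target)
	}
}
```

Run as root to see every process; unprivileged, only the caller's own processes are readable.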





Re: Compromised system - still ok? - doorstep

2005-02-07 Thread Alvin Oga

hi ya

On Mon, 7 Feb 2005, James Renken wrote:

..

> The summary in legal terms: contributory negligence is not a defense to an
> intentional (or reckless) tort.  The first major case I found with an
> offhand search is:
> 
> Schellhouse v. Norfolk & W. Ry. Co., 575 N.E.2d 453, 456 (Ohio 1991)

thanx...
 
> Hope this helps. :) The largest problem, I think, would be identifying the
> intruder with enough certainty to sue them.

it'd be fun to have the cops show up on the cracker's doorstep
while they're in the cracked servers along the way at the time
and the victim's servers
- makes it a whole lot easier

c ya
alvin





Re: Compromised system - still ok?

2005-02-07 Thread Matthew Palmer
On Mon, Feb 07, 2005 at 07:26:43PM +0100, Milan P. Stanic wrote:
> On Mon, Feb 07, 2005 at 06:25:19PM +1100, Matthew Palmer wrote:
> > Obviously you've never done this.  Good luck finding someone who even knows
> > what TCP/IP is, let alone sufficient knowledge to be able to track a cracker
> > in real time with no warning.
> 
> How smart they are can be seen at:
> http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html
> 
> In short: A man used lynx to donate to tsunami victims, but a webmaster
> at British Telecom called the police and the charitable man was
> arrested.
> 
> I don't know whether I should cry or laugh.

I'd suggest verifying the story, first.  The BBC story which is commonly
referenced doesn't actually mention the use of lynx, and attempts by people
in the UK to actually find the real source of the story have (to the best of
my knowledge) proven fruitless.

- Matt




Re: Compromised system - still ok?

2005-02-07 Thread Milan P. Stanic
On Mon, Feb 07, 2005 at 06:25:19PM +1100, Matthew Palmer wrote:
> Obviously you've never done this.  Good luck finding someone who even knows
> what TCP/IP is, let alone sufficient knowledge to be able to track a cracker
> in real time with no warning.

How smart they are can be seen at:
http://www.boingboing.net/2005/01/27/jailed_for_using_a_n.html

In short: A man used lynx to donate to tsunami victims, but a webmaster
at British Telecom called the police and the charitable man was
arrested.

I don't know whether I should cry or laugh.




Re: Compromised system - still ok?

2005-02-07 Thread Michael Stone
On Mon, Feb 07, 2005 at 06:32:12PM +0200, Ognyan Kulev wrote:
> He said that after a signed Fedora package is installed (by default, only 
> signed packages are installed), you can boot from some CD and then check 
> signatures of each file of each package.  Thus, only having Red Hat's key 
> fingerprint, you can check all your installed packages.
> 
> What I'm asking is if this is possible with dpkg-sig?  If not, I think it's 
> a desirable feature.  

No it's not. The redhat approach misses the boat on what is probably the
largest part of your installation--your data & configuration files. Use
something like aide or tripwire to validate your installation.

> Another thing he doesn't like is that the check is based on a signed MD5 hash of 
> the content instead of on the signed content.  Is it true that signed MD5 is 
> weaker than signed content?

No.

Mike Stone


Re: Compromised system - still ok?

2005-02-07 Thread Robert Lemmen
On Mon, Feb 07, 2005 at 06:32:12PM +0200, Ognyan Kulev wrote:
> Another thing he doesn't like is that the check is based on a signed MD5 hash of 
> the content instead of on the signed content.  Is it true that signed MD5 is 
> weaker than signed content?

asymmetric crypto ops are very slow, so you wouldn't want to do them on
the whole content (signature would be the same order of size as the
content too..). so you always sign a message digest. you would want to
choose a better one than md5 though (sha1 for example), but that's a
trivial change

cu  robert

-- 
Robert Lemmen   http://www.semistable.com 




Re: Compromised system - still ok?

2005-02-07 Thread Ognyan Kulev
Geoff Crompton wrote:
> So can you be really sure that there was no root kit that successfully 
> exploited your system? Have you rebooted off a trusted kernel, and 
> cryptographically checked every single file involved in booting? (Such 
> as the grub/lilo, kernel, all modules, init), and visually or 
> cryptographically checked all the rc.* files and /etc/inittab?
> Of course, doing all this might mean that you avoid booting the rootkit 
> next time. But it could still be on the disk, waiting for when the 
> attacker tries to return!

A friend of mine is a fan of Red Hat.  He regularly laughs at Debian because 
package content is not signed, so I got interested in these matters.  I became 
aware of secure apt and dpkg-sig.

He said that after a signed Fedora package is installed (by default, only signed 
packages are installed), you can boot from some CD and then check signatures of 
each file of each package.  Thus, only having Red Hat's key fingerprint, you can 
check all your installed packages.

What I'm asking is if this is possible with dpkg-sig?  If not, I think it's a 
desirable feature.  I didn't find the answer in 
http://dpkg-sig.turmzimmer.net/faq.html -- "dpkg-sig is _very_ interesting for 
those of us who want to know where a package went, and when."  Verifying files 
of an already installed package is not mentioned.

Another thing he doesn't like is that the check is based on a signed MD5 hash of 
the content instead of on the signed content.  Is it true that signed MD5 is 
weaker than signed content?

Regards,
ogi


Re: Compromised system - still ok?

2005-02-07 Thread James Renken
On Sun, 6 Feb 2005, Scott Edwards wrote:

> 1. Your box gets compromised
> 2. You sue them
> 3. And then collect damages
>
> You'll quickly lose a case if there is any demonstration of
> negligence (that tail between your legs about the backup account -
> yea, you know, but didn't act. that's enough negligence to blow the
> case)

(Standard disclaimer: I am a law student, not a lawyer, and I cannot
provide legal advice.  This is my opinion only, and should not be relied
on for any purpose.  Seek professional advice.)

I'm fairly sure that this wouldn't be a problem if you decided to sue an
intruder.  You're right that in many cases, the person you're suing can
introduce evidence of your own negligence in order to get the case thrown
out, but this doesn't apply in cases like this where the defendant's act
was intentional.

The summary in legal terms: contributory negligence is not a defense to an
intentional (or reckless) tort.  The first major case I found with an
offhand search is:

Schellhouse v. Norfolk & W. Ry. Co., 575 N.E.2d 453, 456 (Ohio 1991)

This might vary from state to state, but the principle makes enough sense
that it's probably standard.  I am, of course, assuming U.S. law here.

Hope this helps. :) The largest problem, I think, would be identifying the
intruder with enough certainty to sue them.

-- 
James Renken, System Administrator [EMAIL PROTECTED]
Sandwich.Net Internet Services  http://www.sandwich.net/  1-877-HUBWICH







Re: Compromised system - still ok?

2005-02-07 Thread Alvin Oga

On Mon, 7 Feb 2005, Bernd Eckenfels wrote:

> In article <[EMAIL PROTECTED]> you wrote:
> >- works great across the usa, even if the cracked
> >box they came from was offshore, they can trace it
> >back to somebody's bedroom or colo
> 
> is that first hand knowledge or just some usual urban legend?

first hand only ... with tons of paperwork and emails and phone ..

and supposedly not so happy isp's being "forced" to cooperate and trace
the crackers down 

if i was the isp, i'd be happy to get some script kiddies and more
threatening folks off the wire vs letting um roam freely 

c ya
alvin





Re: Compromised system - still ok?

2005-02-07 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
>- works great across the usa, even if the cracked
>box they came from was offshore, they can trace it
>back to somebody's bedroom or colo

is that first hand knowledge or just some usual urban legend?

Greetings
Bernd





Re: Compromised system - still ok?

2005-02-07 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I co-administer a system with ~ 250 users, a significant part of them I
> don't know very well personally, and really, I don't rule out some of
> them might try to do some cracking, or, more likely, have such a shoddy
> password policy or infected windows system that their account will be
> used to.
> 
> Should I now reinstall these systems daily?

Well, the problem is of course root compromise. However, on such a system,
break-ins are very likely and you better do checks regularly. This is to
protect your users.

> In both my case, and the thread starter's case, a normal user account
> might or was definitely in the hands of someone malicious. In both
> cases, no evidence whatsoever was there that there was even an attempt
> at becoming root.

Then a re-install might not be needed. At least if you can explain how the
user account could have been compromised.

Bernd





Re: Compromised system - still ok?

2005-02-07 Thread Jeroen van Wolffelaar
On Mon, Feb 07, 2005 at 12:35:45AM +0100, martin f krafft wrote:
> Once an attacker is on the system, you cannot be sure anymore that
> you can track his/her actions down. Sophisticated root kits exist to
> cover all (!) traces.

I co-administer a system with ~ 250 users, a significant part of them I
don't know very well personally, and really, I don't rule out some of
them might try to do some cracking, or, more likely, have such a shoddy
password policy or infected windows system that their account will be
used to.

Should I now reinstall these systems daily?

I see not much difference, except that in this case, there really was
someone with evil intentions on an account, but as said already in this
thread, what you see is only part of what happens. Especially on a busy
multiuser system, suspected activity might go unnoticed.

In both my case, and the thread starter's case, a normal user account
might or was definitely in the hands of someone malicious. In both
cases, no evidence whatsoever was there that there was even an attempt
at becoming root.

My point was and is, user account != root. Any such hole would be
dangerous, but if you cannot somewhat reasonably assume this, you are
only paranoidly going to reinstall systems over and over again.

My final remark in this thread about this specific case: If it was
merely a backup MX, indeed, just reinstall, as the only valuable thing
was probably the mail queue (harmless) and the mail config (probably
trivial or at least trivially checkable). If you reboot from CD-ROM and
fdisk & mkfs the harddisk from start, all these hidden files in
filesystems etc is just FUD.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Re: Compromised system - still ok?

2005-02-07 Thread Adrian Phillips
> "Matthew" == Matthew Palmer <[EMAIL PROTECTED]> writes:

Matthew> I have reported intruders to the relevant authorities in
Matthew> the past, and have encountered an apathy field the size
Matthew> of a small continent.  The only way they will even

Well, I think it may depend on which country you're in. We had an
incident a while ago that was reported to the police (Norway). They
were interested, took the machine in, copied the disk, etc. Whether
this is due to the fact we are a government organisation or the
Norwegian authorities are more interested than other countries' I'm
uncertain.

I would suggest at least contacting your local authorities before
assuming they are apathetic.

Sincerely,

Adrian Phillips

-- 
Who really wrote the works of William Shakespeare ?
http://www.pbs.org/wgbh/pages/frontline/shakespeare/





Re: Compromised system - still ok?

2005-02-07 Thread Michael Stone
On Sun, Feb 06, 2005 at 11:53:50PM -0800, Alvin Oga wrote:
> don't accuse others ( me ) of what you haven't done yourself,
> or don't want to do, as it only makes you look like the script kiddie

If anyone in this thread sounds like a kiddie it's you. 

Mike Stone


Re: Compromised system - still ok? - let it go

2005-02-07 Thread Alvin Oga

hi ya matt

On Mon, 7 Feb 2005, Matthew Palmer wrote:

> Three step program for you, bub.
> 
> 1) Place your feet on your shoulders;
> 2) Push hard;
> 3) Take your first breath of arse-free air in a long time.

sounds like you should do the same ... or more like too late for you
 
> I have reported intruders to the relevant authorities in the past,

and that'd depend on you and them to do something

> can't imagine they'd be even vaguely interested in some two-bit penetration.

yup.. until something happens that is a problem for them ... in which
case they jump and do something fast ..

like i said, don't accuse others of having the same failures as you did
or didn't even try yourself
- not everybody fails ..

and these script kiddies and cracker coders beat ya 
since you don't know what to do with um

== isn't it enough of this ... there's better things to do

- you have your ways to deal with it
- others have theirs, and "your experiences" is not the
same for others

c ya
alvin
 





Re: Compromised system - still ok?

2005-02-07 Thread Matthew Palmer
On Sun, Feb 06, 2005 at 11:53:50PM -0800, Alvin Oga wrote:
> 
> On Mon, 7 Feb 2005, Matthew Palmer wrote:
> 
> > On Sun, Feb 06, 2005 at 10:52:50PM -0800, Alvin Oga wrote:
> > > it's best when you can call the fbi (on the phone) and say, they're
> > > back,  trace um "NOW"
> > 
> > Obviously you've never done this.
> 
> and obviously you seem too lazy to catch the cracker ??
> 
> don't accuse others ( me ) of what you haven't done yourself,
> or don't want to do, as it only makes you look like the script kiddie

Three step program for you, bub.

1) Place your feet on your shoulders;
2) Push hard;
3) Take your first breath of arse-free air in a long time.

I have reported intruders to the relevant authorities in the past, and have
encountered an apathy field the size of a small continent.  The only way
they will even vaguely give a damn is if there is easily demonstrated loss of a
significant amount.  They've got bigger fish to fry.  Considering that there
are 100,000 node botnets running around capable of bringing more or less any
website in existence to its knees, and the Feds seem in no hurry to bring
those down, nor to do an awful lot to stop the infection at its source, I
can't imagine they'd be even vaguely interested in some two-bit penetration.

- Matt




Re: Compromised system - still ok?

2005-02-07 Thread Alvin Oga

On Mon, 7 Feb 2005, Matthew Palmer wrote:

> On Sun, Feb 06, 2005 at 10:52:50PM -0800, Alvin Oga wrote:
> > it's best when you can call the fbi (on the phone) and say, they're
> > back,  trace um "NOW"
> 
> Obviously you've never done this.

and obviously you seem too lazy to catch the cracker ??

don't accuse others ( me ) of what you haven't done yourself,
or don't want to do, as it only makes you look like the script kiddie
- let me know what you want me to catch
your crackers .. part of the fun ..

everybody has different priorities of what to do 
before, during and after..

c ya
alvin





Re: Compromised system - still ok?

2005-02-06 Thread Sels, Roger
> On Sun, Feb 06, 2005 at 10:52:50PM -0800, Alvin Oga wrote:
>> it's best when you can call the fbi (on the phone) and say, they're
>> back,  trace um "NOW"
>
> Obviously you've never done this.  Good luck finding someone who even
> knows what TCP/IP is, let alone sufficient knowledge to be able to track a
> cracker in real time with no warning.
>
> - Matt
>

And a cracker not connected to their systems, that is.

Seriously, what are they to trace? Where the IP is located?
That's obviously something you can do yourself.
And then you'd still need to file a complaint to have someone get in touch
with the ISP/organization.
This takes time.

And what if your cracker used an unprotected WiFi network, public library
or university computer, ... ?

Regards,

Roger

-- 
Under capitalism, man exploits man.
Under communism, it's just the opposite.
J.K.Galbraith





Re: Compromised system - still ok?

2005-02-06 Thread Matthew Palmer
On Sun, Feb 06, 2005 at 10:52:50PM -0800, Alvin Oga wrote:
> it's best when you can call the fbi (on the phone) and say, they're
> back,  trace um "NOW"

Obviously you've never done this.  Good luck finding someone who even knows
what TCP/IP is, let alone sufficient knowledge to be able to track a cracker
in real time with no warning.

- Matt




Re: Compromised system - still ok?

2005-02-06 Thread Alvin Oga

On Sun, 6 Feb 2005, Scott Edwards wrote:

> You'll want to evaluate the time and resources you'll consume, and to
> what end.  Even in high profile cases, you have to do even more work
> to collect the damages awarded.  It's like a triple whammy:
> 
> 1. Your box gets compromised
> 2. You sue them
> 3. And then collect damages

collecting is non trivial .. nor is the process of filing suits

however, if you got the fbi or local computer crime boyz involved, 
they can usually scare the pants off of the crackers, by showing
up on their doorstep and taking away all their toys ( pc, routers )
- works great across the usa, even if the cracked
box they came from was offshore, they can trace it
back to somebody's bedroom or colo

i think the fed's get involved if you can show that cracker
came from the fed's machines :-)  and/or if the damages exceed
a particular amount, which seems very victim friendly,  which in 
the case of a "security" breach is fairly easy to reach in losses

and more than likely, they're already tracking that cracker

it's best when you can call the fbi (on the phone) and say, they're
back,  trace um "NOW"

c ya
alvin






Re: Compromised system - still ok?

2005-02-06 Thread Scott Edwards
You'll want to evaluate the time and resources you'll consume, and to
what end.  Even in high profile cases, you have to do even more work
to collect the damages awarded.  It's like a triple whammy:

1. Your box gets compromised
2. You sue them
3. And then collect damages

You'll quickly lose a case if there is any demonstration of
negligence (that tail between your legs about the backup account -
yea, you know, but didn't act. that's enough negligence to blow the
case)

All my comments are my own.  Don't hesitate to seek professional counsel.

Thanks,


Scott Edwards
Daxal Communications - http://www.daxal.com/

> after small or big cracking, one always has to make time, and
> take more preventative measures vs spending time on forensics
> unless you wanna lock um up :-)
> 
> fun stuff
> 
> c ya
> alvin





Re: Compromised system - still ok?

2005-02-06 Thread Alvin Oga


On Mon, 7 Feb 2005, Bernd Eckenfels wrote:

> In article <[EMAIL PROTECTED]> you wrote:
> > you can reinstall AFTER you can answer all the above questions
> > or give up and give the point to the script kiddie cracker
> 
> No, you make an image, reinstall, and if you have time (ie. you normally
> don't) then you can start the forensics.

yes about making an image ... i assume you mean
  - take the box down,
    - i hate taking the box down, as you can lose
      valuable info in its memory

  - i'd "re-install" into a new disk and leave the cracked one alone
    ( disks are super cheap )
    - i would not reinstall on the cracked disk
      as it can have hidden filesystems

  - for forensics.. use a good cd or build a custom disk
    with a lot of fun forensics on it and fiddle till one finds 
    all the answers :-0

after small or big cracking, one always has to make time, and
take more preventative measures vs spending time on forensics
unless you wanna lock um up :-) 

fun stuff

c ya
alvin





Re: Compromised system - still ok?

2005-02-06 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> you can reinstall AFTER you can answer all the above questions
> or give up and give the point to the script kiddie cracker

No, you make an image, reinstall, and if you have time (ie. you normally
don't) then you can start the forensics.

Gruss
Bernd





Re: Compromised system - still ok?

2005-02-06 Thread Sels, Roger
Some interesting points raised by Alvin.

On the other hand, run rkhunter after updating its lists & chkrootkit.
See what they have to say about your system, but also watch out for false
positives due to back-ported security patches (mostly for openssl, ssh,
..) in Debian.

(step 1)
If the machine is not critical, given the fact that you seem to have
noticed the compromise rather early on and that your firewall blocked
traffic to the telnet server, you could invest some extra time in checking
md5sums of important files (again rkhunter & chkrootkit can help a bit
here ), close the security hole and reboot to your new kernel.
But before doing so, check your logfiles. Are you missing information for
some days from a while ago? Or missing complete logfiles/days?
Probably the attacker(s) had access to the box before - and long before
you noticed - so they concealed their traces, and then you should go to
step 2 without hesitation.
Watch for suspicious traffic going to and from the box for a while, then
forget about it.

(step 2)
If the machine is really important or serving important data, check the
integrity of the data, back it up and take no chances but reinstall the
box from scratch.

Good luck.

Roger


-- 
Under capitalism, man exploits man.
Under communism, it's just the opposite.
J.K.Galbraith


>
>
> On Mon, 7 Feb 2005, Geoff Crompton wrote:
>
>> >>You were rooted, you should reinstall.  It's not worth risking that he
>> >>left something that you didn't find.
>
> 
> "reinstalling" is the equivalent of a "script kiddie" and probably lower
> in skill level of the script kiddie
> 
>
> see below for reasons if one cares
>
>> > I see no evidence at all of being rooted, or even hints thereto. Yes,
>> > the backup account was compromised. It looks like there were quite
>> some
>> > security measures in place, try to look hard for any attempt to kernel
>> > exploit or otherwise local exploit, and think about what files this
>> > backup account had access to. Of course, importance of the system
>> > matters too, if you were the NSA or something, I'd definitely
>> reinstall,
>> > however, if you're not THAT paranoid, I think you can do with locking
>> > down backup account, checking all files writeable by backup (all files
>> > with recent ctime?), and places like /var/tmp, /tmp, etc.
>
> nsa and other 3-letter agencies will probably find out:
>   - where the cracker came from
>   - what else the cracker did on the suspect box
>   - what other machines the cracker tried to access inside the
>   network and what other files were changed on other servers
>   - how they got in and reproduce how they got in
>   - come to your door step and serve a warrant if
>   one broke into a "secret" machine
>   - are there automated jobs that run at fixed times or
>   whenever you do something
>
>   - how long have they been in the system before you noticed
>   and sometimes they are in there for weeks or months before
>   you start to notice because they started to use the cracked box
>
>   - is the backup clean or is it suspect too
>
>   - what files the cracker changed
>   - what files the cracker added
>   - .. on and on ..
>
> you can reinstall AFTER you can answer all the above questions
> or give up and give the point to the script kiddie cracker
>
> reinstalling is bad because ..
>   - you donno how they got in and they can get back in
>   the same way again, and the 2nd time, they'd probably be
>   less friendly
>
>   - most crackers are not malicious and just wanna prove something
>   to themselves or their buddies
>
>   - reinstalling and cleanup after a cracked box is very painful
>   and can take days or weeks of cleanup whether you reinstall or not
>
>   - reinstalling does NOT clean up the other machines the
>   cracker could have used .. ( esp passwordless login systems
>   where they have free access to everything )
>
>   - reinstalling is bad because you didn't check your backups
>   before restoring, and for all you know, you can be restoring
>   their trojan that will wake up one day again in the future
>
>   - if you didn't change your normal computer usage after the
>   break-in, they will be back again
>
>   - thousands of "best practices" security rules and policies
>   to follow or not depending on one's paranoia or risk of something
>   might happen vs the obvious required time/steps needed to protect
>   against those possible crack attempts
>
>> Unless the evidence of being rooted was hidden. This can be done with
>> * replacing system binaries, so that, for instance, /bin/ls does not
>> list the root kit files, and that /bin/ps does not display the rootkit
>
> those are trivial to check and verify .. few minutes
>
> one keeps a copy of all files and directories on another media ( cdrom )
>   - anything that shows up different is new file since the
>   "md5sum was 

Re: Compromised system - still ok?

2005-02-06 Thread Alvin Oga


On Mon, 7 Feb 2005, Geoff Crompton wrote:

> >>You were rooted, you should reinstall.  It's not worth risking that he
> >>left something that you didn't find.


"reinstalling" is the equivalent of a "script kiddie" and probably lower
in skill level of the script kiddie


see below for reasons if one cares

> > I see no evidence at all of being rooted, or even hints thereto. Yes,
> > the backup account was compromised. It looks like there were quite some
> > security measures in place, try to look hard for any attempt to kernel
> > exploit or otherwise local exploit, and think about what files this
> > backup account had access to. Of course, importance of the system
> > matters too, if you were the NSA or something, I'd definitely reinstall,
> > however, if you're not THAT paranoid, I think you can do with locking
> > down backup account, checking all files writeable by backup (all files
> > with recent ctime?), and places like /var/tmp, /tmp, etc.

nsa and other 3-letter agencies will probably find out:
- where the cracker came from
- what else the cracker did on the suspect box
- what other machines the cracker tried to access inside the
network and what other files were changed on other servers
- how they got in and repoduce how they got in 
- come to your door step and serve a warrant if
one broke into a "secret" machine
- are there automated jobs that run at fixed times or
whenever you do something

- how long have they been in the system before you noticed
and sometimes they are in there for weeks or months before
you start to notice because they started to use the cracked box

- is the backup clean or is it suspect too

- what files the cracker changed 
- what files the cracker added
- .. on and on ..

you can reinstall AFTER you can answer all the above questions
or give up and give the point to the script kiddie cracker

reinstalling is bad because ..
- you don't know how they got in and they can get back in
the same way again, and the 2nd time, they'd probably be
less friendly

- most crackers are not malicious and just wanna prove something
to themself or their buddies

- reinstalling and cleanup after a cracked box is very painful
and can take days or weeks of cleanup whether you reinstall or not

- reinstalling does NOT clean up the other machines the
cracker could have used .. ( esp passwordless login systems
where they have free access to everything )

- reinstalling is bad because you didn't check your backups
before restoring, and for all you know, you can be restoring
their trojan that will wake up one day again in the future

- if you didn't change your normal computer usage after the
breakin, they will be back again

- thousands of "best practices" security rules and policies
to follow or not depending on one's paranoia or risk of something
might happen vs the obvious required time/steps needed to protect
against those possible crack attempts

> Unless the evidence of being rooted was hidden. This can be done with
> * replacing system binaries, so that, for instance, /bin/ls does not 
> list the root kit files, and that /bin/ps does not display the rootkit

those are trivial to check and verify .. few minutes

one keeps a copy of all files and directories on another media ( cdrom )
- anything that shows up different is new file since the 
"md5sum was done" or its the cracker files

- if you upgrade daily .. you're sorta assuming a few
things, like you don't know or care that certain files changed
on certain days or hopefully logging it, but how do you
know it was changed due to update vs cracker got in and also
got its files in your "these are my changes for today" checksums

> * replacing kernel (or modules) so that process information relating to 
> the root kit is hidden, and files are hidden

most rootkits leave traces .. though they're getting better at hiding

> * hiding the root kit files in 'empty' spaces on the filesystem, (ie, 
> where no inodes are pointing to)
> * hiding the root kit files in the filesystem (amongs other files, a 
> little bit in each inode maybe?)

ideal places for those are the extra bytes of
/etc/hosts
/etc/resolv.conf
/etc/hosts.conf
/etc/passwd
( small files, where lots of unused bytes is available )

if they have hidden their stuff inside a secret filesystem of unused
disk space... you need professional 3-letter help ...
- reinstalling will not help you, as they probably outclass
your/our security policies

and a more likely scarier problem, is they installed a keyboard sniffer
( quietly sniffing all your passwds )
- do you login each time or do you login only 

Re: Compromised system - still ok?

2005-02-06 Thread Geoff Crompton
Jeroen van Wolffelaar wrote:
> On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
>> On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
>> <[EMAIL PROTECTED]> wrote:
>>> I'm considering taking it back online with a 2.4.29-grsec-hi, what do
>>> you guys think?
>> You were rooted, you should reinstall.  It's not worth risking that he
>> left something that you didn't find.
>
> I see no evidence at all of being rooted, or even hints thereto. Yes,
> the backup account was compromised. It looks like there were quite some
> security measures in place, try to look hard for any attempt to kernel
> exploit or otherwise local exploit, and think about what files this
> backup account had access to. Of course, importance of the system
> matters too, if you were the NSA or something, I'd definitely reinstall,
> however, if you're not THAT paranoid, I think you can do with locking
> down backup account, checking all files writeable by backup (all files
> with recent ctime?), and places like /var/tmp, /tmp, etc.
> --Jeroen
Unless the evidence of being rooted was hidden. This can be done with
* replacing system binaries, so that, for instance, /bin/ls does not 
list the root kit files, and that /bin/ps does not display the rootkit
* replacing kernel (or modules) so that process information relating to 
the root kit is hidden, and files are hidden
* hiding the root kit files in 'empty' spaces on the filesystem, (ie, 
where no inodes are pointing to)
* hiding the root kit files in the filesystem (among other files, a 
little bit in each inode maybe?)

So can you be really sure that there was no root kit that successfully 
exploited your system? Have you rebooted off a trusted kernel, and 
cryptographically checked every single file involved in booting? (Such 
as the grub/lilo, kernel, all modules, init), and visually or 
cryptographically checked all the rc.* files and /etc/inittab?
Of course, doing all this might mean that you avoid booting the rootkit 
next time. But it could still be on the disk, waiting for when the 
attacker tries to return!

Yes, if the system is not important, you might not bother re-installing 
it. However in my (fairly recent) experience, it was _easier_ to 
reinstall than it was to check all those things.

--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
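Added example, not from any message in this thread: the checksum-baseline
check Alvin describes (hashes of every file kept on read-only media, anything
that differs is either an update or the cracker's) and Geoff's "cryptographically
checked every single file" in one script. It also addresses Alvin's objection
that daily upgrades muddy the baseline: files whose new hash matches what the
package manager says it installed are reported separately from files that
match nothing. Everything here is constructed: the sample tree, the
"hash  path" manifest format, and the package checksum table (dpkg's
*.md5sums files use a similar layout, but this code does not parse them).

```python
# Added example (not from the thread): baseline checksums kept off the
# suspect disk, reconciled against trusted package checksums. Paths, the
# manifest format and the package checksum table are constructed here.
import hashlib
import os
import tempfile
from typing import Dict, List

HashMap = Dict[str, str]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> HashMap:
    """Hash every regular file under root, keyed by path relative to root.
    Symlinks are recorded by target and never followed, so a link planted
    at a checked path cannot make the walk hash some other, clean file."""
    manifest: HashMap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_of(full)
    return manifest


def write_manifest(manifest: HashMap, path: str) -> None:
    with open(path, "w") as f:  # "hash  path" lines, like sha256sum output
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path: str) -> HashMap:
    manifest: HashMap = {}
    with open(path) as f:
        for line in f:
            if line.strip():
                digest, rel = line.rstrip("\n").split("  ", 1)
                manifest[rel] = digest
    return manifest


def compare(baseline: HashMap, current: HashMap,
            package_hashes: HashMap) -> Dict[str, List[str]]:
    """Classify every path that differs between baseline and current.
    package_hashes is what the package manager says it installed; take it
    from trusted media (re-downloaded packages), not from the suspect disk,
    because whoever has root can rewrite the on-disk copy as well."""
    report: Dict[str, List[str]] = {k: [] for k in (
        "new_from_package", "new_unknown", "missing",
        "changed_by_package", "changed_unknown")}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        from_pkg = new is not None and new == package_hashes.get(rel)
        if old is None:
            report["new_from_package" if from_pkg else "new_unknown"].append(rel)
        elif new is None:
            report["missing"].append(rel)
        else:
            report["changed_by_package" if from_pkg else "changed_unknown"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline, then one upgrade and some tampering."""
    root, cdrom = tempfile.mkdtemp(prefix="rootfs-"), tempfile.mkdtemp(prefix="cdrom-")
    for rel, data in {"bin/ls": b"ls v1", "bin/ps": b"ps v1",
                      "etc/hosts": b"127.0.0.1 localhost\n"}.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = os.path.join(cdrom, "baseline.sha256")  # the copy on the CD
    write_manifest(build_manifest(root), baseline)
    changes = {"bin/ls": b"ls v2",            # legitimate package upgrade
               "bin/ps": b"ps trojan",        # trojaned ps hiding processes
               "bin/.hidden": b"rootkit payload"}  # file a trojaned ls would hide
    for rel, data in changes.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    os.remove(os.path.join(root, "etc/hosts"))
    package_hashes = {"bin/ls": hashlib.sha256(b"ls v2").hexdigest(),  # trusted media
                      "bin/ps": hashlib.sha256(b"ps v1").hexdigest()}
    return compare(read_manifest(baseline), build_manifest(root), package_hashes)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The walk must be run from a trusted kernel and trusted binaries (boot the
rescue CD and mount the suspect disk read-only), otherwise a kernel module
that hides files hides them from this script too; and the baseline only
means anything if it was taken before the break-in and kept where root on
the box could not rewrite it.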


Re: Compromised system - still ok?

2005-02-06 Thread martin f krafft
also sprach Jeroen van Wolffelaar <[EMAIL PROTECTED]> [2005.02.07.0022 +0100]:
> however, if you're not THAT paranoid, I think you can do with
> locking down backup account, checking all files writeable by
> backup (all files with recent ctime?), and places like /var/tmp,
> /tmp, etc.

Once an attacker is on the system, you cannot be sure anymore that
you can track his/her actions down. Sophisticated root kits exist to
cover all (!) traces.

You can put another box in front of the suspect one and check
whether any unexpected traffic flows. Use snort. Do that for an
extended period of time. If you see anything suspicious,
investigate, but don't hesitate.

I would simply reinstall.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: Compromised system - still ok?

2005-02-06 Thread Jeroen van Wolffelaar
On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
> On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
> <[EMAIL PROTECTED]> wrote:
> > I'm considering taking it back online with a 2.4.29-grsec-hi, what do
> > you guys think?
> 
> You were rooted, you should reinstall.  It's not worth risking that he
> left something that you didn't find.

I see no evidence at all of being rooted, or even hints thereto. Yes,
the backup account was compromised. It looks like there were quite some
security measures in place, try to look hard for any attempt to kernel
exploit or otherwise local exploit, and think about what files this
backup account had access to. Of course, importance of the system
matters too, if you were the NSA or something, I'd definitely reinstall,
however, if you're not THAT paranoid, I think you can do with locking
down backup account, checking all files writeable by backup (all files
with recent ctime?), and places like /var/tmp, /tmp, etc.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


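Added example, not part of Jeroen's message or anything else in the thread:
the triage he suggests ("all files writeable by backup", "all files with
recent ctime", and the /tmp and /var/tmp directories) written out as a script.
It lists regular files whose inode change time is newer than a cutoff, says
which of them a given unprivileged account could write to under plain Unix
permissions, and always includes the scratch directories. The sample tree,
the uid/gid used for the "backup" account and the cutoff are constructed for
the example.

```python
# Added example (not from the thread): list regular files whose ctime is
# newer than a cutoff, say which of them a given unprivileged account could
# write to, and always include the scratch directories. The sample tree, the
# uid/gid and the cutoff are constructed for this example.
import os
import stat
import tempfile
import time
from typing import Iterable, List, Tuple


def writable_by(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Plain Unix mode-bit check for a non-root account. POSIX ACLs and
    setuid helpers can widen this, grsecurity/SELinux policy can narrow it,
    so treat the answer as a first cut, not a verdict."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def recently_changed(root: str, since: float, uid: int, gids: Iterable[int],
                     scratch=("tmp", "var/tmp")) -> List[Tuple[str, bool]]:
    """(relative path, writable by account) for every regular file with
    ctime after `since`, plus everything under the scratch dirs. ctime is
    set by the kernel on every inode change and cannot be set with utime(),
    which is why it beats mtime here; but root can step the clock or write
    the inode directly, so a clean list is not proof of a clean box."""
    gids = set(gids)
    scratch_dirs = [os.path.join(root, d) for d in scratch]
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        in_scratch = any(dirpath == s or dirpath.startswith(s + os.sep)
                         for s in scratch_dirs)
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: do not follow planted links
            if not stat.S_ISREG(st.st_mode):
                continue
            if in_scratch or st.st_ctime > since:
                hits[os.path.relpath(full, root)] = writable_by(st, uid, gids)
    return sorted(hits.items())


def demo() -> Tuple[List[Tuple[str, bool]], List[Tuple[str, bool]]]:
    """Constructed tree; the current uid stands in for the 'backup' account."""
    root = tempfile.mkdtemp(prefix="suspect-")
    layout = {  # relpath: (content, mode)
        "etc/passwd": (b"root:x:0:0::/root:/bin/sh\n", 0o444),
        "home/backup/dump.tar": (b"tar", 0o644),
        "tmp/.x": (b"#!/bin/sh\n", 0o700),
        "var/tmp/old": (b"", 0o644),
    }
    for rel, (data, mode) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)
    me, my_groups = os.getuid(), [os.getgid()]
    recent = recently_changed(root, time.time() - 60, me, my_groups)
    # Cutoff in the future: only the scratch directories remain.
    scratch_only = recently_changed(root, time.time() + 3600, me, my_groups)
    return recent, scratch_only


if __name__ == "__main__":
    for rel, writable in demo()[0]:
        print(f"{'W' if writable else '-'} {rel}")
```

Run it from a rescue boot over the mounted suspect disk, with the cutoff set
to the earliest time the break-in could have happened; a file that shows up as
writable by the backup account and changed in that window is the first thing
to diff against a known-good copy.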



Re: Compromised system - still ok?

2005-02-06 Thread Supaplex
Sounds like you need to read the cert.org article on how to respond to
system intrusions.  See
http://www.cert.org/security-improvement/modules/m06.html.

Good luck,


Scott Edwards
http://www.daxal.com





Re: Compromised system - still ok?

2005-02-06 Thread Michael Marsh
On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
<[EMAIL PROTECTED]> wrote:
> I'm considering taking it back online with a 2.4.29-grsec-hi, what do
> you guys think?

You were rooted, you should reinstall.  It's not worth risking that he
left something that you didn't find.

-- 
Michael A. Marsh
http://www.umiacs.umd.edu/~mmarsh

