Date: Mon, 18 Dec 2000 16:11:29 -0500
From: "Raymond Hicks" <rayhicks@UU.NET>
To: "'Jonathan Fosburgh'" <syjef@mail.mdanderson.org>, "'Tim McMillen'" <timcm@umich.edu>
Cc: "'Gerald T. Freymann'" <freymann@eagle.ca>, "'Questions'" <questions@FreeBSD.ORG>
Subject: RE: Hacker history file - OUCH
Message-ID: <003e01c06937$17914cd0$d7902799@sysenglt112>
In-Reply-To: <3A3E7AC9.40306@mail.mdanderson.org>
This is not good information.. the best thing to do is NOT to shut down the machine.. you may lose vital info if you have in fact been rooted.. you should however remove your machine from the network... and plug it in to another blank ethernet hub so as not to fill your logs with interface down error messages..

To postmortem a box is a complex process because you cannot be sure that you have not had any command replacements and rootkits applied to your box... try to check the integrity of your commands and last change date.. as well as your $path. If needed replace the commands on your box to be sure that everything is in fact working correctly.. try getting lsof or a similar proggy like fstat to check files and processes... you will want to see if there are any other back doors on your machine... comb your logs and see what you can find there..

hope this gets you started...

lates
http://bsdvault.net

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Jonathan Fosburgh
Sent: Monday, December 18, 2000 4:00 PM
To: Tim McMillen
Cc: Gerald T. Freymann; Questions
Subject: Re: Hacker history file - OUCH

Tim McMillen wrote:
>
> Do you know for sure it was an intruder? Or was it just one of
> your users? Either way that doesn't look good. I'm no security expert,
> but the programs they compiled and ran could easily be backdoors to get in
> easily the next time. It's hard (for me) to tell how bad it is without
> knowing whether they were successful in getting root privileges. In the
> history file we don't see the output of the command. Nothing he did
> afterwards seems to require root privileges, but if he had them then
> those programs could easily be backdoors. I would consider the box
> compromised. Is it still in use? The best way to get the most
> information about an attack is to shut down and halt the machine ASAP.
> Then mount everything read only (perhaps on another machine). Then look
> around. That way you won't overwrite possible clues. Any disk access
> after the intruder is there can overwrite that, and that is bad for
> evidence.
> You may want to contact the administrators at the sites he ftp'd
> to to alert them and see if they can tell what those files were that he
> downloaded.
>
> Tim

The results of the su ought to be in /var/log/messages. Especially the one to toor. You should either see a success or failure message. Of course, he can only su to toor if the user he was in as is in group wheel.

--
Jonathan Fosburgh
Open Systems
Communications and Computer Services
UT MD Anderson Cancer Center
Houston, TX

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
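The command-integrity check Raymond Hicks recommends, as an added example that is not part of the thread: a POSIX sh script that compares the binaries in the usual $PATH directories on the suspect host against a trusted reference copy (for example a fresh install mounted read-only under a directory of your choosing), rather than trusting the suspect box's own timestamps, which an intruder can reset with touch. The roots, the PATH_DIRS default and the function names are assumptions of this example.

```shell
#!/bin/sh
# Compare command binaries on a suspect host against a trusted reference copy,
# reporting any file that is modified, missing or newly added (rootkits often
# replace ls/ps/netstat or drop hidden helpers). Hypothetical script, not from
# the thread. Usage: compare_tree /mnt/trusted /   (trusted root, suspect root)

PATH_DIRS=${PATH_DIRS:-"/bin /sbin /usr/bin /usr/sbin"}

file_hash() {
    # Prefer a cryptographic hash; cksum (a CRC) is only a last-resort fallback.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else cksum "$1" | cut -d' ' -f1
    fi
}

# compare_tree TRUSTED_ROOT SUSPECT_ROOT
# Prints one line per discrepancy: "MODIFIED path", "MISSING path" or
# "EXTRA path", with path relative to the roots (e.g. /bin/ls).
compare_tree() {
    trusted=$1; suspect=$2
    for dir in $PATH_DIRS; do
        # Walk the trusted copy: anything changed or absent on the suspect host.
        find "$trusted$dir" -type f 2>/dev/null | while IFS= read -r f; do
            rel=${f#"$trusted"}
            if [ ! -f "$suspect$rel" ]; then
                echo "MISSING $rel"
            elif [ "$(file_hash "$f")" != "$(file_hash "$suspect$rel")" ]; then
                echo "MODIFIED $rel"
            fi
        done
        # Walk the suspect host: anything the trusted copy never had. find also
        # lists dotfiles, which a plain shell glob would silently skip.
        find "$suspect$dir" -type f 2>/dev/null | while IFS= read -r f; do
            rel=${f#"$suspect"}
            [ -f "$trusted$rel" ] || echo "EXTRA $rel"
        done
    done
}

# check_commands TRUSTED_ROOT SUSPECT_ROOT: print findings, exit 1 if any.
check_commands() {
    out=$(compare_tree "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it from a statically linked or trusted shell and find/sha256, since the suspect host's own copies of those tools may be the very ones replaced.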