Date:      Mon, 18 Dec 2000 17:22:50 -0500 (EST)
From:      Tim McMillen <timcm@umich.edu>
To:        freebsd-questions@freebsd.org
Subject:   RE: Hacker history file - OUCH (fwd)
Message-ID:  <Pine.SOL.4.10.10012181717010.17224-100000@tempest.gpcc.itd.umich.edu>



On Mon, 18 Dec 2000, Raymond Hicks wrote:

> it is a better practice to make a full copy and examine that than mess with
> the original box to keep system integrity..
> 
> you may still have the opportunity to catch someone in the act if you do not
> shut the box down..  also there is a chance that halting the system might
> remove or change some information depending on the rootkit installed..  for
> example..  the root kit i use most often replaces shutdown procedure and
> reboot proc to remove log files,  alter process states,  and hide all
> relevant messages from all users..  reboot does similar ..  this is the

	Yes, well I had never thought of that.  That would be a very
powerful and scary root kit.  But if your box is compromised that badly
then you've got worse problems.  By the same logic though, how would you
make a full copy?  Those tools could be replaced too, and do you do it on
a live system?  That would access the drive a lot and you may lose stuff.
If you're worried about a rootkit as bad as yours it would seem to be
better to yank the power plug and risk the damage that that would cause.
	Now trying to catch someone in the act is the complete other path
to security and has its benefits.  It's more altruistic in that you may
help catch them.  I guess I would try both.  Try removing one machine and
avoiding all writes to its disks and keep another box up to let them keep
working, to hopefully catch them later.  Or once you've taken the disk
out, mount it ro and copy it entirely and put it back up.  Then you would
have static data to analyze and dynamic.

> reason for my response..  did not mean to offend anyone or step on any toes.

	Absolutely no offense taken here.  I was just going on what I'd
read.  It could be wrong and the info you provided was good.  I
always try to pass on as correct info as I can, and was worried I
was way off base.  Thanks for the enlightenment.  Is that a readily
available root kit or did you write it yourself?  I guess I can't imagine
benign uses for rootkits except learning how to protect oneself from them.
	Maybe you should post what you wrote above so that everyone will
have that info.  I didn't want to cc my reply to the list without your
permission; I find that rude.
	Thanks,

						Tim


Raymond also followed that up with:

sure pass it on.. and the root kit is developed by some guy in Brazil ...
where most dangerous ones seem to come from... I had considered posting
it however due to process of acquisition (box at work got rooted) .. UUnet
prohibits me from passing on this type of software..  I am writing total
definition of rootkit described and samples of code to be used if anyone
actually wants the code... it will be posted at my website..
http://bsdvault.net

lates
raymond hicks



> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Tim McMillen
> Sent: Monday, December 18, 2000 4:26 PM
> To: Raymond Hicks
> Cc: 'Jonathan Fosburgh'; 'Gerald T. Freymann'; 'Questions'
> Subject: RE: Hacker history file - OUCH
> 
> 
> 
> 
> On Mon, 18 Dec 2000, Raymond Hicks wrote:
> 
> > This is not good information..  the best thing to do is NOT to shut down the
> > machine.. you may lose vital info if you have in fact been rooted..   you
> 
> 	Care to explain that?  How would you lose information by halting
> the machine?  Halting it freezes the information in place and gives you a
> chance to do the postmortem analysis with a cleaner slate.  Allowing it to
> run (especially multi user) allows lots of disk writes and a chance to
> wipe out the information you may need.  Everything I've read says you want
> to preserve the evidence as well as possible by halting and preventing
> further disk writing.
> 
> > should however remove your machine from the network...  and plug it in to
> > another blank ethernet hub so as not to fill your logs with interface down
> > error messages..
> >
> > To postmortem a box is a complex process because you can not be sure that
> > you have not had any command replacements and rootkits applied to your
> > box...  try to check the integrity of your commands and last change date..
> 
> 	Which seems to me to be another reason to halt the box and mount
> the disk on another machine ro for analysis. Then you know you are using
> good tools.  But apparently I am missing something, and would be
> interested in more details.
> 
> 
> 					Tim
> 
> 
> 
> 
> > as well as your $path.  If needed replace the commands on your box to be
> > sure that everything is in fact working correctly..  try getting lsof or
> > similar proggy like fstat to check files and processes...  you will want to
> > see if there are any other back doors on your machine...  comb your logs and
> > see what you can find there..  hope this gets you started...
> >
> > lates
> > http://bsdvault.net
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@FreeBSD.ORG
> > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jonathan
> > Fosburgh
> > Sent: Monday, December 18, 2000 4:00 PM
> > To: Tim McMillen
> > Cc: Gerald T. Freymann; Questions
> > Subject: Re: Hacker history file - OUCH
> >
> >
> >
> >
> > Tim McMillen wrote:
> >
> > >
> > > 	Do you know for sure it was an intruder?  Or was it just one of
> > > your users?  Either way that doesn't look good.  I'm no security expert,
> > > but the programs they compiled and ran could easily be backdoors to get in
> > > easily the next time.  It's hard (for me) to tell how bad it is without
> > > knowing whether they were successful in getting root privileges.  In the
> > > history file we don't see the output of the command.  Nothing he did
> > > afterwards seems to require root privileges, but if he had them then
> > > those programs could easily be backdoors. I would consider the box
> > > compromised.  Is it still in use?  The best way to get the most
> > > information about an attack is to shutdown and halt the machine ASAP.
> > > Then mount everything read only (perhaps on another machine).  Then look
> > > around.  That way you won't overwrite possible clues.  Any disk access
> > > after the intruder is there can overwrite that, and that is bad for
> > > evidence.
> > > 	You may want to contact the administrators at the sites he ftp'd
> > > to to alert them and see if they can tell what those files were that he
> > > downloaded.
> > >
> > > 						Tim
> >
> > The results of the su ought to be in /var/log/messages.  Especially the
> > one to toor.  You should either see a success or failure message.  Of
> > course, he can only su to toor if the user he was in as is in group wheel.
> >
> > --
> > Jonathan Fosburgh
> > Open Systems
> > Communications and Computer Services
> > UT MD Anderson Cancer Center
> > Houston, TX
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
> 
> 
> 
> 
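As an added example, not code from anyone in this thread: Jonathan's point that the su attempts should show up in /var/log/messages, turned into a small triage script. The log lines are constructed, in the format I believe FreeBSD's su(1) writes to syslog ("user to root on tty" on success, "BAD SU user to root on tty" on failure); the hostname, user names and ttys are made up, and the three-failure threshold is an arbitrary assumption. It generalizes a little beyond the thread by scoring every user who reached root or toor, not just the one seen in the history file.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines in FreeBSD su(1) syslog format
# (assumed: "src to dst on tty" on success, "BAD SU src to dst on tty" on failure).
SAMPLE_LOG = """\
Dec 18 15:58:03 tempest su: bob to root on /dev/ttyp1
Dec 18 16:01:11 tempest su: BAD SU mallory to toor on /dev/ttyp3
Dec 18 16:01:19 tempest su: BAD SU mallory to toor on /dev/ttyp3
Dec 18 16:01:27 tempest su: BAD SU mallory to root on /dev/ttyp3
Dec 18 16:02:04 tempest su: mallory to toor on /dev/ttyp3
Dec 18 16:05:40 tempest sshd[412]: Accepted password for bob from 10.0.0.5
"""

SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"(?P<bad>BAD SU )?(?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)$"
)
PRIV_ACCOUNTS = {"root", "toor"}  # toor is FreeBSD's alternate uid-0 account

def parse_su_events(text):
    """Return one dict per su(1) line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["success"] = ev.pop("bad") is None
            events.append(ev)
    return events

def triage(events, fail_threshold=3):
    """Summarise escalations to uid-0 accounts per source user.

    A user is marked suspicious when a success to root/toor follows at least
    fail_threshold failures (a guessing pattern); every success is listed so
    the analyst can match it against the history file's timeline.
    """
    fails = defaultdict(int)
    report = {}
    for ev in events:
        if ev["dst"] not in PRIV_ACCOUNTS:
            continue
        r = report.setdefault(ev["src"], {"successes": [], "failures": 0, "suspicious": False})
        if ev["success"]:
            r["successes"].append((ev["ts"], ev["dst"], ev["tty"]))
            if fails[ev["src"]] >= fail_threshold:
                r["suspicious"] = True
        else:
            fails[ev["src"]] += 1
            r["failures"] += 1
    return report
```

Read the log from the read-only mounted copy of the suspect disk, not from the running box, since the rootkit Raymond describes targets exactly these files.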





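Also added here, and not from the thread: the "mount the disk ro on another machine and check the integrity of your commands and last change date" step that Tim and Raymond converge on, as a baseline comparison. One snapshot of hashes and mtimes is taken on a known-clean install (root "/"), a second over the same directories on the suspect disk mounted read-only (root such as "/mnt"); the directory list and the cutoff time are the analyst's assumptions.

```python
import hashlib
import os

def hash_file(path):
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, dirs):
    """Map path-relative-to-root -> (sha256, mtime) for regular files under
    root/<dir> for each dir, e.g. root="/" on a clean box and root="/mnt" for
    the suspect disk mounted read-only on the analysis machine (assumed paths)."""
    snap = {}
    for d in dirs:
        for cur, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                p = os.path.join(cur, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    snap[os.path.relpath(p, root)] = (hash_file(p), os.stat(p).st_mtime)
    return snap

def compare(baseline, suspect, changed_after=None):
    """Classify suspect files against the known-good baseline.

    modified: same path, different hash (a replaced command)
    missing:  in the baseline but gone from the suspect disk
    new:      not in the baseline (a dropped tool or back door)
    recent:   mtime later than changed_after (epoch seconds), hash aside
    """
    result = {"modified": [], "missing": [], "new": [], "recent": []}
    for path, (digest, mtime) in suspect.items():
        if path not in baseline:
            result["new"].append(path)
        elif baseline[path][0] != digest:
            result["modified"].append(path)
        if changed_after is not None and mtime > changed_after:
            result["recent"].append(path)
    result["missing"] = sorted(set(baseline) - set(suspect))
    for k in result:
        result[k].sort()
    return result
```

The hash comparison is the authoritative signal; mtimes can be reset by whoever replaced the binaries, so the "recent" list only narrows the timeline and never clears a file.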




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.SOL.4.10.10012181717010.17224-100000>