Date:      Tue, 12 Aug 1997 16:11:07 +0200
From:      Philippe Regnauld <regnauld@deepo.prosa.dk>
To:        Jeff Aitken <jaitken@aitken.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: post-break-in checklist?
Message-ID:  <19970812161107.40226@deepo.prosa.dk>
In-Reply-To: <199708120324.XAA27102@eagle.aitken.com>; from Jeff Aitken on Mon, Aug 11, 1997 at 11:24:34PM -0400
References:  <199708120324.XAA27102@eagle.aitken.com>

Jeff Aitken writes:

> As I recall, someone posted a post-breakin-checklist awhile back (I
> seem to think it was Karl Denninger, but I'm not sure).  Anyway, I
> neglected to save a copy of it, and was wondering if anyone had such
> a beast handy.

	Don't have that list handy.  But from experience:

	1) be paranoid.
	2a) take the machine off the network right away
	2b) take it down to single user mode
	3) change all your passwords or close accounts until you can have
	   users change their passwords
	4) find all setuid/setgid binaries and compare against a recent backup
	   (you have a backup, don't you?) or against another installation/
	   media (the 2nd FreeBSD CD-ROM is perfect for this).  Comparing
	   doesn't just mean size and date; run a checksum (md5) for each.
	   You can hack up a 5 line perl script that will run this for you.
	5) check every binary on your system, even not setuid -- even
	   'ls' can be trapped the next time you run it as root
	6) inspect /etc/inetd.conf for unusual services, like:

        # service  socket  proto  wait    user    server-program  server-args (argv[0] first)
        mysh       stream  tcp    nowait  root    /bin/sh         sh -i

	7) check /etc/hosts.equiv and /root/.rhosts
	8) check the configuration for anything new in the startup
	   scripts
	9) if you're still alive, check the configuration for daemons
	   and servers (named, httpd, sshd, etc...)

	10) recompile a fresh kernel
	11 - bonus) install tripwire, swatch, etc...


-- 
                                                              -- Phil

-[ Philippe Regnauld  /  Systems Administrator  /  regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E        PGP Key: finger regnauld@hotel.prosa.dk ]-
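Steps 4 to 6 of the checklist above as a script, added here as an example; it is not part of Philippe's message and not FreeBSD code. It lists setuid/setgid files with their md5 digests (digest only, since a trojan can keep size and date intact), diffs that list against a baseline taken from known-good media, and scans inetd.conf for entries that hand out a shell like the "mysh" line under step 6. The md5/md5sum fallback, the list of directories treated as normal for servers, and the sample trees and inetd.conf it builds under mktemp are assumptions and constructed data, nothing from the thread.

```shell
#!/bin/sh
# Added example (not from the original message): the checklist's steps 4-6
# as a script. A baseline of setuid/setgid checksums taken from known-good
# media is compared against the suspect root, comparing digests rather than
# size/date, and inetd.conf is scanned for entries that hand out a shell.
# The fixture directories and inetd.conf contents below are constructed.

# md5 digest of one file: md5(1) on FreeBSD/macOS, md5sum(1) elsewhere.
sum_file() {
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1
    fi
}

# Emit "path digest" for every setuid/setgid regular file under $1.
# Run once against the mounted install media (baseline), once against the
# suspect root (a mount of the compromised disk, or / in single-user mode).
suid_sums() {
    root=$1
    ( cd "$root" && find . -type f \( -perm -4000 -o -perm -2000 \) | sort ) |
    while read -r f; do
        printf '%s %s\n' "$f" "$(sum_file "$root/$f")"
    done
}

# Compare baseline ($1) to suspect ($2) listings. Size and mtime are not
# looked at: a trojan can preserve both. Returns 1 if anything differs.
compare_suid() {
    base=$1 suspect=$2 rc=0
    while read -r path sum; do
        cur=$(awk -v p="$path" '$1 == p { print $2 }' "$suspect")
        if [ -z "$cur" ]; then echo "MISSING  $path"; rc=1
        elif [ "$cur" != "$sum" ]; then echo "CHANGED  $path"; rc=1
        fi
    done < "$base"
    # setuid files on the suspect system that the known-good media never had
    while read -r path sum; do
        awk -v p="$path" '$1 == p { f=1 } END { exit !f }' "$base" ||
            { echo "NEW      $path"; rc=1; }
    done < "$suspect"
    return $rc
}

# Flag inetd.conf lines whose server program (field 6) is a shell, or lives
# outside the directories FreeBSD's own daemons are installed in (assumed
# list). Returns 1 if anything was flagged.
scan_inetd() {
    awk '
        /^[[:space:]]*(#|$)/ { next }      # comments and blank lines
        {
            prog = $6
            if (prog ~ /(^|\/)(sh|csh|bash|ksh)$/ ||
                (prog != "internal" && prog !~ /^\/usr\/(libexec|sbin|local\/(sbin|libexec))\//)) {
                print "SUSPECT " $1 " -> " $0; found = 1
            }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# Constructed fixture: a known-good tree, a suspect tree with a trojaned su
# (same size and mtime as the original) plus a dropped setuid shell, and a
# sample inetd.conf carrying the backdoor line from the message.
make_fixture() {
    d=$(mktemp -d)
    put() { printf '%s\n' "$2" > "$1" && chmod "$3" "$1"; }
    mkdir -p "$d/good/bin" "$d/good/usr/bin" "$d/suspect/bin" "$d/suspect/usr/bin"
    put "$d/good/bin/su"            'real su'     4755
    put "$d/good/usr/bin/passwd"    'real passwd' 4755
    put "$d/good/bin/ls"            'ls'          755   # not setuid: not listed
    put "$d/suspect/bin/su"         'evil su'     4755  # same size as 'real su'
    touch -r "$d/good/bin/su" "$d/suspect/bin/su"       # same mtime too
    put "$d/suspect/usr/bin/passwd" 'real passwd' 4755
    put "$d/suspect/bin/ls"         'ls'          755
    put "$d/suspect/usr/bin/.x"     'shell'       4755  # dropped by the intruder
    printf '%s\n' \
        '# constructed sample inetd.conf' \
        'ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l' \
        'telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd' \
        'daytime stream  tcp  nowait  root  internal' \
        'mysh    stream  tcp  nowait  root  /bin/sh               sh -i' \
        > "$d/inetd.conf"
    echo "$d"
}

# Demonstration on the fixture; on a real system point suid_sums at the
# mounted CD-ROM and at the suspect root instead.
fx=$(make_fixture)
suid_sums "$fx/good"    > "$fx/baseline.md5"
suid_sums "$fx/suspect" > "$fx/suspect.md5"
compare_suid "$fx/baseline.md5" "$fx/suspect.md5" || echo "setuid check: differences found"
scan_inetd "$fx/inetd.conf" || echo "inetd check: suspicious entries found"
rm -rf "$fx"
```

Run it as is to see the fixture flag "CHANGED ./bin/su", "NEW ./usr/bin/.x" and the mysh line; on a real machine take the baseline from the CD-ROM while it is mounted read-only and keep the listing off the suspect disk, otherwise the intruder can edit the baseline along with the binaries.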


