From owner-freebsd-security Tue Aug 12 07:12:11 1997
Return-Path: 
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA23686 for security-outgoing; Tue, 12 Aug 1997 07:12:11 -0700 (PDT)
Received: from firewall.ftf.dk (root@[129.142.64.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA23680 for ; Tue, 12 Aug 1997 07:12:06 -0700 (PDT)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id QAA00037; Tue, 12 Aug 1997 16:38:23 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id QAA14102; Tue, 12 Aug 1997 16:13:09 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.5/8.8.5/prosa-1.1) id QAA18277; Tue, 12 Aug 1997 16:11:07 +0200 (CEST)
Message-ID: <19970812161107.40226@deepo.prosa.dk>
Date: Tue, 12 Aug 1997 16:11:07 +0200
From: Philippe Regnauld
To: Jeff Aitken
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: post-break-in checklist?
References: <199708120324.XAA27102@eagle.aitken.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Description: Main Body
X-Mailer: Mutt 0.69
In-Reply-To: <199708120324.XAA27102@eagle.aitken.com>; from Jeff Aitken on Mon, Aug 11, 1997 at 11:24:34PM -0400
X-Operating-System: FreeBSD 2.2.1-RELEASE i386
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Jeff Aitken writes:
> As I recall, someone posted a post-break-in checklist a while back (I
> seem to think it was Karl Denninger, but I'm not sure). Anyway, I
> neglected to save a copy of it, and was wondering if anyone had such
> a beast handy.

Don't have that list handy. But from experience:

1) be paranoid.
2a) take the machine off the network right away
2b) take it down to single-user mode
3) change all your passwords or close accounts until you can have users change their passwords
4) find all setuid/setgid binaries and compare against a recent backup (you have a backup, don't you?) or against another installation/media (the 2nd FreeBSD CD-ROM is perfect for this). Comparing doesn't just mean size and date; run a checksum (md5) for each. You can hack up a 5-line Perl script that will run this for you.
5) check every binary on your system, even those not setuid -- even 'ls' can be trapped the next time you run it as root
6) inspect /etc/inetd.conf for unusual services, like:
       mysh stream tcp nowait root /bin/sh
7) check /etc/hosts.equiv and /root/.rhosts
8) check the configuration for anything new in the startup scripts
9) if you're still alive, check the configuration for daemons and servers (named, httpd, sshd, etc...)
10) recompile a fresh kernel
11 - bonus) install tripwire, swatch, etc...

-- 
-- Phil
-[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]-
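Steps 4 and 5 of the checklist above, as an added example that is not part of Phil's mail: a POSIX sh script that records the md5 digest of every setuid/setgid file on a trusted copy (install media or a backup) and then re-hashes the live system, reporting modified, missing and newly appeared setuid/setgid files. It assumes either FreeBSD's `md5 -q` or GNU `md5sum` is installed; the directory paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: compare the setuid/setgid
# binaries on a possibly compromised system against a manifest of md5 sums
# taken from trusted media or a backup. Assumes FreeBSD's "md5 -q" or GNU
# "md5sum" is available; all paths used with these functions are examples.

md5_of() {
    # Print only the hex digest of "$1", whichever tool is present.
    if command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1; fi
}

# build_manifest ROOT OUT: record "digest path" for every setuid/setgid file
# under ROOT. Run it against the trusted copy (e.g. the mounted install CD).
build_manifest() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while read -r f; do
        printf '%s %s\n' "$(md5_of "$f")" "${f#"$1"}"
    done > "$2"
}

# check_manifest ROOT MANIFEST: re-hash the live system under ROOT and report
# MODIFIED, MISSING and NEW setuid/setgid files; returns 1 if anything differs.
# Only the digest is compared: a matching size and date prove nothing.
check_manifest() {
    root=$1; manifest=$2; rc=0
    while read -r sum rel; do
        if [ ! -f "$root$rel" ]; then
            echo "MISSING  $rel"; rc=1
        elif [ "$(md5_of "$root$rel")" != "$sum" ]; then
            echo "MODIFIED $rel"; rc=1
        fi
    done < "$manifest"
    # Anything setuid/setgid now that the baseline never listed is suspect.
    new=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) |
          while read -r f; do
              rel=${f#"$root"}
              cut -d' ' -f2- "$manifest" | grep -qxF -- "$rel" || echo "NEW      $rel"
          done)
    [ -n "$new" ] && { echo "$new"; rc=1; }
    return $rc
}
```

Build the manifest with the trusted tree as ROOT (for example the mounted CD), then run check_manifest with `/` as ROOT on the suspect machine while it is in single-user mode.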