Date:      Mon, 18 Dec 2000 16:26:12 -0500 (EST)
From:      Tim McMillen <timcm@umich.edu>
To:        Raymond Hicks <rayhicks@UU.NET>
Cc:        "'Jonathan Fosburgh'" <syjef@mail.mdanderson.org>, "'Gerald T. Freymann'" <freymann@eagle.ca>, "'Questions'" <questions@FreeBSD.ORG>
Subject:   RE: Hacker history file - OUCH
Message-ID:  <Pine.SOL.4.10.10012181617220.17224-100000@tempest.gpcc.itd.umich.edu>
In-Reply-To: <003e01c06937$17914cd0$d7902799@sysenglt112>


On Mon, 18 Dec 2000, Raymond Hicks wrote:

> This is not good information..  the best thing to do is NOT to shut down the
> machine.. you may lose vital info if you have in fact been rooted..   you

	Care to explain that?  How would you lose information by halting
the machine?  Halting it freezes the information in place and gives you a
chance to do the postmortem analysis with a cleaner slate.  Allowing it to
run (especially multi-user) allows lots of disk writes and a chance to
wipe out the information you may need.  Everything I've read says you want
to preserve the evidence as well as possible by halting and preventing
further disk writing.

> should however remove your machine from the network...  and plug it in to
> another blank ethernet hub so as not to fill your logs with interface down
> error messages..
> 
> To postmortem a box is a complex process because you can not be sure that
> you have not had any command replacements and rootkits applied to your
> box...  try to check the integrity of your commands and last change date..

	Which seems to me to be another reason to halt the box and mount
the disk on another machine ro for analysis. Then you know you are using
good tools.  But apparently I am missing something, and would be
interested in more details.


					Tim




> as well as your $path.  If needed replace the commands on your box to be
> sure that everything is in fact working correctly..  try getting lsof or
> similar proggy like fstat to check files and processes...  you will want to
> see if there are any other back doors on your machine...  comb your logs and
> see what you can find there..  hope this gets you started...
> 
> lates
> http://bsdvault.net
> 
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jonathan
> Fosburgh
> Sent: Monday, December 18, 2000 4:00 PM
> To: Tim McMillen
> Cc: Gerald T. Freymann; Questions
> Subject: Re: Hacker history file - OUCH
> 
> 
> 
> 
> Tim McMillen wrote:
> 
> >
> > 	Do you know for sure it was an intruder?  Or was it just one of
> > your users?  Either way that doesn't look good.  I'm no security expert,
> > but the programs they compiled and ran could easily be backdoors to get in
> > easily the next time.  It's hard (for me) to tell how bad it is without
> > knowing whether they were successful in getting root privileges.  In the
> > history file we don't see the output of the command.  Nothing he did
> > afterwards seems to require root privileges, but if he had them then
> > those programs could easily be backdoors. I would consider the box
> > compromised.  Is it still in use?  The best way to get the most
> > information about an attack is to shutdown and halt the machine ASAP.
> > Then mount everything read only (perhaps on another machine).  Then look
> > around.  That way you won't overwrite possible clues.  Any disk access
> > after the intruder is there can overwrite that, and that is bad for
> > evidence.
> > 	You may want to contact the administrators at the sites he ftp'd
> > to to alert them and see if they can tell what those files were that he
> > downloaded.
> >
> > 						Tim
> 
> The results of the su ought to be in /var/log/messages.  Especially the
> one to toor.  You should either see a success or failure message.  Of
> course, he can only su to toor if the user he was in as is in group wheel.
> 
> --
> Jonathan Fosburgh
> Open Systems
> Communications and Computer Services
> UT MD Anderson Cancer Center
> Houston, TX
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
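The replies above agree on two offline checks once the suspect disk is mounted read-only on a clean host: confirm whether the su to toor/root succeeded from the messages log, and verify the commands on the disk against known-good copies rather than trusting the last-change dates. Here is a shell script, added as an example and not part of the thread, that does both. The device name /dev/ad1s1a, the mount point, the sample log lines and the tiny bin trees are constructed; the log format assumed is the one FreeBSD su(1) writes ("su: USER to TARGET on TTY", or "su: BAD SU ..." on failure).

```sh
#!/bin/sh
# Added example (not from the thread). Offline checks for a suspect FreeBSD disk
# that has been halted and mounted read-only on a clean analysis host, e.g.
#   mount -o ro,noexec,nosuid /dev/ad1s1a /mnt/suspect   # device name is an assumption
# Every tool used here runs from the analysis host, never from the suspect disk.

# FreeBSD su(1) logs "su: USER to TARGET on TTY" on success and
# "su: BAD SU USER to TARGET on TTY" on failure.  Print one line per attempt:
# STATUS USER TARGET TTY.
su_events() {
    # $1: a copy of the suspect's messages file, e.g. /mnt/suspect/var/log/messages
    awk '
        / su: / && $(NF-1) == "on" && $(NF-3) == "to" {
            status = ($0 ~ / su: BAD SU /) ? "FAIL" : "OK"
            print status, $(NF-4), $(NF-2), $NF
        }' "$1"
}

# SHA-256 of one file, using whichever digest tool the analysis host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1  # GNU/Linux
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"                    # FreeBSD
    else shasum -a 256 "$1" | cut -d' ' -f1                                        # macOS
    fi
}

# Baseline of "HASH  RELATIVE-PATH" lines taken from a CLEAN source (install
# media or an identical untouched host), never from the suspect disk itself.
make_baseline() {
    # $1: root of the clean tree (e.g. a mounted install CD's bin directories)
    ( cd "$1" && find . -type f | sort | while read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# Compare the suspect tree against the baseline.  Hashes are compared rather
# than mtimes because whoever replaced a command can also reset its date.
# Reports CHANGED (hash differs), MISSING (in baseline only) and NEW (on the
# suspect disk only, e.g. a dropped program or hidden file).
verify_tree() {
    # $1: root of the suspect tree, $2: baseline file from make_baseline
    while read -r sum path; do
        if [ ! -f "$1/$path" ]; then
            echo "MISSING $path"
        elif [ "$(cd "$1" && hash_file "$path")" != "$sum" ]; then
            echo "CHANGED $path"
        fi
    done < "$2"
    ( cd "$1" && find . -type f | sort ) | while read -r f; do
        awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$2" || echo "NEW $f"
    done
}

# Demo on constructed data: a three-line messages file and two tiny bin trees.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'Dec 18 15:58:01 bsd su: joe to toor on /dev/ttyp0' \
        'Dec 18 15:58:20 bsd su: BAD SU joe to root on /dev/ttyp0' \
        'Dec 18 15:59:00 bsd sshd[123]: Accepted password for joe' > "$tmp/messages"
    su_events "$tmp/messages"
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    echo ls > "$tmp/clean/bin/ls"; echo ls > "$tmp/suspect/bin/ls"          # unchanged
    echo ps > "$tmp/clean/bin/ps"; echo trojan > "$tmp/suspect/bin/ps"      # replaced
    echo netstat > "$tmp/clean/bin/netstat"                                 # removed
    echo x > "$tmp/suspect/bin/.hidden"                                     # dropped
    make_baseline "$tmp/clean" > "$tmp/baseline"
    verify_tree "$tmp/suspect" "$tmp/baseline" | sort
    rm -rf "$tmp"
}
demo
```

On a real case the baseline is generated from the install media or a known-clean sibling machine and stored off the suspect host; verify_tree is then pointed at the read-only mount, so nothing on the suspect disk is executed or written during the comparison.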