Firewall Wizards mailing list archives

Re: OK, I've been hacked, now what?


From: Antonomasia <ant () notatla demon co uk>
Date: Fri, 2 Apr 1999 14:52:34 +0100

From: sedwards () sedwards com

Yes, it's true, one of my client's web pages was hacked. The attack
occurred on March 27.

Here's the text of the page he left:

      "This Page was hacked by Homicide :P cause .. I was bored hehe
      well anyways ph34r the Blue Candy Bar and this ones for u Lina (:

      [detective story snipped]

1) What should I do now?

      dd those disks to tape and deposit them somewhere safe

      See if you can persuade the immediate source of the attack to do
      likewise and to send you a copy of the period in question.

      See how much interest either of you can get from the police.

      Estimate the cost of the incident (when considered finished).
      Actually I'd like to know too since you've been kind enough to
      talk about it.

      Send the whole story to cert.

2) What should I have done differently?

     You mentioned NFS, X and a list of setuid files.   In the servers
     I'm building at the moment there are 3 files setuid (passwd, expiry,
     suexec) and none setgid.
     I started by planning disk partitions.  If all 3 SUIDs are in /usr then
     /usr will be mounted ro and everything else will be mounted nosuid.
     I put no writable directories on the / fs.

3) What should I do to reduce the probability of this happening again?

     Use a dedicated machine as a web server with minimal install.
     Use anti-spoofing screening rules.
     Audit hosts so you find weak code first.
     Train staff (or arrange for someone else to).

4) What should I do to make detection of a hack easier?

    Tripwire your web pages ?
    Record logs on a safe host (by serial line ?)
    Log access to a few decoy files not normally used.

I still don't have the "smoking gun"

03:32:xx        created [...] list of all
                SUID executables. The file is created nobody:nobody
                indicating that it probably was created by tricking a
                cgi.
03:32:xx        /* is accessed
03:39:xx        created a small SUID/GUID executable file
                "/mnt/usr/bin/sh2" which is owned by root:root and
                contains the string "/bin/sh"

Some local exploit with a setuid program ?  Want to check the
access times on all of them ?

--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
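The "check the access times on all of them" suggestion above, as an added example (not part of the original mail): after the dd copy has been mounted read-only (and noatime, so the inventory itself disturbs nothing), this inventories every setuid/setgid file under the mount point and narrows the list to those accessed inside the intrusion window, so the binary that was used around 03:32-03:39 stands out. The mount point /mnt and the epoch window are assumptions to be replaced with the real values.

```shell
#!/bin/sh
# Forensic inventory of setuid/setgid files on an evidence copy of a filesystem.
# Assumes the dd image is mounted read-only under $1 (e.g. /mnt); neither find
# nor stat reads file contents, so they leave the atimes alone, but mount with
# noatime anyway in case something else touches the files.

# Print the last-access time of a file as seconds since the epoch.
# GNU stat takes -c %X; the BSD flavour takes -f %a, used as a fallback.
file_atime() {
    stat -c %X "$1" 2>/dev/null || stat -f %a "$1"
}

# List every setuid or setgid regular file below $1, one per line:
#   <atime epoch> <mode string> <path>, oldest access first.
# -xdev keeps the walk on the evidence filesystem and out of other mounts.
suid_atimes() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while read -r f; do
        printf '%s %s %s\n' "$(file_atime "$f")" "$(ls -ld "$f" | cut -c1-10)" "$f"
    done | sort -n
}

# Keep only the entries accessed between two epoch timestamps ($2 .. $3), i.e.
# the suspects for a local exploit of a setuid program inside the known window.
accessed_between() {
    suid_atimes "$1" | awk -v s="$2" -v e="$3" '$1 >= s && $1 <= e'
}

# Example invocation on the mounted evidence disk (window is a placeholder):
# accessed_between /mnt 922505520 922505940
```

The atimes are only trustworthy if nothing (backup runs, virus scans, a curious admin) read the binaries after the intrusion, which is why the first step in the thread is to dd the disks before doing anything else.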