Security Incidents mailing list archives

Re: Recovering from a penetrator, the easy way


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Wed, 11 Oct 2000 18:06:09 -0700

First, I did a find of the drive, with -ls, to get a listing of the files.

Installed was the t0rnkit, a sniffer and rogue sshd.

He also left wuftpd-god on the box, to which I was not susceptible.  He got
into my box using an account that was vestigial from a previous machine I
migrated to that box.  It turns out he got root through old NFS utils.

The purpose of my message is to detail how I found his 'updated' programs
and how to replace them.

First, there are 2 utils in RH that are really handy: find and stat.

Perry,

Don't assume the job is that easy all the time. ;)

The method you describe will work with standard "rootkits", but it won't
work with loadable kernel modules, and it also walks all over the file
system modifying last access times, which makes it difficult to tell other
aspects of what happened on the system. (And also doesn't catch things
that were loaded onto, then deleted, from the file system, which can
tell you a LOT more about what happened.)

Loadable kernel modules will make "find" and "stat" not even see certain
files, so you can't tell exactly when the intrusion took place, and they
don't replace any standard operating system files, so you won't notice
modify/change timestamp variance on them.

I have a write-up on rootkits and LKMs you might find helpful:

        http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

A more reliable way, and one that preserves evidence for possible
prosecution, is to do bit-image copies of the hard drives, and
analyze them with tools like The Coroner's Toolkit.  I also have
a write-up on doing forensic analysis of Unix systems:

        http://staff.washington.edu/dittrich/misc/forensics/

Although I should also mention that some of these tools don't work on
AIX, HP/UX, or IRIX, so there still is much pain to be felt in finding
and eradicating intruders.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
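The modify/change timestamp variance Dave refers to, as an added example that is not from either poster: a small Python script in the spirit of The Coroner's Toolkit's mactime that builds a ctime-sorted listing with os.lstat (never opening file contents) and flags files whose mtime has been set back while ctime stayed current. The sample tree it inspects is constructed in a temporary directory; the function names and the one-hour threshold are assumptions.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def mac_timeline(root):
    """Collect (path, mtime, atime, ctime) for every entry under root, sorted by ctime.

    Uses os.lstat only: file contents are never opened, so the access times of
    the files being inspected are not updated (directory reads still touch
    directory atimes, so run this against a read-only bit-image copy).
    """
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rows.append((path, st.st_mtime, st.st_atime, st.st_ctime))
    return sorted(rows, key=lambda r: r[3])


def ctime_mtime_variance(root, threshold_seconds=3600):
    """Return paths whose ctime is newer than their mtime by more than threshold.

    touch(1) can reset mtime/atime so a replaced binary looks untouched, but
    ctime is set by the kernel on every inode change and cannot be back-dated
    from userland, so a large ctime-minus-mtime gap deserves a closer look.
    """
    return [p for p, m, a, c in mac_timeline(root) if c - m > threshold_seconds]


def build_sample_tree():
    """Constructed sample: a fresh tree in which bin/ls has been back-dated."""
    root = tempfile.mkdtemp(prefix="forensic_demo_")
    os.mkdir(os.path.join(root, "bin"))
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(root, "bin", name), "w") as f:
            f.write("#!/bin/sh\necho %s\n" % name)
    # Simulate `touch -t <last year> bin/ls`: mtime and atime go back, ctime does not.
    old = time.time() - 365 * 86400
    os.utime(os.path.join(root, "bin", "ls"), (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for p, m, a, c in mac_timeline(root):
        print(datetime.fromtimestamp(c, timezone.utc).isoformat(), p)
    print("ctime/mtime variance:", ctime_mtime_variance(root))
```

On a real image, point `mac_timeline` at the read-only mount point and compare the flagged paths against a known-good package manifest before trusting any binary on the box.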