Security Incidents mailing list archives
Re: Recovering from a penetrator, the easy way
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Wed, 11 Oct 2000 18:06:09 -0700
First, I did a find of the drive, with -ls, to get a listing of the files. Installed was the t0rnkit, a sniffer and a rogue sshd. He also left wuftpd-god on the box, to which I was not susceptible. He got into my box using an account that was vestigial from a previous machine I migrated to that box. It turns out he got root through old NFS utils. The purpose of my message is to detail how I found his 'updated' programs and how to replace them. First, there are 2 utils in RH that are really handy: find and stat.
Perry,

Don't assume the job is that easy all the time. ;)

The method you describe will work with standard "rootkits", but it won't work with loadable kernel modules, and it also walks all over the file system modifying last access times, which makes it difficult to tell other aspects of what happened on the system. (And it also doesn't catch things that were loaded onto, then deleted from, the file system, which can tell you a LOT more about what happened.)

Loadable kernel modules will make "find" and "stat" not even see certain files, so you can't tell exactly when the intrusion took place, and they don't replace any standard operating system files, so you won't notice modify/change timestamp variance on them. I have a write-up on rootkits and LKMs you might find helpful:

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

A more reliable way, and one that preserves evidence for possible prosecution, is to do bit-image copies of the hard drives and analyze them with tools like The Coroner's Toolkit. I also have a write-up on doing forensic analysis of Unix systems:

http://staff.washington.edu/dittrich/misc/forensics/

Although I should also mention that some of these tools don't work on AIX, HP/UX, or IRIX, so there still is much pain to be felt in finding and eradicating intruders.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu           Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
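An added illustration of the find/stat triage Perry describes and of the timestamp point behind it (this is example code written for this archive page, not something posted by either author). A rootkit installer that overwrites a binary and then backdates it with touch -t resets the modification time, but it cannot set the inode change time, so a file whose ctime is newer than a known-good reference while its mtime is not is worth a look. The script builds a constructed sample tree in a temporary directory and flags the one file that was tampered with. It assumes GNU find and stat (Linux); the file names and the .baseline marker are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU find/stat.
set -e

# Constructed sample tree: two "installed" binaries with old mtimes, a
# baseline marker taken after installation, then one binary replaced and
# backdated the way a rootkit installer would (touch -t). The 1-second
# sleeps keep the three change times distinct on any filesystem.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'original ls\n' > "$dir/ls"
    printf 'original ps\n' > "$dir/ps"
    touch -t 199901010000 "$dir/ls" "$dir/ps"   # mtime 1999, ctime = now (T0)
    sleep 1
    touch "$dir/.baseline"                      # known-good reference (T1)
    sleep 1
    printf 'trojaned ps\n' > "$dir/ps"          # ctime and mtime move to T2
    touch -t 199901010000 "$dir/ps"             # mtime backdated; ctime stays T2
    echo "$dir"
}

# List files whose inode changed after the baseline (-cnewer) but whose
# mtime is not newer than it (! -newer): a changed file hiding behind an
# old modification time. The baseline marker itself is excluded by name.
find_backdated() {
    find "$1" -type f ! -name .baseline -cnewer "$2" ! -newer "$2" -print
}

# Show the mtime/ctime pair for each hit (GNU stat format strings).
report_backdated() {
    find_backdated "$1" "$2" | while read -r f; do
        stat -c '%n  mtime=%y  ctime=%z' "$f"
    done
}

demo() {
    d=$(make_sample_tree)
    echo "Files changed after $d/.baseline but with an older mtime:"
    report_backdated "$d" "$d/.baseline"
    rm -rf "$d"
}

demo
```

The check only separates an honest mtime from a forged one; it does nothing against the cases Dave raises. A kernel-module rootkit can keep the replaced file out of find's directory listing altogether, and running find and stat against the live root filesystem updates access times as it goes, so on a machine you may want to prosecute over, do this on a read-only copy of a bit-image rather than on the original disk.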
Current thread:
- Recovering from a penetrator, the easy way Harrington, Perry (Oct 11)
- Re: Recovering from a penetrator, the easy way Dave Dittrich (Oct 12)