Security Incidents mailing list archives

Re: backdoor


From: Jonas M Luster <jluster () d-fensive com>
Date: Sun, 23 Jun 2002 13:06:49 -0700

Quoting Hugo van der Kooij (hvdkooij () vanderkooij org):

> > Hi, my box was compromised, and I can't rm a binary
> > that listens over TCP. I need help/support, watch:
> 
> S.O.P. (Standard Operating Procedures) describe that a compromised box
> should be considered lost and be installed from scratch.

S.O.P.: Someone broke into my house and stole my TV. Let's just go
ahead and level the whole building and build a new one. S.O.P. in this
case stands for Severely Overreacting Professional.

From the SOP I usually hand out:

| What to do if your system appears compromised:
| ==============================================
| 
| * Ensure isolation on router/switch level. Do not prohibit traffic
|   out, but ensure the safety of your systems and the 'net. Some
|   systems are booby-trapped to destroy themselves and all evidence
|   when put into isolation (a simple ping triggering an fdisk can do
|   that).
| 
| * Perform standard forensic analysis on compromised system. Compare
|   MD5 or SHA checksums with those auto-archived during the install and
|   on a weekly basis (you don't have them? What are you doing on the
|   'net calling yourself a professional or even administrator)
| 
| * Can you - without the shadow of a doubt - explain the incident? If
|   yes, restore your system and go back to work. If not...
| 
| * Ensure there are no booby traps in the system that destroy evidence
|   when shut down. Make sure you already checked memory and other
|   volatile parts of the system before shutting it down.
| 
| * What are the implications of shutting the system down hard (pull the
|   plug)? If you are unsure, check the 'net. Decide how to take the
|   system down.
| 
| * Mount the system's HDs in a known safe machine. Mount r/o.
| 
| * Perform standard forensic work - use TCT or TASK to do so.
| 
| * Can you - without the shadow of a doubt - explain the incident? If
|   yes, restore your system and go back to work. If not...
| 
| * Call someone who knows. Your system may not be the only compromised
|   system in the network. The way in might have been used elsewhere.
|   Ensure your network is safe.
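
The checksum step of the SOP above (baseline hashes archived at install and refreshed weekly, then diffed against the disk mounted read-only on a known-safe machine) as a worked script. This is an added example, not code from the original post or from TCT/TASK; it assumes coreutils sha256sum/find/sort/xargs and awk are present, and the directory names, file names and the mount point /mnt/evidence in the comments are hypothetical. The baseline is only worth anything if it was stored somewhere the attacker could not rewrite it.

```shell
#!/bin/sh
# Added example (not part of the original post): keep a file-hash baseline
# and diff a live or read-only-mounted tree against it.
# Assumes coreutils (sha256sum, find, sort, xargs) and awk; the paths in
# the usage comments below are hypothetical.
set -u

# baseline_create DIR OUT: hash every regular file under DIR into OUT.
# Paths are recorded relative to DIR, so a baseline taken at install time on
# the live system can be checked later against the same disk mounted
# read-only elsewhere (e.g. /mnt/evidence).  Run this at install and weekly.
baseline_create() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$out"
}

# baseline_verify DIR BASELINE: print one line per discrepancy, sorted:
#   CHANGED <path>  content hash differs from the baseline (trojaned binary)
#   MISSING <path>  listed in the baseline, gone from DIR
#   NEW <path>      present in DIR, absent from the baseline (dropped files)
# Returns 0 when the tree matches the baseline, 1 otherwise.
# Note: file names containing a newline are not handled.
baseline_verify() {
    dir=$1; base=$2
    cur=$(mktemp)
    baseline_create "$dir" "$cur"
    # Each sha256sum line is "<hash>  <path>"; strip the hash and the two
    # separating spaces to keep paths with embedded spaces intact.
    report=$(awk '
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
        FNR == NR { old[p] = h; next }          # first file: the baseline
        {
            if (!(p in old))        print "NEW " p
            else if (old[p] != h)   print "CHANGED " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Typical use on the known-safe analysis box, with the suspect disk mounted
# read-only so nothing on it can run or be altered (hypothetical device):
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/evidence
#   baseline_verify /mnt/evidence /srv/baselines/webhost-2002-06-16.sha256
```

Anything reported as CHANGED under /bin, /sbin or /lib, or NEW in a system directory, is the place to start with TCT/TASK; a clean report does not by itself prove the box is clean, since a kernel-level rootkit can lie to sha256sum on the live system, which is why the SOP says to mount the disk elsewhere.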


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

