Firewall Wizards mailing list archives
Re: OK, I've been hacked, now what?
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Fri, 2 Apr 1999 14:15:21 -0800
1) What should I do now?
You've done far more than most people know how to do. I don't see much more to do... possibly you could go through some heroic disk-scraping efforts to figure out *exactly* which hole was used.
2) What should I have done differently?
Well, removing known-bad CGI scripts and/or not putting/leaving unused CGI scripts on the host. Periodic, thorough CGI audits.
3) What should I do to reduce the probability of this happening again?
Audit the web server. Looks like not everything was done through port 80.. some sort of firewalling.. perhaps dump other services in favor of SSH?
4) What should I do to make detection of a hack easier?
You *did* detect it... after the fact. You might consider scraping logs looking for known patterns. I would also recommend sending logs to another host, live. The other school of thought is that if you keep up on the latest holes (and block them) then there is nothing to detect, since detectors rely on knowing about the holes ahead of time too. (i.e. why bother to detect the PHF hole, when you can just remove it?) To contradict myself again... you might want to detect it so you know when there is an *attempt*. See old threads on whether to put your IDS inside or outside of the firewall... or both.
I still don't have the "smoking gun" that says exactly how he got root access. Opinions and conclusions from the above chronology are welcomed.
I got the impression from your note that it was the handler.cgi. Are you not convinced? Ryan
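One way to do the log-scraping Ryan suggests, as an added example that is not part of the original post: parse Common Log Format access-log lines and flag any request naming a known-bad CGI script, distinguishing a script that actually ran (200) from a mere attempt. The log lines are constructed for illustration; the CGI names (phf, handler.cgi) are the ones mentioned in this thread and the list is an assumption to be replaced by your own audit findings.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in Common Log Format (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/1999:13:01:12 -0800] "GET /index.html HTTP/1.0" 200 1043
192.0.2.55 - - [02/Apr/1999:13:02:47 -0800] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 210
192.0.2.55 - - [02/Apr/1999:13:02:59 -0800] "GET /cgi-bin/handler.cgi HTTP/1.0" 200 512
192.0.2.77 - - [02/Apr/1999:13:05:03 -0800] "POST /cgi-bin/form.cgi HTTP/1.0" 200 88
"""

# Script names named in the thread; assumed list, extend it from your own CGI audit.
KNOWN_BAD_CGI = ("phf", "handler.cgi")

# host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_cgi_attempts(log_text: str, bad_names=KNOWN_BAD_CGI) -> List[Dict[str, str]]:
    """Return one record per request whose script name is in bad_names."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if not rec:
            continue
        # Match on the script name only, so a query string or directory cannot hide it.
        script = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if script in bad_names:
            # 200 means the script existed and ran; anything else is still an attempt worth knowing about.
            rec["outcome"] = "executed" if rec["status"] == "200" else "attempt"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_cgi_attempts(SAMPLE_LOG):
        print(f'{h["time"]} {h["host"]} {h["method"]} {h["path"]} -> {h["outcome"]}')
```

Ship the output to the remote log host Ryan recommends rather than keeping it only on the web server, so a root compromise cannot erase the record of how it happened.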