Firewall Wizards mailing list archives

Re: OK, I've been hacked, now what?


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Fri, 2 Apr 1999 14:15:21 -0800



1) What should I do now?

You've done far more than most people know how to do.
I don't see much more to do... possibly you could go through
some heroic disk-scraping efforts to figure out *exactly*
which hole was used.

2) What should I have done differently?

Well, removing known-bad CGI scripts and/or not
putting/leaving unused CGI scripts on the host.  Periodic,
thorough CGI audits.

3) What should I do to reduce the probability of this happening again?

Audit the web server.  Looks like not everything was done through
port 80.. some sort of firewalling.. perhaps dump other services in favor of
SSH?

4) What should I do to make detection of a hack easier?

You *did* detect it... after the fact.  You might consider scraping logs
looking for known patterns.  I would also recommend sending logs
to another host, live.  The other school of thought is that if you keep
up on the latest holes (and block them) then there is nothing to
detect, since detectors rely on knowing about the holes ahead of time
too.  (i.e. why bother to detect the PHF hole, when you can just remove it?)

To contradict myself again... you might want to detect it so you know when
there is an *attempt*.  See old threads on whether to put your IDS inside or
outside of the firewall... or both.

I still don't have the "smoking gun" that says exactly how he got root
access. Opinions and conclusions from the above chronology are welcomed.

I got the impression from your note that it was the handler.cgi.  Are you not
convinced?

                              Ryan
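Two of the suggestions in the reply above, scraping logs for known patterns and distinguishing an attempt from a successful hit, can be sketched as a small log scanner. The code below is an added example and is not part of Ryan's post or the original thread. It assumes Apache common log format and a placeholder list of known-bad CGI names seeded from the two scripts mentioned in the thread (phf, handler.cgi); a real list would come from the site's own CGI audit. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Placeholder list of known-bad CGI script names (assumption: seeded from the
# scripts named in the thread; extend it from your own CGI audit).
KNOWN_BAD_CGI = {"phf", "handler.cgi"}

# Apache common log format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/1999:13:55:36 -0800] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [02/Apr/1999:13:57:01 -0800] "GET /cgi-bin/phf?Qalias=test HTTP/1.0" 200 512
10.0.0.9 - - [02/Apr/1999:13:58:12 -0800] "GET /cgi-bin/handler.cgi HTTP/1.0" 404 210
10.0.0.7 - - [02/Apr/1999:14:01:40 -0800] "GET /cgi-bin/%50HF HTTP/1.0" 403 180
10.0.0.5 - - [02/Apr/1999:14:03:11 -0800] "GET /cgi-bin/counter.cgi HTTP/1.0" 200 100
this line is not a valid log record
"""


def parse_clf(line):
    """Return a dict of the CLF fields, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def script_name(path):
    """Normalise the request path to a bare script name.

    The query string is dropped, percent-encoding is decoded and the result is
    case-folded, so that '/cgi-bin/%50HF?x=1' and '/cgi-bin/phf' both match.
    Matching before decoding is the classic way a pattern scanner misses hits.
    """
    path = path.split("?", 1)[0]
    path = unquote(path).lower()
    return path.rsplit("/", 1)[-1]


def scan_lines(lines, known_bad=KNOWN_BAD_CGI):
    """Scan log lines and report requests for known-bad CGI scripts.

    A 2xx status means the script was present and served the request
    ('served'); anything else is recorded as an 'attempt', which is the
    case where the hole was already removed but somebody still probed for it.
    """
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # skip malformed records rather than aborting the scan
        name = script_name(rec["path"])
        if name in known_bad:
            served = rec["status"].startswith("2")
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "script": name,
                "status": rec["status"],
                "severity": "served" if served else "attempt",
            })
    return hits


def attempts_by_host(hits):
    """Count hits per source host, to spot a single scanner walking the list."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["host"]} {h["script"]} {h["status"]} {h["severity"]}')
    print(attempts_by_host(found))
```

Running this over a copy of the access log shipped to a separate log host, as the reply recommends, keeps the evidence off the compromised machine; the "served" versus "attempt" split is what lets you tell a probe for a script you already removed apart from a request the server actually answered.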
