subject: (Fwd) compromised cleanup (was Re: Ramen)
posted: Wed, 24 Jan 2001 17:24:07 -0000


Matt: my box has been compromised, how can I make it safe
again?

------- Forwarded message follows -------
Date sent: Mon, 22 Jan 2001 16:43:09 -0800
Send reply to: Dave Dittrich <[email protected]>
From: Dave Dittrich <[email protected]>
Subject: Re: Ramen
Originally to: Brian Taylor <[email protected]>
To: [email protected]

> Matt, generally (well, actually 99.999% of the time), the rule is to
> totally reformat whenever there has been a root level compromise.
> Go to your old backups, restore from there. Have a stiff drink, for
> that box is history.

My rule #0 is get an image copy before doing your rule #1.
Yes, trying to "clean up" is nearly futile, but properly handling
the incident is important.

> But for future reference, check the file attributes...

One of the main reasons for doing my rule #0 is because you may not
think of this until after you've already re-formatted, at which point
it's too late. There are lots of things you should check, including
file attributes, but you won't remember them all, let alone do them
all, in the three hour time window you might give yourself.

I still suggest spending the extra hour or so to get an image copy
first, which you can then come back to at a later date (even hand
over to law enforcement if AFOSI calls you two years later and asks to
see logs from the system -- this DOES happen.)

> But I wouldn't spend any more time on that box. It's rooted.
> Restore from backups. Take a look at Bastille and Tripwire for the
> future!

As a learning experience, there is a lot you can gain from spending
more time analyzing it, provided you have the time and you want to
learn. Bastille helps prevent future problems, and Tripwire (as long
as you don't get an LKM installed) can help identify future problems,
but you don't get "in the trenches" learning if you never leave
the couch. (P.S. Some things that come back from backups you DON'T
want on your system, so even this advice should have its caveats.)

--
Dave Dittrich Computing & Communications
[email protected] Client Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


------- End of forwarded message -------

---
* Origin: [adminz] tech, security, support (192.168.0.2)
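The "rule #0" in the forwarded message, taking an image copy before you reformat, is easy to state and easy to get subtly wrong (an image nobody can later prove is faithful is worth little to an investigator). The script below is an added example, not code from the thread or from any of the people quoted in it: it copies a disk with `dd`, hashes source and image, keeps the digest beside the image, writes a timestamped custody line, and can re-verify the image later. It assumes POSIX `sh`, `dd`, and `sha256sum` (falling back to `shasum -a 256`); the device path you would pass in is a placeholder, and the `demo` function fabricates a small file to stand in for the disk.

```shell
#!/bin/sh
# Added example (not from the original thread): image a compromised disk
# before reinstalling, hash source and image, log a custody record, and
# allow later re-verification.  Assumes POSIX sh, dd and sha256sum.

set -u

# Pick a SHA-256 tool: GNU coreutils sha256sum, or Perl shasum as fallback.
if command -v sha256sum >/dev/null 2>&1; then
    SHA256="sha256sum"
else
    SHA256="shasum -a 256"
fi

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
    $SHA256 "$1" | cut -d' ' -f1
}

# image_disk SOURCE IMAGE LOG
#   Copies SOURCE (a block device such as /dev/sda, or any file) to IMAGE,
#   hashes both, writes IMAGE.sha256, appends a custody record to LOG, and
#   returns 0 only if the two digests match.
#   bs=512 matches the sector size, so a whole disk is copied without
#   padding; conv=noerror,sync keeps going past unreadable sectors (zero-
#   filling them) instead of aborting the copy part way through.
image_disk() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    # Digest stored next to the image in sha256sum -c format.
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    if [ "$src_hash" = "$img_hash" ]; then match=yes; else match=no; fi
    printf '%s host=%s src=%s image=%s sha256=%s match=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
        "$src" "$img" "$img_hash" "$match" >> "$log"
    [ "$match" = yes ]
}

# verify_image IMAGE -> 0 if IMAGE still matches the digest recorded when
# it was taken (this is what you run two years later, before handing it over).
verify_image() {
    $SHA256 -c "$1.sha256" >/dev/null 2>&1
}

# demo: builds a constructed 32 KiB "device" file in a temp dir, images it,
# verifies the image, then appends junk to the image to show that
# verification catches the change.  Returns 0 if everything behaves.
demo() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/fake_device" bs=512 count=64 2>/dev/null
    image_disk "$work/fake_device" "$work/disk.img" "$work/custody.log" || return 1
    verify_image "$work/disk.img" || return 1
    grep -q 'match=yes' "$work/custody.log" || return 1
    printf 'tampered' >> "$work/disk.img"
    if verify_image "$work/disk.img"; then return 1; fi
    rm -rf "$work"
    return 0
}
```

Usage on a real system is `image_disk /dev/sda /mnt/evidence/host.img /mnt/evidence/custody.log` run from a boot CD or a second machine, never from the compromised operating system itself, and with the destination on a different disk. Examining the image afterwards with `mount -o ro,loop` leaves the copy untouched, which is why the digest is stored beside it: the same `verify_image` call answers the question "is this still the disk I took on that date" whenever someone asks.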
